fix: pregenerate https certificate #6173
Conversation
node-forge used inside selfsigned is a bit package https://packagephobia.com/result?p=node-forge Sadly there is no js-only alternative (only `openssl` wrappers). While testing this feature (server.https: true) I found chrome detects the certificate is insecure though still allows to access the page with https after proceeding warning wall. So as there is not much value in using so big dependency to generate insecure certificates @patak-dev got an idea to pregenerate single certificate and publish it with vite. This need to be tested on various machines though before releasing. I made the certificate expire in 10 years. Let's cross our fingers this will be enough. ``` du -ck dist/node ``` before: 12348 after: 9812
TrySound
force-pushed
the
pregenerate-cert
branch
from
5c727ac
to
acdab15
Compare
patak-dev
added
the
p2-nice-to-have
|
Looks good code-wise. I haven't tested the certificate |
|
We will need help testing this one. I think the best is to merge it during the 2.8 beta period, we can revert it if there are reported issues before releasing 2.8 |
| @@ -0,0 +1,51 @@ | |||
| -----BEGIN RSA PRIVATE KEY----- | |||
There was a problem hiding this comment.
Just to clarify: is it safe to commit a private key to repo?
There was a problem hiding this comment.
This is a key that will only be used during development, and to trick the browser, it isn't a secure HTTPS certificate. But what we currently do isn't secure either. I'm still not sure if this is possible, but at least with the people we have discussed so far, it looks like inlining the cert is the same as generating it locally with fixed params.
There was a problem hiding this comment.
@TrySound should we add a comment in the .pem so people finding this private key in our repo would not be surprised? Looks like anything before the -----BEGIN should be ignored by parsers: https://stackoverflow.com/questions/19578812/comments-in-a-pem-file
Seems there are some parsers that have issues but it may be worth trying. Or any other idea to avoid getting security complaints once we merge this PR?
There was a problem hiding this comment.
Is this really needed at all? i'd rather not put a private key into a public repo for whatever reason. Someone takes it and uses it to target developers using vite in a social engineering/phishing attack.
Even without a public private key, a centralized cert is a bad idea imho. If you want to do this, generate the whole thing on the client side and preferably throw away the key afterwards so no other certs can be created.
There was a problem hiding this comment.
@dominikg the same answer I gave @patak-dev privately in discord
There was a problem hiding this comment.
@dominikg aren't we doing the same already with selfsigned with static params? I was under the impression that this cert couldn't be exploited as it is just an insecure hack to get the browser to comply even if you get a warning during development.
If having a global cert is more insecure than generating one with selfsigned, we shouldn't merge this PR. Would you explain a bit how this works?
If we don't merge this one, another option to remove selfsigned would be to deprecate this insecure feature, and add a new plugin/docs to push users to create a proper certificate, and then we can remove it in 3.0, as others are proposing in other messages
|
you can check EDIT: I mean, the registration part on the OS trust store. |
|
We discussed with @userquin, and he didn't mean that we should use https-localhost instead of this PR (I thought the same given the initial comment). |
|
But you do let to specify own cert already. I use it daily. And agree we should provide some recipes |
|
Btw this is what we do in our development (written by my teammate) |
|
Well, better like that, ha 🤦🏼 |
| import { generate } from 'selfsigned' | ||
|
|
||
| /** | ||
| * https://github.com/webpack/webpack-dev-server/blob/master/lib/utils/createCertificate.js |
There was a problem hiding this comment.
this link does not work, createCertificate.js does not exist in the webpack-dev-server repo current master.
Skimming the repo it looks like they only offer configuration options for bringing your own cert, no auto- or pregenerated certs
There was a problem hiding this comment.
We were talking with @userquin that it may also be better for us to do the same. Maybe in Vite 3.0 we can remove the autogenerated cert to push users to create secure certificates
|
As mentioned on discord i don't think vite should be distributing pregenerated certificates as it could be a potential security issue and is extra maintenance overhead. Instead add config options for ssl and a third party vite-plugin-local-ssl-setup could use these options to generate a proper cert on the developers machine. something like {
name: 'vite-plugin-local-ssl-setup',
config: () => {
// check if local cert exists, generate one if not (use a node package or platform dependant scripts around openssl)
const ssl = localSSL();
return { server: { ssl } }
}
}as it is a plugin that can be installed independently of vite, the dependency won't affect users that don't need it. Edit, more ideas:
The documentation part is important i think. Proper handling of ssl certificates and related keys is something web developers need to be aware of. Vite users who lack the knowledge to do it themselves should be educated in it instead of given an insecure default handling that may lead them to believe it is ok to do that in other places too. |
|
Agreed with @dominikg I suggest we maintain a |
|
Agree with both, but this is something we could do in Vite 3.0. We could deprecate now and start pushing user in the right direction though |
> watching The Matrix while hacking these certificates Alternative to vitejs#6173 Since sharing same certificate for all users is not the best approach I suggest to try decompose node-forge which is used internally by selfsigned package. We can just use part of the package which already gives a good result. Eventually we will deprecate this feature but would be good to have less impact on current major too. ``` du -sk dist/node ``` before: 10760 after: 9944
> watching The Matrix while hacking these certificates Alternative to #6173 Since sharing same certificate for all users is not the best approach I suggest to try decompose node-forge which is used internally by selfsigned package. We can just use part of the package which already gives a good result. Eventually we will deprecate this feature but would be good to have less impact on current major too. ``` du -sk dist/node ``` before: 10760 after: 9944
|
Closing in favour of #6325 |
|
@patak-dev should be 6325 instead 3625? |
|
comment changed |
Description
node-forge used inside selfsigned is a bit package https://packagephobia.com/result?p=node-forge
Sadly there is no js-only alternative (only
opensslwrappers).While testing this feature (server.https: true) I found chrome detects
the certificate is insecure though still allows to access the page with
https after proceeding warning wall.
So as there is not much value in using so big dependency to generate
insecure certificates @patak-dev got an idea to pregenerate single
certificate and publish it with vite.
This need to be tested on various machines though before releasing.
I made the certificate expire in 10 years. Let's cross our fingers this
will be enough.
before: 12348
after: 9812
Additional context
What is the purpose of this pull request?
Before submitting the PR, please make sure you do the following
fixes #123).