
"Unable to get local issuer certificate" running Yarn Application through WSS


Article ID: 202281


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

The WSSA agent is installed and used to access the internet via WSS.

The Yarn package manager is run on Windows clients.

Running either 'yarn install' or 'yarn upgrade' triggers the following error: "Unable to get local issuer certificate".

Disabling WSSA allows the application to run normally.

Cause

Yarn has built-in logic to verify that the server certificate chains to a CA it trusts. Yarn runs on Node.js, which validates against its own bundled CA list rather than the Windows certificate store, so a CA that has been deployed to the Windows store (such as the WSS CA) is not automatically trusted. The error text is OpenSSL's wording for exactly this condition: the issuer of the presented certificate could not be found in the client's trust store.

With WSS SSL inspection enabled, the proxy intercepts the server certificate and chain from the origin server and sends down a server certificate with the same common name, but signed by the WSS CA.

Any client that does certificate pinning, validates against its own CA bundle, or otherwise expects the server certificate to be that of the physical origin server will fail with SSL inspection enabled.

Environment

Although the issue was seen with the WSSA agent, the same problem can manifest itself with any SSL-inspected application going through WSS that expects the origin server's own certificate chain rather than one re-signed by the WSS CA.

Resolution

Add an SSL inspection bypass for the domain the application connects to (registry.yarnpkg.com in this case).

Additional Information

Identifying the domain to bypass from SSL inspection may be easy or difficult depending on the application and client. In some cases the application reports the domain it is having trouble with, and that name can simply be added to the SSL bypass domain list. A quick confirmation that inspection is the cause is to compare the issuer reported by 'openssl s_client -connect <host>:443 -servername <host>' with the agent enabled and disabled: with inspection active the issuer is the WSS CA rather than the origin's public CA.


In other cases, as with the one above, the application does not give any such information. To identify the domain, do the following:

- Disable the agent.
- Run Wireshark on the workstation where the user is having issues with the application.
- Access the site directly, which will work with the agent disabled.
- Look at each SSL handshake in the trace; hopefully there will not be too many.
     - The filter 'tls.handshake.extension.type == 0' shows each Client Hello carrying an SNI (Server Name Indication) extension, which contains the domain that needs to be SSL-bypassed.
     - Search for the SNI that correlates to the application (registry.yarnpkg.com in the case above).
- Add this domain to the SSL bypass list in WSS.


Here is what the PCAP looked like for the failing connection:

- The TCP handshake completes successfully.
- The SSL handshake appears to complete successfully.
- No application data is sent by the client; instead the client sends a TCP FIN to close the connection.
     - The TCP FIN was triggered by the client because the certificate did not match what it expected.
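The two steps above, pulling the SNI out of a Client Hello (what the Wireshark filter does) and recognising the "handshake completed, then FIN with no application data" pattern, can be reproduced offline. The following is an added example written for this article, not code from the article or from Yarn/WSS. It builds a minimal TLS 1.2 ClientHello with only an SNI extension, parses the SNI back out of the record bytes, and classifies a connection from a list of constructed client/server records. The server records are stubs (content type and handshake type only), and the hostname registry.yarnpkg.com is taken from the case above; all bytes are constructed, not captured traffic.

```python
import struct

# Added example for this article (not the article's or Yarn's code). All records below
# are constructed by hand; none are captured traffic.

CONTENT_CHANGE_CIPHER_SPEC, CONTENT_ALERT, CONTENT_HANDSHAKE, CONTENT_APP_DATA = 0x14, 0x15, 0x16, 0x17
SNI_EXTENSION_TYPE = 0  # the value matched by 'tls.handshake.extension.type == 0' in Wireshark


def build_client_hello(hostname):
    """Return a TLS 1.2 record holding a ClientHello whose only extension is server_name."""
    host = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type host_name(0) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list
    body = (b"\x03\x03"                                             # client_version TLS 1.2
            + bytes(32)                                             # random (zeros, constructed)
            + b"\x00"                                               # session_id length 0
            + b"\x00\x02\xc0\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                                # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                    # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                            # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]            # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                            # compression_methods
    if len(body) < pos + 2:                                         # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        p = 2                                                       # skip ServerNameList length
        while p + 3 <= len(data):
            name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            name, p = data[p + 3:p + 3 + name_len], p + 3 + name_len
            if name_type == 0:
                return name.decode("ascii", "replace")
    return None


def summarize_flow(events):
    """Classify one connection given ("C"|"S", record_bytes) events and a final ("C", "FIN").

    Assumes TLS 1.2 framing, where handshake messages are visible as content type 0x16.
    Under TLS 1.3 everything after ServerHello travels in 0x17 records, so the
    'no application data' test would need to key off the handshake boundary instead."""
    summary = {"sni": None, "client_handshake": False, "client_app_data": False,
               "client_alert": False, "client_fin": False}
    for direction, payload in events:
        if direction != "C":                                        # only the client side matters here
            continue
        if payload == "FIN":
            summary["client_fin"] = True
            continue
        summary["sni"] = summary["sni"] or extract_sni(payload)
        ctype = payload[0]
        summary["client_handshake"] |= ctype in (CONTENT_HANDSHAKE, CONTENT_CHANGE_CIPHER_SPEC)
        summary["client_app_data"] |= ctype == CONTENT_APP_DATA
        summary["client_alert"] |= ctype == CONTENT_ALERT            # some clients alert before FIN
    if summary["client_handshake"] and summary["client_fin"] and not summary["client_app_data"]:
        summary["verdict"] = "handshake then FIN with no application data: candidate for SSL bypass"
    else:
        summary["verdict"] = "application data exchanged"
    return summary


# Constructed flows mirroring the failing and working captures; server records are stubs.
_SERVER_HELLO_STUB = b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"         # handshake record, type server_hello(2)
_CLIENT_CCS = b"\x14\x03\x03\x00\x01\x01"
_CLIENT_FINISHED_STUB = b"\x16\x03\x03\x00\x04\x14\x00\x00\x00"      # handshake record, type finished(20)
_CLIENT_APP_DATA = b"\x17\x03\x03\x00\x05hello"

FAILED_FLOW = [("C", build_client_hello("registry.yarnpkg.com")), ("S", _SERVER_HELLO_STUB),
               ("C", _CLIENT_CCS), ("C", _CLIENT_FINISHED_STUB), ("C", "FIN")]
WORKING_FLOW = FAILED_FLOW[:-1] + [("C", _CLIENT_APP_DATA), ("C", "FIN")]

if __name__ == "__main__":
    for name, flow in (("failed", FAILED_FLOW), ("working", WORKING_FLOW)):
        s = summarize_flow(flow)
        print(f"{name}: sni={s['sni']} verdict={s['verdict']}")
```

On a real capture the same logic applies per TCP stream: extract_sni on the first client record gives the name to add to the bypass list, and a stream whose client side never carries a 0x17 record before the FIN is the one to look at. The client_alert flag is there because many clients, unlike the case above, send a TLS alert (for example unknown_ca) before closing when they reject the proxy-signed certificate.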
