code-settings-sync: Why is NODE_TLS_REJECT_UNAUTHORIZED set to 0?

This is done , several users reported earlier that they are facing problems in certificates while connecting to github.

Is there any problem you are facing with this configuration ?

Yes, this is highly insecure. You are disabling TLS validation for any process running within VS Code. Now my app does not validate SSL certificates when run with VS Code

This is done , several users reported earlier that they are facing problems in certificates while connecting to github.

The solution should never be a complete disable of such a low level security feature which is paramount for secure systems. Especially if it side effects into the whole process. The problem is with those users’ machines/networks and a library should never try and fix a problem that does not even come remotely close to its primary function.

I believe I grepped my VS Code extensions folder for that environment variable key and then found the line (and therefore the extension) where it was being set.

On Jan 9, 2020, at 4:39 PM, ggirard07 notifications@github.com wrote:

@MattMorgis How did you manage to narrow it down to this extension from this single error message? I am currently having the same kind of issue (same error message while trying to run my app in debug), but obviously not from this extension as I don’t have it…

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

The problem is with those users’ machines/networks and a library should never try and fix a problem that does not even come remotely close to its primary function.

If users report SSL trust issues, they should be sent here: https://code.visualstudio.com/docs/setup/network#_ssl-certificates

Edit: Worst case, the user with the issue can turn it off in VS Code if they wish with --ignore-certificate-errors, but it should not be the default for everyone.

I sent PR #779 which removes the disabling of TLS certificate validation. It would make this safe to use again.

@MattMorgis thanks, I found my culprit “Azure Repos” extension from Microsoft 😕

@MattMorgis after the 3.2.6 update I haven’t been able to use this extension. Whenever I try to update/upload I get an error (Sync: Internet not connected or unable to connect to GitHub. Exception logged in Console). When I look at the console there’s a couple of “unable to verify the first certificate” errors. I have tried setting my http.proxyStrictSSL to false and launching vs code with the --ignore-certificate-errors flag without any luck.

What do you think of having a setting that would set NODE_TLS_REJECT_UNAUTHORIZED to 0 right before a network request and set it back to 1 right after? Or is that still insecure?

The solution should never be a complete disable of such a low level security feature which is paramount for secure systems.

Indeed. I had to uninstall the plugin for now to restore normal behaviour.

Much better if you add an option to install the right root CA

I am open for PR if it solves the problem in both ways, installing CA and not using validation.