Cargo: Use Windows TLS/SSL CA store

Hello!

We have a firewall in our company that does traffic inspection with an MITM-ish approach by distributing a company-internal CA. However, this means that Cargo fails to verify remotes:

    Updating crates.io index
warning: spurious network error (3 tries remaining): [35] SSL connect error (schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - Die Sperrfunktion konnte keine Sperrprüfung für das Zertifikat durchführen.)
warning: spurious network error (2 tries remaining): [35] SSL connect error (schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - Die Sperrfunktion konnte keine Sperrprüfung für das Zertifikat durchführen.)
warning: spurious network error (1 tries remaining): [35] SSL connect error (schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - Die Sperrfunktion konnte keine Sperrprüfung für das Zertifikat durchführen.)
error: download of config.json failed

Caused by:
  failed to download from `https://index.crates.io/config.json`

Caused by:
  [35] SSL connect error (schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - Die Sperrfunktion konnte keine Sperrprüfung für das Zertifikat durchführen.)

Since index.crates.io isn't whitelisted (and I am the only one using it, I am the only dev here), this results in the DPI certificate being returned upon request.

It is stored as a trusted cert in the Windows cert store - and I would like Cargo to use that. How can I do that?

Thanks and kind regards!


Looking at the cargo documentation, I think you could try setting the environment variable CARGO_HTTP_CHECK_REVOKE to false.


I'm pretty sure that one is about something else.

However, right above it in the same document it mentions 'http.cainfo', CARGO_HTTP_CAINFO.

Path to a Certificate Authority (CA) bundle file, used to verify TLS certificates. If not specified, Cargo attempts to use the system certificates.

Hopefully, some further googling will help you figure out what such a CA bundle file should look like and how to generate it. Then, simply put your company's man-in-the-middle certificate in the bundle, point http.cainfo to it, and it should work!

Joeri
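Added example, not from any of the posters: one way to do what Joeri describes on Windows. It exports the company CA from the Windows "Trusted Root" store into a PEM bundle and points Cargo at it through http.cainfo. The thumbprint and the bundle path are placeholders you fill in; the output of certmgr.msc or Get-ChildItem Cert:\ gives you the thumbprint.

```powershell
# Added example (not from the thread). Assumptions: you know the SHA-1 thumbprint
# of the company's inspection CA, and the bundle path below is one you choose.
$Thumbprint = 'PASTE-CA-THUMBPRINT-HERE'   # placeholder, copy it from certmgr.msc
$BundlePath = Join-Path $env:USERPROFILE '.cargo\company-ca.pem'

# Look in both the machine-wide and the per-user Trusted Root stores.
$ca = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
      Where-Object { $_.Thumbprint -eq $Thumbprint } |
      Select-Object -First 1
if (-not $ca) { throw "No certificate with thumbprint $Thumbprint in a Root store" }

# A CA bundle is just one or more PEM blocks: Base64 of the DER bytes between
# BEGIN/END CERTIFICATE markers. Cargo hands this file to libcurl.
$b64 = [Convert]::ToBase64String($ca.RawData, 'InsertLineBreaks')
$pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
[IO.File]::WriteAllText($BundlePath, $pem)

# Point Cargo at the bundle in the user-level config (%USERPROFILE%\.cargo\config.toml).
# Setting CARGO_HTTP_CAINFO to the same path is the environment-variable equivalent.
$ConfigPath = Join-Path $env:USERPROFILE '.cargo\config.toml'
$CaInfo = $BundlePath -replace '\\', '/'   # TOML basic strings prefer forward slashes
if ((Test-Path $ConfigPath) -and (Select-String -Path $ConfigPath -Pattern '^\[http\]' -Quiet)) {
    Write-Warning "$ConfigPath already has an [http] table; add cainfo = `"$CaInfo`" there by hand."
} else {
    Add-Content -Path $ConfigPath -Value "`n[http]`ncainfo = `"$CaInfo`"`n"
}

# Check what you just trusted: the subject should be your company's CA, nothing else.
Write-Host "Bundle $BundlePath contains: $($ca.Subject) (expires $($ca.NotAfter))"
```

Because http.cainfo replaces the system store for Cargo's registry downloads, every host behind the inspecting firewall must present a chain ending at this CA, which is exactly the situation the original post describes.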