# random
r
This is very much not kotlin but kotlin colored hence putting it in #C09222272 , but I'm not aware of a JVM focussed chat group with the quality of insight this Slack has... We've written a Kotlin JVM CLI that is deployed with a bundled JVM[1]. One issue we are seeing is clients deploying it in controlled environments where all HTTP traffic goes via an HTTPS proxy that does MITM stuff because the O/S has self-signed root certs installed. This fails because the JVM does not use the O/S certs so the MITM presented certs are rejected. I was surprised to find that there is no Open Source TrustManager implementation that uses the O/S certificates. I could write one... but the fact that I can't find one that already exists makes me think that perhaps there are very good reasons not to write your own? Any thoughts? [1] I am aware of the general shortcomings of the JVM for CLIs - can we just take it as read that for reasons it would be tedious to go into this is a necessary compromise?
s
I've seen companies use this kind of MITM tech before. I guess they use it to spy on employee web traffic and detect what they consider to be security threats, data exfiltration, etc. The problem is that it completely undermines the entire certificate chain. Let's be clear: these certificates are forged, and this is a MITM attack, so rejecting the certificate is really the only sane thing to do 😄 If you're talking to your own server, bundling your own certs with your CLI is not weird. Plenty of apps will sign their own cert and ignore existing root certs completely (both OS ones and JRE ones). If you're using your own pinned cert you can even reasonably claim that an MITM attack on this connection represents a security risk to you. On that basis, I'd just tell the client that you expect them to whitelist your connection, and that the CLI won't work otherwise.
👍 1
💯 1
r
I basically agree, but I strongly suspect our company position will be it isn't our business to tell clients how to set up their computers, and if they want to MITM all traffic off their employees' computers then they can.
s
Yeah, you're probably right 😞. Never mind the fact that a connection goes both ways, and that opening your server up to their MITM attack also undermines your own ability to secure incoming traffic. I think the way to use OS certs will vary depending on which Java distribution and OS, but it shouldn't be impossible 🤔
r
ChatGPT happily pops off and writes me a `TrustManager` implementation that reads the certs from Windows, macOS and Linux system trust stores. It just scares me that no one has put something out there to do it, if it's that easy...
s
Not that I'm advocating for giving responsibility for your app's security to a random open source developer named "hakky54" 😂 but it seems to have all the bases covered
r
Thanks for the pointer, I'll investigate what providers might be available to us...
s
> I basically agree, but I strongly suspect our company position will be it isn't our business to tell clients how to set up their computers, and if they want to MITM all traffic off their employees' computers then they can.

Well… one of my former companies did. The client was talking to our self-signed server and pinned the certificate. For one customer that didn't work as they ran a MITM firewall. I explained to my boss that this means the customer could grab the sales & market analysis data that's transferred from the server to the client in raw format and theoretically clone our valuable database. My boss told that customer to either make an exception in the firewall rules or they won't be able to use our services. They did. That's a possible outcome too, depending on the data transferred and how important it is to protect that.
👍 1
💯 1