Add http.proxy-cainfo config for proxy certs (#15374)

This adds a `http.proxy-cainfo` option to Cargo which reads CA information from a bundle to pass through to the underlying `libcurl` call. This should allow configuration of Cargo in situations where SSL proxy is used. Similar to https://github.com/rust-lang/cargo/pull/2917. cc #15376
2025-09-25 11:14:46 +00:00 · 2025-06-27 16:17:30 +00:00 · 2025-06-27 16:17:30 +00:00 · 96c6d7b9c2
commit 96c6d7b9c2
parent 132064214f 5af783129a
4 changed files with 17 additions and 0 deletions
--- a/src/cargo/util/context/mod.rs
+++ b/src/cargo/util/context/mod.rs
@ -2632,6 +2632,7 @@ pub struct CargoHttpConfig {
    pub low_speed_limit: Option<u32>,
    pub timeout: Option<u64>,
    pub cainfo: Option<ConfigRelativePath>,
+    pub proxy_cainfo: Option<ConfigRelativePath>,
    pub check_revoke: Option<bool>,
    pub user_agent: Option<String>,
    pub debug: Option<bool>,
--- a/src/cargo/util/network/http.rs
+++ b/src/cargo/util/network/http.rs
@ -61,6 +61,11 @@ pub fn configure_http_handle(gctx: &GlobalContext, handle: &mut Easy) -> CargoRe
        let cainfo = cainfo.resolve_path(gctx);
        handle.cainfo(&cainfo)?;
    }
+    // Use `proxy_cainfo` if explicitly set; otherwise, fall back to `cainfo` as curl does #15376.
+    if let Some(proxy_cainfo) = http.proxy_cainfo.as_ref().or(http.cainfo.as_ref()) {
+        let proxy_cainfo = proxy_cainfo.resolve_path(gctx);
+        handle.proxy_cainfo(&format!("{}", proxy_cainfo.display()))?;
+    }
    if let Some(check) = http.check_revoke {
        handle.ssl_options(SslOpt::new().no_revoke(!check))?;
    }
--- a/src/doc/src/reference/config.md
+++ b/src/doc/src/reference/config.md
@ -110,6 +110,7 @@ ssl-version.min = "tlsv1.1" # minimum TLS version
 timeout = 30                # timeout for each HTTP request, in seconds
 low-speed-limit = 10        # network timeout threshold (bytes/sec)
 cainfo = "cert.pem"         # path to Certificate Authority (CA) bundle
+proxy-cainfo = "cert.pem"   # path to proxy Certificate Authority (CA) bundle
 check-revoke = true         # check for SSL certificate revocation
 multiplexing = true         # HTTP/2 multiplexing
 user-agent = "…"            # the user-agent header
@ -746,6 +747,14 @@ Sets the timeout for each HTTP request, in seconds.
 Path to a Certificate Authority (CA) bundle file, used to verify TLS
 certificates. If not specified, Cargo attempts to use the system certificates.

+#### `http.proxy-cainfo`
+* Type: string (path)
+* Default: falls back to `http.cainfo` if not set
+* Environment: `CARGO_HTTP_PROXY_CAINFO`
+
+Path to a Certificate Authority (CA) bundle file, used to verify proxy TLS
+certificates.
+
 #### `http.check-revoke`
 * Type: boolean
 * Default: true (Windows) false (all others)
--- a/src/doc/src/reference/environment-variables.md
+++ b/src/doc/src/reference/environment-variables.md
@ -106,6 +106,7 @@ In summary, the supported environment variables are:
 * `CARGO_HTTP_PROXY` --- Enables HTTP proxy, see [`http.proxy`].
 * `CARGO_HTTP_TIMEOUT` --- The HTTP timeout, see [`http.timeout`].
 * `CARGO_HTTP_CAINFO` --- The TLS certificate Certificate Authority file, see [`http.cainfo`].
+* `CARGO_HTTP_PROXY_CAINFO` --- The proxy TLS certificate Certificate Authority file, see [`http.proxy-cainfo`].
 * `CARGO_HTTP_CHECK_REVOKE` --- Disables TLS certificate revocation checks, see [`http.check-revoke`].
 * `CARGO_HTTP_SSL_VERSION` --- The TLS version to use, see [`http.ssl-version`].
 * `CARGO_HTTP_LOW_SPEED_LIMIT` --- The HTTP low-speed limit, see [`http.low-speed-limit`].
@ -173,6 +174,7 @@ In summary, the supported environment variables are:
 [`http.proxy`]: config.md#httpproxy
 [`http.timeout`]: config.md#httptimeout
 [`http.cainfo`]: config.md#httpcainfo
+[`http.proxy-cainfo`]: config.md#httpproxy-cainfo
 [`http.check-revoke`]: config.md#httpcheck-revoke
 [`http.ssl-version`]: config.md#httpssl-version
 [`http.low-speed-limit`]: config.md#httplow-speed-limit