Skip to content

[CVE] Add proxy certificate support for HTTPS connections #5108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
maelv-filigran wants to merge 1 commit into from
Closed

[CVE] Add proxy certificate support for HTTPS connections #5108

maelv-filigran wants to merge 1 commit into from

Conversation

@maelv-filigran
Copy link

@maelv-filigran maelv-filigran commented Oct 28, 2025

Proposed changes

  • Add custom entrypoint script to CVE connector to handle proxy certificate configuration
  • Modify Dockerfile to use entrypoint script instead of direct CMD execution
  • Process HTTPS_CA_CERTIFICATES environment variable and combine with system certificates
  • Set appropriate SSL environment variables (REQUESTS_CA_BUNDLE, SSL_CERT_FILE, CURL_CA_BUNDLE) for Python requests library

Related issues

  • OpenCTI #12177
  • HTTPS_CA_CERTIFICATES is not handled by lib request used in CVE

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key
  • I tested the code for its functionality using different use cases
  • I added/update the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

This change enables the CVE connector to work properly in environments that use HTTPS proxies with custom certificates. The entrypoint script automatically detects the presence of the HTTPS_CA_CERTIFICATES environment variable and configures the appropriate certificate bundle for the Python requests library used by the connector.

The implementation:

  1. Creates a temporary certificate bundle combining proxy certificates with system certificates
  2. Exports the necessary environment variables for SSL verification
  3. Maintains backward compatibility when no proxy certificates are provided

@maelv-filigran maelv-filigran self-assigned this Oct 28, 2025
@maelv-filigran maelv-filigran added the filigran team use to identify PR from the Filigran team label Oct 28, 2025
@maelv-filigran
Copy link
Author

maelv-filigran commented Oct 29, 2025
edited
Loading

As seen with @helene-nguyen the fix is moved to client-python

@helene-nguyen helene-nguyen deleted the opencti/issue/12177 branch December 19, 2025 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Megafredo Megafredo Awaiting requested review from Megafredo

@helene-nguyen helene-nguyen Awaiting requested review from helene-nguyen

Assignees

@maelv-filigran maelv-filigran

Labels

filigran team use to identify PR from the Filigran team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@maelv-filigran