feat(ssl): remove hardened HTTPS validation kit for proxied connections; add E2E test file tls-revocation.spec.js

Gldywn · Gldywn · commit 7197221f387c · 2025-09-05T17:51:58.000+02:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -94,7 +94,7 @@
         "feed": "^4.2.2",
         "form-data": "~4.0.0",
         "gamedig": "^4.2.0",
-        "hardened-https-agent": "^1.3.0",
+        "hardened-https-agent": "~1.5.0",
         "html-escaper": "^3.0.3",
         "http-cookie-agent": "~5.0.4",
         "http-graceful-shutdown": "~3.1.7",
diff --git a/server/model/monitor.js b/server/model/monitor.js
@@ -530,7 +530,6 @@ class Monitor extends BeanModel {
                             const { httpAgent, httpsAgent } = Proxy.createAgents(proxy, {
                                 httpsAgentOptions: httpsAgentOptions,
                                 httpAgentOptions: httpAgentOptions,
-                                hardenedHttpsValidationKitOptions: hardenedHttpsValidationKitOptions,
                             });
 
                             options.proxy = false;
diff --git a/server/proxy.js b/server/proxy.js
@@ -6,7 +6,6 @@ const { debug } = require("../src/util");
 const { UptimeKumaServer } = require("./uptime-kuma-server");
 const { CookieJar } = require("tough-cookie");
 const { createCookieAgent } = require("http-cookie-agent/http");
-const { HardenedHttpsValidationKit } = require("hardened-https-agent");
 
 class Proxy {
 
@@ -88,16 +87,15 @@ class Proxy {
     /**
      * Create HTTP and HTTPS agents related with given proxy bean object
      * @param {object} proxy proxy bean object
-     * @param {object} options http and https agent options with hardened https validation kit options
+     * @param {object} options http and https agent options
      * @returns {{httpAgent: Agent, httpsAgent: Agent}} New HTTP and HTTPS agents
      * @throws Proxy protocol is unsupported
      */
     static createAgents(proxy, options) {
-        const { httpAgentOptions, httpsAgentOptions, hardenedHttpsValidationKitOptions } = options || {};
+        const { httpAgentOptions, httpsAgentOptions } = options || {};
         let agent;
         let httpAgent;
         let httpsAgent;
-        let validationKit = hardenedHttpsValidationKitOptions ? new HardenedHttpsValidationKit(hardenedHttpsValidationKitOptions) : null;
 
         let jar = new CookieJar();
 
@@ -115,50 +113,42 @@ class Proxy {
         debug(`Proxy URL: ${proxyUrl.toString()}`);
         debug(`HTTP Agent Options: ${JSON.stringify(httpAgentOptions)}`);
         debug(`HTTPS Agent Options: ${JSON.stringify(httpsAgentOptions)}`);
-        if (validationKit) {
-            debug(`Hardened HTTPS ValidationKit Options: ${JSON.stringify(hardenedHttpsValidationKitOptions)}`);
-        }
 
         switch (proxy.protocol) {
             case "http":
-            case "https": {
+            case "https":
                 // eslint-disable-next-line no-case-declarations
                 const HttpCookieProxyAgent = createCookieAgent(HttpProxyAgent);
+                // eslint-disable-next-line no-case-declarations
+                const HttpsCookieProxyAgent = createCookieAgent(HttpsProxyAgent);
+
                 httpAgent = new HttpCookieProxyAgent(proxyUrl.toString(), {
                     ...(httpAgentOptions || {}),
                     ...proxyOptions,
                 });
-
-                // eslint-disable-next-line no-case-declarations
-                const HttpsCookieProxyAgent = createCookieAgent(HttpsProxyAgent);
-                let httpsProxyAgentOptions = {
+                httpsAgent = new HttpsCookieProxyAgent(proxyUrl.toString(), {
                     ...(httpsAgentOptions || {}),
                     ...proxyOptions,
-                };
-                httpsAgent = new HttpsCookieProxyAgent(proxyUrl.toString(), !validationKit ? httpsProxyAgentOptions : validationKit.applyBeforeConnect(httpsProxyAgentOptions));
-                validationKit?.attachToAgent(httpsAgent);
+                });
+
                 break;
-            }
             case "socks":
             case "socks5":
             case "socks5h":
-            case "socks4": {
+            case "socks4":
                 // eslint-disable-next-line no-case-declarations
                 const SocksCookieProxyAgent = createCookieAgent(SocksProxyAgent);
-                let socksProxyAgentOptions = {
+                agent = new SocksCookieProxyAgent(proxyUrl.toString(), {
                     ...httpAgentOptions,
                     ...httpsAgentOptions,
                     tls: {
                         rejectUnauthorized: httpsAgentOptions.rejectUnauthorized,
                     },
-                };
-                agent = new SocksCookieProxyAgent(proxyUrl.toString(), !validationKit ? socksProxyAgentOptions : validationKit.applyBeforeConnect(socksProxyAgentOptions));
-                validationKit?.attachToAgent(agent);
+                });
 
                 httpAgent = agent;
                 httpsAgent = agent;
                 break;
-            }
 
             default: throw new Error(`Unsupported proxy protocol provided. ${proxy.protocol}`);
         }
diff --git a/test/e2e/specs/tls-revocation.spec.js b/test/e2e/specs/tls-revocation.spec.js
@@ -0,0 +1,85 @@
+import { expect, test } from "@playwright/test";
+import { login, restoreSqliteSnapshot, screenshot } from "../util-test";
+
+/**
+ * Create an HTTP monitor via the UI and navigate back to the dashboard.
+ * @param {import('@playwright/test').Page} page - Playwright page instance.
+ * @param {{ name: string, url: string, ignoreTls?: boolean }} param1 - Monitor parameters.
+ * @returns {Promise<void>} Resolves when the monitor has been saved and the dashboard is shown.
+ */
+async function createHttpMonitor(page, { name, url, ignoreTls = false }) {
+    await page.goto("./add");
+    await login(page);
+
+    await expect(page.getByTestId("monitor-type-select")).toBeVisible();
+    await page.getByTestId("monitor-type-select").selectOption("http");
+
+    await page.getByTestId("friendly-name-input").fill(name);
+    await page.getByTestId("url-input").fill(url);
+
+    if (ignoreTls) {
+        // No data-testid, so select by id
+        await page.locator("#ignore-tls").check();
+    }
+
+    await page.getByTestId("save-button").click();
+    await page.waitForURL("/dashboard/*");
+}
+
+/**
+ * Wait until the monitor status badge matches the expected value.
+ * @param {import('@playwright/test').Page} page - Playwright page instance.
+ * @param {string} expected - Expected status text (case-insensitive). One of: up | down | pending | maintenance.
+ * @param {number} timeoutMs - Max time to wait in milliseconds. Default: 15000.
+ * @returns {Promise<void>} Resolves when the expected status appears or rejects on timeout.
+ */
+async function waitForStatus(page, expected, timeoutMs = 15000) {
+    await expect(page.getByTestId("monitor-status")).toHaveText(expected, {
+        ignoreCase: true,
+        timeout: timeoutMs,
+    });
+}
+
+test.describe("TLS Revocation (Policy: OCSP Mixed with failHard=false)", () => {
+    test.beforeEach(async ({ page }) => {
+        await restoreSqliteSnapshot(page);
+    });
+
+    test("if a domain is not revoked, the monitor should be UP", async ({ page }, testInfo) => {
+        await createHttpMonitor(page, { name: "not-revoked",
+            url: "https://www.example.com" });
+        await waitForStatus(page, "up");
+        await screenshot(testInfo, page);
+    });
+
+    test("if a domain is OCSP-revoked, the monitor should be DOWN", async ({ page }, testInfo) => {
+        await createHttpMonitor(page, { name: "ocsp-revoked",
+            url: "https://aaacertificateservices.comodoca.com:444" });
+        await waitForStatus(page, "down");
+        await screenshot(testInfo, page);
+    });
+
+    // TODO: Modify this test when we support CRLs
+    test("if a domain is CRL-only revoked, the monitor should be UP (because we don't support CRLs yet and failHard=false)", async ({ page }, testInfo) => {
+        await createHttpMonitor(page, { name: "crl-only-revoked",
+            url: "https://revoked.badssl.com" });
+        await waitForStatus(page, "up");
+        await screenshot(testInfo, page);
+    });
+
+    // StackOverflow uses Let's Encrypt which recently dropped OCSP support (c.f. https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-end-of-life), making it a reliable test target
+    test("if OCSP is unavailable for a domain, the monitor should be UP (because failHard=false)", async ({ page }, testInfo) => {
+        await createHttpMonitor(page, { name: "ocsp-unavailable",
+            url: "https://stackoverflow.com" });
+        await waitForStatus(page, "up");
+        await screenshot(testInfo, page);
+    });
+
+    test("if ignoreTls=true for a domain, the monitor should be UP (regardless of the certificate status)", async ({ page }, testInfo) => {
+        await createHttpMonitor(page, { name: "tls-ignored",
+            url: "https://aaacertificateservices.comodoca.com:444",
+            ignoreTls: true });
+        await waitForStatus(page, "up");
+        await screenshot(testInfo, page);
+    });
+});
