New option: dangerously_accept_invalid_certs
This patch adds an option to dangerously ignore all ceritificate verifications. This option must be used with extreme caution and should only be used as a last resort. Closes #209, #230 Co-authored-by: Hyeon Kim <simnalamburt@gmail.com>
This commit is contained in:
parent
f254b10fca
commit
bcc6479d22
3 changed files with 39 additions and 2 deletions
|
@ -65,7 +65,7 @@ tokio-socks = { version = "0.5.1", optional = true }
|
||||||
|
|
||||||
# Feature - TLS
|
# Feature - TLS
|
||||||
native-tls = { version = "0.2.0", optional = true }
|
native-tls = { version = "0.2.0", optional = true }
|
||||||
tokio-rustls = { version = "0.22.0", optional = true }
|
tokio-rustls = { version = "0.22.0", features = ["dangerous_configuration"], optional = true }
|
||||||
tokio-native-tls = { version = "0.3.0", optional = true }
|
tokio-native-tls = { version = "0.3.0", optional = true }
|
||||||
webpki-roots = { version = "0.20.0", optional = true }
|
webpki-roots = { version = "0.20.0", optional = true }
|
||||||
|
|
||||||
|
|
|
@ -38,7 +38,7 @@ use webpki_roots::TLS_SERVER_ROOTS;
|
||||||
#[cfg(feature = "tls-rust")]
|
#[cfg(feature = "tls-rust")]
|
||||||
use tokio_rustls::{
|
use tokio_rustls::{
|
||||||
client::TlsStream,
|
client::TlsStream,
|
||||||
rustls::{internal::pemfile::certs, ClientConfig, PrivateKey},
|
rustls::{self, internal::pemfile::certs, ClientConfig, PrivateKey},
|
||||||
webpki::DNSNameRef,
|
webpki::DNSNameRef,
|
||||||
TlsConnector,
|
TlsConnector,
|
||||||
};
|
};
|
||||||
|
@ -202,6 +202,10 @@ impl Connection {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if config.dangerously_accept_invalid_certs() {
|
||||||
|
builder.danger_accept_invalid_certs(true);
|
||||||
|
}
|
||||||
|
|
||||||
let connector: tokio_native_tls::TlsConnector = builder.build()?.into();
|
let connector: tokio_native_tls::TlsConnector = builder.build()?.into();
|
||||||
let domain = config.server()?;
|
let domain = config.server()?;
|
||||||
|
|
||||||
|
@ -265,6 +269,10 @@ impl Connection {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if config.dangerously_accept_invalid_certs() {
|
||||||
|
builder.dangerous().set_certificate_verifier(Arc::new(DangerousAcceptAllVerifier));
|
||||||
|
}
|
||||||
|
|
||||||
let connector = TlsConnector::from(Arc::new(builder));
|
let connector = TlsConnector::from(Arc::new(builder));
|
||||||
let domain = DNSNameRef::try_from_ascii_str(config.server()?)?;
|
let domain = DNSNameRef::try_from_ascii_str(config.server()?)?;
|
||||||
|
|
||||||
|
@ -363,3 +371,19 @@ impl Sink<Message> for Connection {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[cfg(feature = "tls-rust")]
|
||||||
|
struct DangerousAcceptAllVerifier;
|
||||||
|
|
||||||
|
#[cfg(feature = "tls-rust")]
|
||||||
|
impl rustls::ServerCertVerifier for DangerousAcceptAllVerifier {
|
||||||
|
fn verify_server_cert(
|
||||||
|
&self,
|
||||||
|
_: &rustls::RootCertStore,
|
||||||
|
_: &[rustls::Certificate],
|
||||||
|
_: DNSNameRef,
|
||||||
|
_: &[u8]
|
||||||
|
) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
|
||||||
|
return Ok(rustls::ServerCertVerified::assertion());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -137,6 +137,13 @@ pub struct Config {
|
||||||
#[cfg(any(feature = "tls-native", feature = "tls-rust"))]
|
#[cfg(any(feature = "tls-native", feature = "tls-rust"))]
|
||||||
#[cfg_attr(feature = "serde", serde(skip_serializing_if = "Option::is_none"))]
|
#[cfg_attr(feature = "serde", serde(skip_serializing_if = "Option::is_none"))]
|
||||||
pub client_cert_pass: Option<String>,
|
pub client_cert_pass: Option<String>,
|
||||||
|
/// On `true`, all certificate validations are skipped. Defaults to `false`.
|
||||||
|
///
|
||||||
|
/// # Warning
|
||||||
|
/// You should think very carefully before using this method. If invalid hostnames are trusted, *any* valid
|
||||||
|
/// certificate for *any* site will be trusted for use. This introduces significant vulnerabilities, and should
|
||||||
|
/// only be used as a last resort.
|
||||||
|
pub dangerously_accept_invalid_certs: Option<bool>,
|
||||||
/// The encoding type used for this connection.
|
/// The encoding type used for this connection.
|
||||||
/// This is typically UTF-8, but could be something else.
|
/// This is typically UTF-8, but could be something else.
|
||||||
#[cfg_attr(feature = "serde", serde(skip_serializing_if = "Option::is_none"))]
|
#[cfg_attr(feature = "serde", serde(skip_serializing_if = "Option::is_none"))]
|
||||||
|
@ -513,6 +520,12 @@ impl Config {
|
||||||
self.cert_path.as_ref().map(String::as_str)
|
self.cert_path.as_ref().map(String::as_str)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Gets whether or not to dangerously accept invalid certificates.
|
||||||
|
/// This defaults to `false` when not specified.
|
||||||
|
pub fn dangerously_accept_invalid_certs(&self) -> bool {
|
||||||
|
self.dangerously_accept_invalid_certs.as_ref().cloned().unwrap_or(false)
|
||||||
|
}
|
||||||
|
|
||||||
/// Gets the path to the client authentication certificate in DER format if specified.
|
/// Gets the path to the client authentication certificate in DER format if specified.
|
||||||
#[cfg(any(feature = "tls-native", feature = "tls-rust"))]
|
#[cfg(any(feature = "tls-native", feature = "tls-rust"))]
|
||||||
pub fn client_cert_path(&self) -> Option<&str> {
|
pub fn client_cert_path(&self) -> Option<&str> {
|
||||||
|
|
Loading…
Reference in a new issue