search

algesten / ureq

A simple, safe HTTP client
Apache License 2.0
1.64k stars 172 forks source link

Trust invalid certificate convenience function #691

Closed ynuwenhof closed 1 week ago

ynuwenhof commented 8 months ago

The current process of configuring ureq to trust invalid certificates is a bit annoying since you have to figure out the correct rustls version based on the ureq version you are using and then create a ClientConfig and custom catch all ServerCertVerifier. A simple convenience function or example in the documentation would be great.

[dependencies.rustls]
version = "0.21.6"
features = ["dangerous_configuration"]
let mut client_config = ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(RootCertStore::empty())
    .with_no_client_auth();

client_config
    .dangerous()
    .set_certificate_verifier(Arc::new(NoVerification));

AgentBuilder::new().tls_config(Arc::new(client_config)).build();
#[derive(Debug)]
struct NoVerification;

impl ServerCertVerifier for NoVerification {
    fn verify_server_cert(
        &self,
        _end_entity: &Certificate,
        _intermediates: &[Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp_response: &[u8],
        _now: SystemTime,
    ) -> Result<ServerCertVerified, Error> {
        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &Certificate,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
        Ok(HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &Certificate,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
        Ok(HandshakeSignatureValid::assertion())
    }
}
algesten commented 8 months ago

Hi @ynuwenhof, welcome to ureq!

Disabling certificate verification is a contentious issue. Some library authors would say it should be hard to disable it, others don't. It would be interesting to know what some other libraries do, like reqwest, curl, urllib3 for example.

ynuwenhof commented 8 months ago

Reqwest provides the convenience function danger_accept_invalid_certs on their ClientBuilder as for curl IIRC you can simply add the --insecure flag.

mcr commented 8 months ago

Martin Algesten @.***> wrote:

Disabling certificate verification is a contentious issue. Some library authors would say it should be hard to disable it, others don't. It would be interesting to know what some other libraries do, like reqwest, curl, urllib3 for example.

In my use case (RFC8995), I need to disable it, because it's a private PKI anchor. But, it will be validated later via other means. My opinion is that it should be done by providing an object that will do the validation as it sees fit. (Yes, a callback)

algesten commented 1 week ago

Closing since we're moving to ureq 3.x. This is solved in ureq 3.x