ziglang / zig

General-purpose programming language and toolchain for maintaining robust, optimal, and reusable software.
https://ziglang.org
MIT License

Add support for custom certificate validation to std.crypto.tls.Client #15681

Open Chris3606 opened 1 year ago

Chris3606 commented 1 year ago

Currently, I don't see a way to customize the certificate validation that takes place, or even to toggle it. Although not a particularly good example with respect to security, I'm thinking of a use case like curl, which provides the -k/--insecure flag allowing you to toggle off hostname validation.

Not sure what degree of versatility/"footgun" type of options are desirable for the standard library, particularly in an area as important to security as certificate validation; however, given a custom TLS implementation is difficult to write correctly, it seems like value could be added. Other common TLS implementations like mbedtls do provide ways to customize elements of cert validation (for example, via mbedtls_ssl_conf_verify()), and it may have implications for programs designed to run in environments with custom or self-signed CAs.

clickingbuttons commented 7 months ago

Would an insecure option and a customizable ca_bundle be enough? That'd allow self-signed CAs to be skipped or validated (assuming you have access to the self-signed cert public keys).

What else do you need a callback for?