ureq
Trust invalid certificate convenience function
The current process of configuring ureq to trust invalid certificates is a bit annoying since you have to figure out the correct rustls version based on the ureq version you are using and then create a `ClientConfig` and custom catch-all `ServerCertVerifier`. A simple convenience function or example in the documentation would be great.
```toml
[dependencies.rustls]
version = "0.21.6"
features = ["dangerous_configuration"]
```
```rust
use std::sync::Arc;
use std::time::SystemTime;

use rustls::client::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
use rustls::{Certificate, ClientConfig, DigitallySignedStruct, Error, RootCertStore};
use ureq::AgentBuilder;

/// Builds an agent whose TLS client performs no certificate verification at all.
fn insecure_agent() -> ureq::Agent {
    let mut client_config = ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(RootCertStore::empty())
        .with_no_client_auth();
    // `dangerous()` is only available with the rustls `dangerous_configuration`
    // feature enabled in Cargo.toml.
    client_config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoVerification));
    AgentBuilder::new().tls_config(Arc::new(client_config)).build()
}

/// Catch-all verifier: accepts any certificate chain and any handshake signature.
#[derive(Debug)]
struct NoVerification;

impl ServerCertVerifier for NoVerification {
    fn verify_server_cert(
        &self,
        _end_entity: &Certificate,
        _intermediates: &[Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp_response: &[u8],
        _now: SystemTime,
    ) -> Result<ServerCertVerified, Error> {
        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &Certificate,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
        Ok(HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &Certificate,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
        Ok(HandshakeSignatureValid::assertion())
    }
}
```
Hi @ynuwenhof, welcome to ureq!
Disabling certificate verification is a contentious issue. Some library authors would say it should be hard to disable it, others don't. It would be interesting to know what some other libraries do, like `reqwest`, `curl`, `urllib3` for example.
Reqwest provides the convenience function `danger_accept_invalid_certs` on their `ClientBuilder`; as for curl, IIRC you can simply add the `--insecure` flag.
Martin Algesten wrote:

> Disabling certificate verification is a contentious issue. Some library authors would say it should be hard to disable it, others don't. It would be interesting to know what some other libraries do, like `reqwest`, `curl`, `urllib3` for example.
In my use case (RFC8995), I need to disable it, because it's a private PKI anchor. But, it will be validated later via other means. My opinion is that it should be done by providing an object that will do the validation as it sees fit. (Yes, a callback)
Closing since we're moving to ureq 3.x. This is solved in ureq 3.x