Trust invalid certificate convenience function #691

Closed
ynuwenhof opened this issue Dec 7, 2023 · 4 comments

@ynuwenhof

The current process of configuring ureq to trust invalid certificates is a bit annoying, since you have to figure out the correct rustls version based on the ureq version you are using and then create a `ClientConfig` and a custom catch-all `ServerCertVerifier`. A simple convenience function or example in the documentation would be great.

```toml
[dependencies.rustls]
version = "0.21.6"
features = ["dangerous_configuration"]
```

```rust
use std::sync::Arc;

use rustls::{ClientConfig, RootCertStore};
use ureq::AgentBuilder;

// Empty root store: no CA is trusted, the verifier set below decides everything.
let mut client_config = ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(RootCertStore::empty())
    .with_no_client_auth();

// Replace the default verifier with the catch-all NoVerification.
client_config
    .dangerous()
    .set_certificate_verifier(Arc::new(NoVerification));

AgentBuilder::new().tls_config(Arc::new(client_config)).build();
```

```rust
use std::time::SystemTime;

use rustls::client::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
use rustls::{Certificate, DigitallySignedStruct, Error};

// Catch-all verifier: accepts every certificate and every handshake signature.
#[derive(Debug)]
struct NoVerification;

impl ServerCertVerifier for NoVerification {
    fn verify_server_cert(
        &self,
        _end_entity: &Certificate,
        _intermediates: &[Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp_response: &[u8],
        _now: SystemTime,
    ) -> Result<ServerCertVerified, Error> {
        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &Certificate,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
        Ok(HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &Certificate,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
        Ok(HandshakeSignatureValid::assertion())
    }
}
```

@algesten
Owner

algesten commented Dec 9, 2023

Hi @ynuwenhof, welcome to ureq!

Disabling certificate verification is a contentious issue. Some library authors would say it should be hard to disable it, others don't. It would be interesting to know what some other libraries do, like reqwest, curl, urllib3 for example.

@ynuwenhof
Author

Reqwest provides the convenience function `danger_accept_invalid_certs` on their `ClientBuilder`; as for curl, IIRC you can simply add the `--insecure` flag.

@mcr
Contributor

mcr commented Dec 10, 2023 via email

@algesten
Owner

Closing since we're moving to ureq 3.x. This is solved in ureq 3.x
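
An audit-side view of the bypasses named in this thread, as an added example that is not part of the original issue or of ureq: a std-only Rust scanner that flags the rustls `dangerous_configuration` feature, a verifier installed through `set_certificate_verifier`, reqwest's `danger_accept_invalid_certs` and curl's `--insecure` in source text. The `scan` function, the `Finding` struct and the sample input are constructed for illustration.

```rust
// Added example (not from the issue or ureq). Needles are the bypasses named in the thread.
const PATTERNS: &[(&str, &str)] = &[
    ("dangerous_configuration", "rustls feature that unlocks custom verifiers"),
    ("set_certificate_verifier", "rustls certificate verifier override"),
    ("ServerCertVerified::assertion", "verifier asserts success without checking"),
    ("danger_accept_invalid_certs", "reqwest verification bypass"),
    ("--insecure", "curl verification bypass"),
];

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line: usize, // 1-based line number
    pub needle: &'static str,
    pub reason: &'static str,
}

/// Scan one file's text. Lines that are wholly a `//` or `#` comment are
/// skipped; Rust attributes (`#[...]`) are still scanned.
pub fn scan(text: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, raw) in text.lines().enumerate() {
        let line = raw.trim_start();
        let hash_comment = line.starts_with('#') && !line.starts_with("#[");
        if line.starts_with("//") || hash_comment {
            continue;
        }
        for &(needle, reason) in PATTERNS {
            if line.contains(needle) {
                out.push(Finding { line: i + 1, needle, reason });
            }
        }
    }
    out
}

// Constructed sample: a Cargo.toml fragment, Rust lines and a shell line.
pub const SAMPLE: &str = "[dependencies.rustls]
features = [\"dangerous_configuration\"]
// client_config.dangerous().set_certificate_verifier(v);
client_config.dangerous().set_certificate_verifier(Arc::new(NoVerification));
Ok(ServerCertVerified::assertion())
curl --insecure https://example.invalid/
";

fn main() {
    for f in scan(SAMPLE) {
        println!("line {}: {} ({})", f.line, f.needle, f.reason);
    }
}
```

A hit is a prompt for review rather than proof of a flaw: the scanner cannot tell a test-only client from one that ships.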
