feat: allow TLS connections with invalid certificate if the key is unchanged

This change weakens TLS checks. Every time we make a successful TLS connection, we remember public key hash from the certificate in relation to the hostname. If later we connect to the same hostname and the public key does not change, we skip checking certificate chain. This way we will still connect successfully even if certificate expires or becomes invalid for another reason, but keeps the key. We always check that certificate corresponds to the hostname. We also do this for certificates starting with _ where we allow self-signed certificates, so self-signed certificates with mismatching domains are not allowed. Previously we did not check this for domains starting with _.
2026-05-02 12:56:30 +03:00 · 2026-03-29 17:47:12 +02:00
parent 7daa6cc8d9
commit 82924952fb
11 changed files with 338 additions and 32 deletions
--- a/src/net.rs
+++ b/src/net.rs
@@ -12,7 +12,7 @@ use tokio_io_timeout::TimeoutStream;

 use crate::context::Context;
 use crate::net::session::SessionStream;
-use crate::net::tls::TlsSessionStore;
+use crate::net::tls::{SpkiHashStore, TlsSessionStore};
 use crate::sql::Sql;
 use crate::tools::time;

@@ -130,6 +130,8 @@ pub(crate) async fn connect_tls_inner(
    strict_tls: bool,
    alpn: &str,
    tls_session_store: &TlsSessionStore,
+    spki_hash_store: &SpkiHashStore,
+    sql: &Sql,
 ) -> Result<impl SessionStream + 'static> {
    let use_sni = true;
    let tcp_stream = connect_tcp_inner(addr).await?;
@@ -141,6 +143,8 @@ pub(crate) async fn connect_tls_inner(
        alpn,
        tcp_stream,
        tls_session_store,
+        spki_hash_store,
+        sql,
    )
    .await?;
    Ok(tls_stream)