feat(tls): do not verify TLS certificates for hostnames starting with _

2026-04-26 01:46:34 +03:00 · 2026-03-02 06:01:13 +00:00
parent 9e5e9d906e
commit 965ba2e892
2 changed files with 64 additions and 1 deletions
--- a/src/net/tls.rs
+++ b/src/net/tls.rs
@@ -10,6 +10,9 @@ use crate::net::session::SessionStream;
 use tokio_rustls::rustls;
 use tokio_rustls::rustls::client::ClientSessionStore;

+mod danger;
+use danger::NoCertificateVerification;
+
 pub async fn wrap_tls<'a>(
    strict_tls: bool,
    hostname: &str,
@@ -90,7 +93,6 @@ impl TlsSessionStore {
        )
    }
 }
-
 pub async fn wrap_rustls<'a>(
    hostname: &str,
    port: u16,
@@ -124,6 +126,12 @@ pub async fn wrap_rustls<'a>(
    config.resumption = resumption;
    config.enable_sni = use_sni;

+    if hostname.starts_with("_") {
+        config
+            .dangerous()
+            .set_certificate_verifier(Arc::new(NoCertificateVerification::new()));
+    }
+
    let tls = tokio_rustls::TlsConnector::from(Arc::new(config));
    let name = tokio_rustls::rustls::pki_types::ServerName::try_from(hostname)?.to_owned();
    let tls_stream = tls.connect(name, stream).await?;
--- a/src/net/tls/danger.rs
+++ b/src/net/tls/danger.rs
@@ -0,0 +1,55 @@
+//! Dangerous TLS implementation of accepting invalid certificates for Rustls.
+
+use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
+use tokio_rustls::rustls;
+
+#[derive(Debug)]
+pub(super) struct NoCertificateVerification();
+
+impl NoCertificateVerification {
+    pub(super) fn new() -> Self {
+        Self()
+    }
+}
+
+impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        Ok(rustls::client::danger::ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        let provider = rustls::crypto::ring::default_provider();
+        let supported_schemes = &provider.signature_verification_algorithms;
+        rustls::crypto::verify_tls12_signature(message, cert, dss, supported_schemes)
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        let provider = rustls::crypto::ring::default_provider();
+        let supported_schemes = &provider.signature_verification_algorithms;
+        rustls::crypto::verify_tls13_signature(message, cert, dss, supported_schemes)
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        let provider = rustls::crypto::ring::default_provider();
+        provider
+            .signature_verification_algorithms
+            .supported_schemes()
+    }
+}