Mirrors/chatmail-core
1
0
Fork 0
mirror of https://github.com/chatmail/core.git synced 2026-05-17 05:46:30 +03:00
Code Issues Packages Projects Releases Wiki Activity

feat(tls): do not verify TLS certificates for hostnames starting with _

Browse Source
This commit is contained in:
link2xt
2026-03-02 06:01:13 +00:00
parent 9e5e9d906e
commit 965ba2e892
2 changed files with 64 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/net/tls.rs
View File

@@ -10,6 +10,9 @@ use crate::net::session::SessionStream;
use tokio_rustls::rustls; use tokio_rustls::rustls;
use tokio_rustls::rustls::client::ClientSessionStore; use tokio_rustls::rustls::client::ClientSessionStore;
mod danger;
use danger::NoCertificateVerification;
pub async fn wrap_tls<'a>( pub async fn wrap_tls<'a>(
strict_tls: bool, strict_tls: bool,
hostname: &str, hostname: &str,
@@ -90,7 +93,6 @@ impl TlsSessionStore {
) )
} }
} }
pub async fn wrap_rustls<'a>( pub async fn wrap_rustls<'a>(
hostname: &str, hostname: &str,
port: u16, port: u16,
@@ -124,6 +126,12 @@ pub async fn wrap_rustls<'a>(
config.resumption = resumption; config.resumption = resumption;
config.enable_sni = use_sni; config.enable_sni = use_sni;
if hostname.starts_with("_") {
config
.dangerous()
.set_certificate_verifier(Arc::new(NoCertificateVerification::new()));
}
let tls = tokio_rustls::TlsConnector::from(Arc::new(config)); let tls = tokio_rustls::TlsConnector::from(Arc::new(config));
let name = tokio_rustls::rustls::pki_types::ServerName::try_from(hostname)?.to_owned(); let name = tokio_rustls::rustls::pki_types::ServerName::try_from(hostname)?.to_owned();
let tls_stream = tls.connect(name, stream).await?; let tls_stream = tls.connect(name, stream).await?;

55
src/net/tls/danger.rs Normal file
View File

@@ -0,0 +1,55 @@
//! Dangerous TLS implementation of accepting invalid certificates for Rustls.
use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
use tokio_rustls::rustls;
#[derive(Debug)]
pub(super) struct NoCertificateVerification();
impl NoCertificateVerification {
pub(super) fn new() -> Self {
Self()
}
}
impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert(
&self,
_end_entity: &CertificateDer<'_>,
_intermediates: &[CertificateDer<'_>],
_server_name: &ServerName<'_>,
_ocsp_response: &[u8],
_now: UnixTime,
) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
Ok(rustls::client::danger::ServerCertVerified::assertion())
}
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
let provider = rustls::crypto::ring::default_provider();
let supported_schemes = &provider.signature_verification_algorithms;
rustls::crypto::verify_tls12_signature(message, cert, dss, supported_schemes)
}
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
let provider = rustls::crypto::ring::default_provider();
let supported_schemes = &provider.signature_verification_algorithms;
rustls::crypto::verify_tls13_signature(message, cert, dss, supported_schemes)
}
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
let provider = rustls::crypto::ring::default_provider();
provider
.signature_verification_algorithms
.supported_schemes()
}
}