Deprecate AcceptInvalidHostnames option

Rustls does not offer a documented way to accept valid certificates with invalid hostnames. Implementation of certificate verification in Rustls does not have a public API and reimplementing it is error-prone.
2026-04-28 19:06:35 +03:00 · 2019-12-08 19:34:39 +03:00
parent cd951ad396
commit c08a1adc9b
3 changed files with 9 additions and 17 deletions
--- a/deltachat-ffi/deltachat.h
+++ b/deltachat-ffi/deltachat.h
@@ -4050,11 +4050,6 @@ int64_t          dc_lot_get_timestamp     (const dc_lot_t* lot);
 */
 #define DC_CERTCK_STRICT 1

-/**
- * Accept invalid hostnames, but not invalid certificates.
- */
-#define DC_CERTCK_ACCEPT_INVALID_HOSTNAMES 2
-
 /**
 * Accept invalid certificates, including self-signed ones
 * or having incorrect hostname.
--- a/python/src/deltachat/const.py
+++ b/python/src/deltachat/const.py
@@ -68,7 +68,6 @@ DC_LP_SMTP_SOCKET_SSL = 0x20000
 DC_LP_SMTP_SOCKET_PLAIN = 0x40000
 DC_CERTCK_AUTO = 0
 DC_CERTCK_STRICT = 1
-DC_CERTCK_ACCEPT_INVALID_HOSTNAMES = 2
 DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 3
 DC_EMPTY_MVBOX = 0x01
 DC_EMPTY_INBOX = 0x02
--- a/src/login_param.rs
+++ b/src/login_param.rs
@@ -16,7 +16,11 @@ use webpki_roots;
 pub enum CertificateChecks {
    Automatic = 0,
    Strict = 1,
-    AcceptInvalidHostnames = 2,
+
+    /// Same as AcceptInvalidCertificates
+    /// Previously known as AcceptInvalidHostnames, now deprecated.
+    AcceptInvalidCertificates2 = 2,
+
    AcceptInvalidCertificates = 3,
 }

@@ -288,14 +292,8 @@ pub fn dc_build_tls_config(certificate_checks: CertificateChecks) -> rustls::Cli
                .dangerous()
                .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
        }
-        CertificateChecks::AcceptInvalidCertificates => {
-            // TODO: only accept invalid certs
-            config
-                .dangerous()
-                .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
-        }
-        CertificateChecks::AcceptInvalidHostnames => {
-            // TODO: only accept invalid hostnames
+        CertificateChecks::AcceptInvalidCertificates
+        | CertificateChecks::AcceptInvalidCertificates2 => {
            config
                .dangerous()
                .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
@@ -313,8 +311,8 @@ mod tests {
        use std::string::ToString;

        assert_eq!(
-            "accept_invalid_hostnames".to_string(),
-            CertificateChecks::AcceptInvalidHostnames.to_string()
+            "accept_invalid_certificates".to_string(),
+            CertificateChecks::AcceptInvalidCertificates.to_string()
        );
    }
 }