fix: use Rustls NoCertificateVerification for underscore domains instead of AcceptInvalidCertificates

Remove AcceptInvalidCertificates overrides in configure.rs and qr.rs that
caused a fallback to OpenSSL/native-tls. The upstream Rustls TLS layer now
handles underscore-prefixed domains via NoCertificateVerification directly.
Also fix clippy lint in peer_channels.rs (map_or -> is_some_and).
holger krekel
2026-03-02 13:00:16 +01:00
committed by link2xt
parent 3ee2148c90
commit c3a883f460
7 changed files with 14 additions and 22 deletions

4
Cargo.lock generated

@@ -1029,7 +1029,7 @@ dependencies = [
"heck 0.5.0", "heck 0.5.0",
"proc-macro2", "proc-macro2",
"quote", "quote",
"syn 2.0.114", "syn 2.0.117",
] ]
[[package]] [[package]]
@@ -8011,7 +8011,7 @@ checksum = "f65c489a7071a749c849713807783f70672b28094011623e200cb86dcb835953"
dependencies = [ dependencies = [
"proc-macro2", "proc-macro2",
"quote", "quote",
"syn 2.0.114", "syn 2.0.117",
] ]
[[package]] [[package]]


@@ -358,4 +358,3 @@ def remote_bob_loop(channel):
except Exception: except Exception:
# some unserializable result # some unserializable result
channel.send(None) channel.send(None)


@@ -1018,7 +1018,7 @@ def test_configured_imap_certificate_checks(acfactory):
info = alice.get_info() info = alice.get_info()
domain = alice.get_config("addr").split("@")[-1] domain = alice.get_config("addr").split("@")[-1]
if domain.startswith("_"): if domain.startswith("_"):
assert "cert_accept_invalid_certificates" in info.used_transport_settings assert "cert_automatic" in info.used_transport_settings
else: else:
assert "cert_strict" in info.used_transport_settings assert "cert_strict" in info.used_transport_settings


@@ -534,13 +534,7 @@ async fn get_configured_param(
smtp_password, smtp_password,
provider, provider,
certificate_checks: match param.certificate_checks { certificate_checks: match param.certificate_checks {
EnteredCertificateChecks::Automatic => { EnteredCertificateChecks::Automatic => ConfiguredCertificateChecks::Automatic,
if param_domain.starts_with('_') {
ConfiguredCertificateChecks::AcceptInvalidCertificates
} else {
ConfiguredCertificateChecks::Automatic
}
}
EnteredCertificateChecks::Strict => ConfiguredCertificateChecks::Strict, EnteredCertificateChecks::Strict => ConfiguredCertificateChecks::Strict,
EnteredCertificateChecks::AcceptInvalidCertificates EnteredCertificateChecks::AcceptInvalidCertificates
| EnteredCertificateChecks::AcceptInvalidCertificates2 => { | EnteredCertificateChecks::AcceptInvalidCertificates2 => {
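Review bot: After this change the `EnteredCertificateChecks::Automatic` arm stores `ConfiguredCertificateChecks::Automatic` for every domain, so the stored setting no longer records that TLS verification is skipped for underscore-prefixed hosts; per the commit description that decision now lives only in the TLS layer, which is not part of this diff. A comment on the arm would keep it visible here, for example `// Hosts starting with '_' get no certificate verification; the TLS layer decides this by hostname, not by this setting.` It is also worth confirming what the TLS layer does when the user entered `Strict` for such a host, since the `Strict` arm is unchanged and a hostname-based override there would silently contradict an explicit choice. The match and `get_configured_param` continue outside the hunk.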


@@ -247,7 +247,7 @@ impl Context {
{ {
// Underscore-prefixed domains use self-signed TLS certificates, // Underscore-prefixed domains use self-signed TLS certificates,
// so we need to skip relay certificate verification for them. // so we need to skip relay certificate verification for them.
let skip = relay_url.host_str().map_or(false, |h| h.starts_with('_')); let skip = relay_url.host_str().is_some_and(|h| h.starts_with('_'));
(RelayMode::Custom(RelayUrl::from(relay_url).into()), skip) (RelayMode::Custom(RelayUrl::from(relay_url).into()), skip)
} else { } else {
// FIXME: this should be RelayMode::Disabled instead. // FIXME: this should be RelayMode::Disabled instead.


@@ -805,11 +805,6 @@ pub(crate) async fn login_param_from_account_qr(
.context("Invalid DCACCOUNT scheme")?; .context("Invalid DCACCOUNT scheme")?;
if !payload.starts_with(HTTPS_SCHEME) { if !payload.starts_with(HTTPS_SCHEME) {
let certificate_checks = if payload.starts_with('_') {
EnteredCertificateChecks::AcceptInvalidCertificates
} else {
EnteredCertificateChecks::Strict
};
let rng = &mut rand::rngs::OsRng.unwrap_err(); let rng = &mut rand::rngs::OsRng.unwrap_err();
let username = Alphanumeric.sample_string(rng, 9); let username = Alphanumeric.sample_string(rng, 9);
let addr = username + "@" + payload; let addr = username + "@" + payload;
@@ -822,7 +817,7 @@ pub(crate) async fn login_param_from_account_qr(
..Default::default() ..Default::default()
}, },
smtp: Default::default(), smtp: Default::default(),
certificate_checks, certificate_checks: EnteredCertificateChecks::Automatic,
oauth2: false, oauth2: false,
}; };
return Ok(param); return Ok(param);
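Review bot: The hard-coded `certificate_checks: EnteredCertificateChecks::Automatic` in the second hunk also changes regular domains, which previously got `Strict` from the removed `if payload.starts_with('_')` branch; the commit description only mentions underscore domains. If `Automatic` can ever resolve to something weaker than `Strict` (not visible here), accounts provisioned from a scanned QR code lose a guarantee they had before. Keeping the distinction would be one line: `certificate_checks: if payload.starts_with('_') { EnteredCertificateChecks::Automatic } else { EnteredCertificateChecks::Strict },`. If the change is intended, a short comment saying why `Automatic` is sufficient for QR-supplied domains would help. `login_param_from_account_qr` starts and ends outside both hunks.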


@@ -750,18 +750,22 @@ async fn test_decode_account_underscore_domain() -> Result<()> {
} }
); );
// Verify login params use AcceptInvalidCertificates for underscore domain. // Verify login params use Automatic for underscore domain.
// The TLS layer handles underscore domains via NoCertificateVerification in Rustls.
let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:_example.org").await?; let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:_example.org").await?;
assert!(param.addr.ends_with("@_example.org")); assert!(param.addr.ends_with("@_example.org"));
assert_eq!( assert_eq!(
param.certificate_checks, param.certificate_checks,
EnteredCertificateChecks::AcceptInvalidCertificates EnteredCertificateChecks::Automatic
); );
// Regular domain still uses Strict. // Regular domain also uses Automatic.
let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:example.org").await?; let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:example.org").await?;
assert!(param.addr.ends_with("@example.org")); assert!(param.addr.ends_with("@example.org"));
assert_eq!(param.certificate_checks, EnteredCertificateChecks::Strict); assert_eq!(
param.certificate_checks,
EnteredCertificateChecks::Automatic
);
Ok(()) Ok(())
} }
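Review bot: Both assertions now expect `EnteredCertificateChecks::Automatic`, so this test no longer distinguishes an underscore domain from a regular one, and nothing in it checks that verification is skipped only for `_`-prefixed hosts. The new comment says the TLS layer handles this, but that behaviour is asserted nowhere in this diff. A test next to the TLS code that covers both a `_`-prefixed host and a regular host would pin the security-relevant part. The test function starts outside the hunk.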