fix: use Rustls NoCertificateVerification for underscore domains instead of AcceptInvalidCertificates

Remove AcceptInvalidCertificates overrides in configure.rs and qr.rs that caused a fallback to OpenSSL/native-tls. The upstream Rustls TLS layer now handles underscore-prefixed domains via NoCertificateVerification directly. Also fix clippy lint in peer_channels.rs (map_or -> is_some_and).
2026-04-17 21:46:35 +03:00 · 2026-03-02 13:00:16 +01:00
parent 1b860372cc
commit e0768f5f37
7 changed files with 14 additions and 22 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1029,7 +1029,7 @@ dependencies = [
 "heck 0.5.0",
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]

 [[package]]
@@ -8011,7 +8011,7 @@ checksum = "f65c489a7071a749c849713807783f70672b28094011623e200cb86dcb835953"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]

 [[package]]
--- a/deltachat-rpc-client/src/deltachat_rpc_client/pytestplugin.py
+++ b/deltachat-rpc-client/src/deltachat_rpc_client/pytestplugin.py
@@ -358,4 +358,3 @@ def remote_bob_loop(channel):
            except Exception:
                # some unserializable result
                channel.send(None)
-
--- a/deltachat-rpc-client/tests/test_something.py
+++ b/deltachat-rpc-client/tests/test_something.py
@@ -1018,7 +1018,7 @@ def test_configured_imap_certificate_checks(acfactory):
    info = alice.get_info()
    domain = alice.get_config("addr").split("@")[-1]
    if domain.startswith("_"):
-        assert "cert_accept_invalid_certificates" in info.used_transport_settings
+        assert "cert_automatic" in info.used_transport_settings
    else:
        assert "cert_strict" in info.used_transport_settings

--- a/src/configure.rs
+++ b/src/configure.rs
@@ -581,13 +581,7 @@ async fn get_configured_param(
        smtp_password,
        provider,
        certificate_checks: match param.certificate_checks {
-            EnteredCertificateChecks::Automatic => {
-                if param_domain.starts_with('_') {
-                    ConfiguredCertificateChecks::AcceptInvalidCertificates
-                } else {
-                    ConfiguredCertificateChecks::Automatic
-                }
-            }
+            EnteredCertificateChecks::Automatic => ConfiguredCertificateChecks::Automatic,
            EnteredCertificateChecks::Strict => ConfiguredCertificateChecks::Strict,
            EnteredCertificateChecks::AcceptInvalidCertificates
            | EnteredCertificateChecks::AcceptInvalidCertificates2 => {
--- a/src/peer_channels.rs
+++ b/src/peer_channels.rs
@@ -247,7 +247,7 @@ impl Context {
        {
            // Underscore-prefixed domains use self-signed TLS certificates,
            // so we need to skip relay certificate verification for them.
-            let skip = relay_url.host_str().map_or(false, |h| h.starts_with('_'));
+            let skip = relay_url.host_str().is_some_and(|h| h.starts_with('_'));
            (RelayMode::Custom(RelayUrl::from(relay_url).into()), skip)
        } else {
            // FIXME: this should be RelayMode::Disabled instead.
--- a/src/qr.rs
+++ b/src/qr.rs
@@ -817,11 +817,6 @@ pub(crate) async fn login_param_from_account_qr(
        .context("Invalid DCACCOUNT scheme")?;

    if !payload.starts_with(HTTPS_SCHEME) {
-        let certificate_checks = if payload.starts_with('_') {
-            EnteredCertificateChecks::AcceptInvalidCertificates
-        } else {
-            EnteredCertificateChecks::Strict
-        };
        let rng = &mut rand::rngs::OsRng.unwrap_err();
        let username = Alphanumeric.sample_string(rng, 9);
        let addr = username + "@" + payload;
@@ -834,7 +829,7 @@ pub(crate) async fn login_param_from_account_qr(
                ..Default::default()
            },
            smtp: Default::default(),
-            certificate_checks,
+            certificate_checks: EnteredCertificateChecks::Automatic,
            oauth2: false,
        };
        return Ok(param);
--- a/src/qr/qr_tests.rs
+++ b/src/qr/qr_tests.rs
@@ -767,18 +767,22 @@ async fn test_decode_account_underscore_domain() -> Result<()> {
        }
    );

-    // Verify login params use AcceptInvalidCertificates for underscore domain.
+    // Verify login params use Automatic for underscore domain.
+    // The TLS layer handles underscore domains via NoCertificateVerification in Rustls.
    let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:_example.org").await?;
    assert!(param.addr.ends_with("@_example.org"));
    assert_eq!(
        param.certificate_checks,
-        EnteredCertificateChecks::AcceptInvalidCertificates
+        EnteredCertificateChecks::Automatic
    );

-    // Regular domain still uses Strict.
+    // Regular domain also uses Automatic.
    let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:example.org").await?;
    assert!(param.addr.ends_with("@example.org"));
-    assert_eq!(param.certificate_checks, EnteredCertificateChecks::Strict);
+    assert_eq!(
+        param.certificate_checks,
+        EnteredCertificateChecks::Automatic
+    );

    Ok(())
 }