
rustls 忽略证书校验

0.23.6

解决方案:需要配置 rustls::ClientConfig 设置 set_certificate_verifier

代码:(参考自官方 Example)

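use rustls::crypto::CryptoProvider;
use std::sync::Arc;

/// Builds a `ClientConfig` (rustls 0.23) whose server-certificate check is
/// replaced by [`danger::NoCertificateVerification`].
///
/// The resulting client accepts any certificate the server presents, so the
/// peer is not authenticated: the connection is encrypted but an active
/// man-in-the-middle is not detected. Handshake signatures are still checked
/// against whatever certificate was presented (see the
/// `verify_tls12_signature` / `verify_tls13_signature` impls below).
///
/// Intended for local development against self-signed certificates; keep it
/// out of release builds (e.g. behind a cargo feature).
///
/// # Panics
///
/// Panics if no process-level default [`CryptoProvider`] is installed when
/// the config is built.
pub fn rustls_config() -> rustls::ClientConfig {
    // The root store is never consulted once the verifier below replaces the
    // default WebPKI verifier, so an empty one is sufficient.
    let mut config = rustls::ClientConfig::builder()
        .with_root_certificates(rustls::RootCertStore::empty())
        .with_no_client_auth();

    let provider = CryptoProvider::get_default()
        .expect("a process-level default CryptoProvider must be installed before building the config");

    config
        .dangerous()
        .set_certificate_verifier(Arc::new(danger::NoCertificateVerification::new(
            Arc::clone(provider),
        )));

    config
}

/// Verifier that accepts every server certificate.
mod danger {
    use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
    use rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider};
    use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
    use rustls::DigitallySignedStruct;
    use std::sync::Arc;

    /// Certificate verifier that skips chain validation and server-name
    /// matching but still verifies handshake signatures with the wrapped
    /// provider's algorithms.
    #[derive(Debug)]
    pub struct NoCertificateVerification(Arc<CryptoProvider>);

    impl NoCertificateVerification {
        /// Wraps `provider`, whose signature-verification algorithms are used
        /// for the TLS 1.2 / 1.3 handshake-signature checks.
        pub fn new(provider: Arc<CryptoProvider>) -> Self {
            Self(provider)
        }
    }

    impl ServerCertVerifier for NoCertificateVerification {
        /// Unconditionally reports the certificate as valid: chain, server
        /// name, OCSP response and current time are all ignored.
        fn verify_server_cert(
            &self,
            _end_entity: &CertificateDer<'_>,
            _intermediates: &[CertificateDer<'_>],
            _server_name: &ServerName<'_>,
            _ocsp: &[u8],
            _now: UnixTime,
        ) -> Result<ServerCertVerified, rustls::Error> {
            Ok(ServerCertVerified::assertion())
        }

        /// Delegates to rustls' TLS 1.2 signature check using the provider's
        /// algorithms; the presented (unvalidated) certificate is the key.
        fn verify_tls12_signature(
            &self,
            message: &[u8],
            cert: &CertificateDer<'_>,
            dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, rustls::Error> {
            verify_tls12_signature(message, cert, dss, &self.0.signature_verification_algorithms)
        }

        /// Delegates to rustls' TLS 1.3 signature check using the provider's
        /// algorithms; the presented (unvalidated) certificate is the key.
        fn verify_tls13_signature(
            &self,
            message: &[u8],
            cert: &CertificateDer<'_>,
            dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, rustls::Error> {
            verify_tls13_signature(message, cert, dss, &self.0.signature_verification_algorithms)
        }

        /// Advertises the signature schemes the wrapped provider can verify.
        fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
            self.0.signature_verification_algorithms.supported_schemes()
        }
    }
}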

0.21.12

解决方案:需要配置 rustls::ClientConfig 设置 set_certificate_verifier

注:dangerous 方法仅在开启了 rustls 的 dangerous_configuration feature flag 时才存在,需在 Cargo.toml 中配置 rustls = { version = "0.21.12", features = ["dangerous_configuration"] }

代码:

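use std::sync::Arc;

/// Builds a `ClientConfig` (rustls 0.21, `dangerous_configuration` feature)
/// whose server-certificate check is replaced by [`NoVerify`].
///
/// Every certificate the server presents is accepted, so the peer is not
/// authenticated: traffic is encrypted but an active man-in-the-middle is not
/// detected. Intended for local development against self-signed certificates;
/// keep it out of release builds (e.g. behind a cargo feature).
pub fn rustls_config() -> rustls::ClientConfig {
    let mut config = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(root_certs())
        .with_no_client_auth();

    // `dangerous()` is only available with the `dangerous_configuration`
    // feature enabled in Cargo.toml.
    config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoVerify));

    config
}

/// Server-certificate verifier that accepts any certificate; only
/// `verify_server_cert` is overridden.
struct NoVerify;

impl rustls::client::ServerCertVerifier for NoVerify {
    /// Reports every certificate as valid without inspecting the chain,
    /// server name, SCTs, OCSP response or current time.
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::Certificate,
        _intermediates: &[rustls::Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp: &[u8],
        _now: std::time::SystemTime,
    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::ServerCertVerified::assertion())
    }
}

/// Returns the root store handed to the builder.
///
/// It is empty: the verifier installed by [`rustls_config`] replaces the
/// default one, so these roots are never consulted. To use the platform trust
/// store instead, fill a `RootCertStore` from
/// `rustls_native_certs::load_native_certs()` via
/// `add_parsable_certificates` (requires the `rustls-native-certs` crate).
fn root_certs() -> rustls::RootCertStore {
    rustls::RootCertStore::empty()
}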
