rustls 忽略证书校验
0.23.6
解决方案：需要配置 rustls::ClientConfig，并通过 set_certificate_verifier 设置证书校验器。
代码:(参考自官方 Example)
use rustls::crypto::CryptoProvider;
use std::sync::Arc;
/// Builds a rustls 0.23 client configuration whose certificate verifier
/// (`danger::NoCertificateVerification`) accepts every server certificate.
///
/// The root store is empty and the verifier never inspects the chain, so the
/// returned config does not authenticate the peer at all: whoever terminates
/// the TLS connection is accepted. Handshake signatures are still checked
/// through the default `CryptoProvider`.
///
/// # Panics
/// Panics if no default `CryptoProvider` is installed. `ClientConfig::builder()`
/// runs first, which (in rustls 0.23) installs the crate's default provider
/// when none has been set yet — TODO confirm against the rustls version in use.
pub fn rustls_config() -> rustls::ClientConfig {
    let mut config = rustls::ClientConfig::builder()
        .with_root_certificates(rustls::RootCertStore::empty())
        .with_no_client_auth();

    // The provider is looked up only after `builder()` has run, see `# Panics`.
    let provider = CryptoProvider::get_default().unwrap().clone();
    let verifier = danger::NoCertificateVerification::new(provider);

    config
        .dangerous()
        .set_certificate_verifier(Arc::new(verifier));
    config
}
/// Verifier types that bypass server certificate validation.
///
/// Mirrors the rustls 0.23 "dangerous" example: the certificate chain is never
/// examined, while TLS 1.2/1.3 handshake signatures are still verified with the
/// algorithms of the supplied `CryptoProvider`.
mod danger {
    use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
    use rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider};
    use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
    use rustls::{DigitallySignedStruct, Error, SignatureScheme};
    use std::sync::Arc;

    /// A `ServerCertVerifier` that accepts any certificate chain.
    ///
    /// Only the provider is retained: its signature verification algorithms
    /// back the handshake signature checks and the list of supported schemes.
    /// The peer's identity is never authenticated, so a config using this
    /// verifier is exposed to anyone able to interpose on the connection.
    #[derive(Debug)]
    pub struct NoCertificateVerification {
        provider: Arc<CryptoProvider>,
    }

    impl NoCertificateVerification {
        /// Wraps `provider`, whose algorithms are used for signature checks.
        pub fn new(provider: Arc<CryptoProvider>) -> Self {
            Self { provider }
        }
    }

    impl ServerCertVerifier for NoCertificateVerification {
        /// Asserts the certificate as verified without looking at any input
        /// (end-entity certificate, intermediates, server name, OCSP data, time).
        fn verify_server_cert(
            &self,
            _end_entity: &CertificateDer<'_>,
            _intermediates: &[CertificateDer<'_>],
            _server_name: &ServerName<'_>,
            _ocsp: &[u8],
            _now: UnixTime,
        ) -> Result<ServerCertVerified, Error> {
            Ok(ServerCertVerified::assertion())
        }

        /// Verifies a TLS 1.2 handshake signature with the provider's algorithms.
        fn verify_tls12_signature(
            &self,
            message: &[u8],
            cert: &CertificateDer<'_>,
            dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, Error> {
            let algorithms = &self.provider.signature_verification_algorithms;
            verify_tls12_signature(message, cert, dss, algorithms)
        }

        /// Verifies a TLS 1.3 handshake signature with the provider's algorithms.
        fn verify_tls13_signature(
            &self,
            message: &[u8],
            cert: &CertificateDer<'_>,
            dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, Error> {
            let algorithms = &self.provider.signature_verification_algorithms;
            verify_tls13_signature(message, cert, dss, algorithms)
        }

        /// Signature schemes the provider can verify.
        fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
            self.provider
                .signature_verification_algorithms
                .supported_schemes()
        }
    }
}
0.21.12
解决方案：需要配置 rustls::ClientConfig，并通过 set_certificate_verifier 设置证书校验器。
注：`dangerous` 方法仅在开启了 rustls 的 `dangerous_configuration` feature 时才会存在，需在 Cargo.toml 中配置 `rustls = { version = "0.21.12", features = ["dangerous_configuration"] }`。
代码:
use std::sync::Arc;
/// Builds a rustls 0.21 client configuration whose certificate verifier
/// (`NoVerify`) accepts any server certificate.
///
/// Requires the `dangerous_configuration` feature of rustls 0.21; without it
/// `ClientConfig::dangerous` is not available. Because `NoVerify` never
/// examines the chain, the returned config does not authenticate the server
/// and offers no protection against an interposed endpoint; the roots from
/// `root_certs()` are effectively unused.
pub fn rustls_config() -> rustls::ClientConfig {
    let mut config = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(root_certs())
        .with_no_client_auth();

    // `dangerous()` yields a temporary wrapper around `config`; the verifier
    // installed through it is stored in `config` itself.
    config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoVerify {}));
    config
}
/// Server certificate verifier that accepts every certificate it is shown.
///
/// `verify_server_cert` ignores the end-entity certificate, the intermediates,
/// the server name, SCTs, OCSP data and the clock, and returns a positive
/// assertion unconditionally; a config using it does not authenticate the peer.
struct NoVerify {}

impl rustls::client::ServerCertVerifier for NoVerify {
    /// Always reports the certificate as verified; no input is examined.
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::Certificate,
        _intermediates: &[rustls::Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp: &[u8],
        _now: std::time::SystemTime,
    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::ServerCertVerified::assertion())
    }
}
/// Root store handed to `rustls_config`.
///
/// Returns an empty store; with `NoVerify` installed the roots are never
/// consulted. The commented-out draft below shows how the platform CA bundle
/// could be loaded instead (via the `rustls_native_certs` crate), which is
/// only meaningful once a real verifier is in place.
fn root_certs() -> rustls::RootCertStore {
    // Alternative: populate the store from the native certificate bundle.
    // let mut roots = rustls::RootCertStore::empty();
    // let certs = rustls_native_certs::load_native_certs().expect("Certs not loadable!");
    // let certs: Vec<_> = certs.into_iter().map(|cert| cert.0).collect();
    // roots.add_parsable_certificates(&certs);
    // roots
    rustls::RootCertStore::empty()
}