rustls 忽略证书校验
0.23.6
解决方案:配置 rustls::ClientConfig,通过 dangerous() 调用 set_certificate_verifier 替换默认的证书校验器。
代码:(参考自官方 Example)
use rustls::crypto::CryptoProvider;
use std::sync::Arc;
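/// Builds a [`rustls::ClientConfig`] whose server-certificate verifier is
/// replaced by [`danger::NoCertificateVerification`].
///
/// The verifier that `with_root_certificates` installs is overwritten by the
/// `set_certificate_verifier` call, so the empty [`rustls::RootCertStore`] is
/// never consulted and the client accepts whatever certificate the peer
/// presents: it cannot distinguish the intended server from an interposed one.
/// Handshake signatures are still checked (see the `danger` module), but
/// against the key carried by that unvalidated certificate.
///
/// # Panics
///
/// Panics if no process-default [`CryptoProvider`] is installed at the point
/// it is requested. In rustls 0.23 `ClientConfig::builder()` is expected to
/// install one from the crate features when a single provider feature is
/// enabled — TODO confirm for the feature set in use.
pub fn rustls_config() -> rustls::ClientConfig {
    let mut config = rustls::ClientConfig::builder()
        .with_root_certificates(rustls::RootCertStore::empty())
        .with_no_client_auth();

    // `get_default` is fallible; state the invariant instead of a bare `unwrap`.
    let provider = CryptoProvider::get_default()
        .expect("a process-default CryptoProvider must be installed before rustls_config() is called");

    config
        .dangerous()
        .set_certificate_verifier(Arc::new(danger::NoCertificateVerification::new(
            Arc::clone(provider),
        )));
    config
}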
mod danger {
    use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
    use rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider};
    use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
    use rustls::{DigitallySignedStruct, Error, SignatureScheme};
    use std::sync::Arc;

    /// A [`ServerCertVerifier`] that accepts every server certificate.
    ///
    /// `verify_server_cert` ignores the chain, the server name, the OCSP
    /// response and the current time, so unknown issuers, name mismatches and
    /// expired certificates all pass. The TLS 1.2/1.3 handshake-signature
    /// checks are still delegated to the wrapped provider, but they use the
    /// key from whichever certificate the peer sent.
    #[derive(Debug)]
    pub struct NoCertificateVerification {
        /// Supplies the signature-verification algorithms used by the
        /// `verify_tls12_signature` / `verify_tls13_signature` delegations.
        provider: Arc<CryptoProvider>,
    }

    impl NoCertificateVerification {
        /// Wraps `provider`; its algorithms back the signature checks.
        pub fn new(provider: Arc<CryptoProvider>) -> Self {
            NoCertificateVerification { provider }
        }
    }

    impl ServerCertVerifier for NoCertificateVerification {
        /// Returns a success assertion without examining any argument.
        fn verify_server_cert(
            &self,
            _end_entity: &CertificateDer<'_>,
            _intermediates: &[CertificateDer<'_>],
            _server_name: &ServerName<'_>,
            _ocsp: &[u8],
            _now: UnixTime,
        ) -> Result<ServerCertVerified, Error> {
            Ok(ServerCertVerified::assertion())
        }

        /// Delegates the TLS 1.2 signature check to the provider's algorithms.
        fn verify_tls12_signature(
            &self,
            message: &[u8],
            cert: &CertificateDer<'_>,
            dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, Error> {
            let algorithms = &self.provider.signature_verification_algorithms;
            verify_tls12_signature(message, cert, dss, algorithms)
        }

        /// Delegates the TLS 1.3 signature check to the provider's algorithms.
        fn verify_tls13_signature(
            &self,
            message: &[u8],
            cert: &CertificateDer<'_>,
            dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, Error> {
            let algorithms = &self.provider.signature_verification_algorithms;
            verify_tls13_signature(message, cert, dss, algorithms)
        }

        /// Advertises exactly the schemes the provider can verify.
        fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
            let algorithms = &self.provider.signature_verification_algorithms;
            algorithms.supported_schemes()
        }
    }
}
0.21.12
解决方案:配置 rustls::ClientConfig,通过 rustls::ClientConfig::dangerous(&mut config) 调用 set_certificate_verifier 替换默认的证书校验器。
注:dangerous 方法仅在开启了 rustls 的 dangerous_configuration feature 时才存在,需在 Cargo.toml 中配置 rustls = { version = "0.21.12", features = ["dangerous_configuration"] }
代码:
use std::sync::Arc;
/// Builds a [`rustls::ClientConfig`] whose server-certificate verifier is
/// replaced with [`NoVerify`].
///
/// `with_root_certificates(root_certs())` installs the regular verifier
/// first; `set_certificate_verifier` then overwrites it, so the root store is
/// never consulted and any certificate the peer presents is accepted. The
/// `dangerous()` accessor only exists with the `dangerous_configuration`
/// feature enabled.
pub fn rustls_config() -> rustls::ClientConfig {
    let mut config = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(root_certs())
        .with_no_client_auth();

    // Method-call form of `rustls::ClientConfig::dangerous(&mut config)`.
    config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoVerify {}));
    config
}
/// Marker type for a server-certificate verifier that accepts every
/// certificate; see its `ServerCertVerifier` impl below.
struct NoVerify {}
impl rustls::client::ServerCertVerifier for NoVerify {
    /// Returns a success assertion without looking at the chain, server
    /// name, SCTs, OCSP response or time.
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::Certificate,
        _intermediates: &[rustls::Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp: &[u8],
        _now: std::time::SystemTime,
    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
        use rustls::client::ServerCertVerified;

        // Nothing is checked; this is the value a successful verification returns.
        Ok(ServerCertVerified::assertion())
    }
}
/// Returns the root store passed to `with_root_certificates`.
///
/// Currently empty. In `rustls_config` the verifier built from this store is
/// replaced by `NoVerify` immediately afterwards, so its contents are never
/// consulted. The commented lines show how the platform's native roots could
/// be loaded instead (requires the `rustls_native_certs` crate).
fn root_certs() -> rustls::RootCertStore {
// let mut roots = rustls::RootCertStore::empty();
// let certs = rustls_native_certs::load_native_certs().expect("Certs not loadable!");
// let certs: Vec<_> = certs.into_iter().map(|cert| cert.0).collect();
// roots.add_parsable_certificates(&certs);
// roots
rustls::RootCertStore::empty()
}