rustls 忽略证书校验

0.23.6

解决方案:配置 rustls::ClientConfig,通过 set_certificate_verifier 替换默认的证书校验器

代码:(参考自官方 Example)

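use rustls::crypto::CryptoProvider;
use std::sync::Arc;

/// Builds a `rustls::ClientConfig` (rustls 0.23) whose server-certificate check always passes.
///
/// The root store is left empty and the default verifier is replaced with
/// [`danger::NoCertificateVerification`], so the peer's certificate chain is never
/// validated against a trust anchor and the server name is never checked. A client
/// using this config cannot detect an active attacker on the path; it is only suitable
/// for testing against endpoints you control. Handshake signatures are still verified
/// against whatever certificate the peer presents (see the `danger` module).
///
/// # Panics
///
/// Panics if no process-default [`CryptoProvider`] is installed when it is read.
pub fn rustls_config() -> rustls::ClientConfig {
    let mut config = rustls::ClientConfig::builder()
        .with_root_certificates(rustls::RootCertStore::empty())
        .with_no_client_auth();

    // `ClientConfig::builder()` above is built on the process-default provider, so a
    // default is expected to exist by this point; state that invariant instead of a
    // bare `unwrap()`.
    let provider = CryptoProvider::get_default()
        .expect("a default CryptoProvider must be installed before rustls_config() runs");

    config
        .dangerous()
        .set_certificate_verifier(Arc::new(danger::NoCertificateVerification::new(
            Arc::clone(provider),
        )));
    config
}

/// Verifier that skips certificate-chain and server-name validation.
mod danger {
    use rustls::client::danger::HandshakeSignatureValid;
    use rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider};
    use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
    use rustls::DigitallySignedStruct;
    use std::sync::Arc;

    /// A `ServerCertVerifier` that accepts every certificate chain and server name.
    ///
    /// The wrapped [`CryptoProvider`] is used only to verify the TLS 1.2 / 1.3 handshake
    /// signatures against the certificate the peer sent and to report the supported
    /// signature schemes. It plays no part in deciding whether that certificate is
    /// trusted — nothing does.
    #[derive(Debug)]
    pub struct NoCertificateVerification(Arc<CryptoProvider>);

    impl NoCertificateVerification {
        /// Wraps `provider`, whose `signature_verification_algorithms` back the
        /// `verify_tls12_signature` / `verify_tls13_signature` checks below.
        pub fn new(provider: Arc<CryptoProvider>) -> Self {
            Self(provider)
        }
    }

    impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
        /// Returns success unconditionally: end-entity certificate, intermediates,
        /// server name, OCSP response and current time are all ignored.
        fn verify_server_cert(
            &self,
            _end_entity: &CertificateDer<'_>,
            _intermediates: &[CertificateDer<'_>],
            _server_name: &ServerName<'_>,
            _ocsp: &[u8],
            _now: UnixTime,
        ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
            Ok(rustls::client::danger::ServerCertVerified::assertion())
        }

        /// Verifies the TLS 1.2 handshake signature with the provider's algorithms.
        /// This proves the peer holds the key of the certificate it presented, not
        /// that the certificate is trustworthy.
        fn verify_tls12_signature(
            &self,
            message: &[u8],
            cert: &CertificateDer<'_>,
            dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, rustls::Error> {
            verify_tls12_signature(
                message,
                cert,
                dss,
                &self.0.signature_verification_algorithms,
            )
        }

        /// TLS 1.3 counterpart of [`Self::verify_tls12_signature`].
        fn verify_tls13_signature(
            &self,
            message: &[u8],
            cert: &CertificateDer<'_>,
            dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, rustls::Error> {
            verify_tls13_signature(
                message,
                cert,
                dss,
                &self.0.signature_verification_algorithms,
            )
        }

        /// Signature schemes the provider can verify; advertised to the peer.
        fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
            self.0.signature_verification_algorithms.supported_schemes()
        }
    }
}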

0.21.12

解决方案:配置 rustls::ClientConfig,通过 set_certificate_verifier 替换默认的证书校验器

注:dangerous 方法仅在启用 rustls 的 dangerous_configuration feature 时才存在,需在 Cargo.toml 中配置:rustls = { version = "0.21.12", features = ["dangerous_configuration"] }

代码:

use std::sync::Arc;

/// Builds a `rustls::ClientConfig` (rustls 0.21) that accepts any server certificate.
///
/// `dangerous()` is only available with the `dangerous_configuration` crate feature.
/// The installed [`NoVerify`] verifier reports success without inspecting the chain,
/// server name, SCTs, OCSP data or time, so the connection provides no server
/// authentication and an attacker on the path goes unnoticed; use only against
/// test endpoints you control.
pub fn rustls_config() -> rustls::ClientConfig {
    let mut client_config = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(root_certs())
        .with_no_client_auth();

    // Method-call form of `rustls::ClientConfig::dangerous(&mut config)`; the
    // returned handle borrows `client_config` only for this statement.
    client_config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoVerify {}));

    client_config
}

/// Marker verifier that approves every server certificate unconditionally.
struct NoVerify {}

impl rustls::client::ServerCertVerifier for NoVerify {
    /// Always returns a `ServerCertVerified` assertion; every argument is ignored.
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::Certificate,
        _intermediates: &[rustls::Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp: &[u8],
        _now: std::time::SystemTime,
    ) -> std::result::Result<rustls::client::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::ServerCertVerified::assertion())
    }
}

/// Root store handed to the builder.
///
/// Returns an empty store; with `NoVerify` installed the roots are never consulted.
fn root_certs() -> rustls::RootCertStore {
    // To trust the platform CA bundle instead (needs the `rustls_native_certs` crate):
    // let mut roots = rustls::RootCertStore::empty();
    // let certs = rustls_native_certs::load_native_certs().expect("Certs not loadable!");
    // let certs: Vec<_> = certs.into_iter().map(|cert| cert.0).collect();
    // roots.add_parsable_certificates(&certs);
    // roots
    rustls::RootCertStore::empty()
}