Impossible to configure custom TLS validation #887

Closed
jethrogb opened this issue Aug 11, 2016 · 9 comments

@jethrogb
Contributor

jethrogb commented Aug 11, 2016

Regardless of what was previously configured in SslContext, this line simply overrides any verification settings.

@seanmonstar
Member

True. Does SslContext have a way of setting that? I imagine it didn't, and so the verify option was set on the Ssl instead. If it does, that line could be moved to the Default implementation.

@jethrogb
Contributor Author

SslContext has the same functions for verification as Ssl.

@seanmonstar
Member

I just looked again, and clearly that isn't possible, because the hostname must be passed to the verify callback. Is there a different verification you'd hope to do, or just hoping to disable it?

@jethrogb
Contributor Author

I want to pin to a specific certificate and don't care about hostname verification.

@seanmonstar
Member

To unblock your use-case, you can impl SslClient for PinnedCert to do exactly as you like, and then use Client::with_connector(HttpsConnector::new(PinnedCert))

I feel the SSL/TLS design needs a bit of help in general.

@jethrogb
Contributor Author

Yup, did that. :)

You could do

pub struct OpensslClient {
    ctx: SslContext,
    default_verify: bool,
}

@tatref

tatref commented Sep 20, 2016

I would like to connect to a fake certificate (the certificate does not match the domain), which is currently impossible.

It would be really great if we could connect to an invalid domain / expired certificate / unknown issuer...

Can I just impl SslClient to make this work?

@seanmonstar
Member

Yes, you can implement SslClient however you'd like.

@seanmonstar
Member

With the release of 0.10, hyper no longer bundles a default SslClient, and instead proposes use of pluggable crates to provide it. So I'm going to close this.
