TLS sockets without certificate validation


Greetings all.

I’m building a private project at the moment for $EMPLOYER, and it contains a number of components. One of the components is a client application that will be connecting to a server via a typical TCP socket that’s TLS-wrapped. The certificate that I’m using here is just a self-generated certificate.

I’m currently working through a few examples of using sockets with TLS support to connect to this endpoint. I’ve tried using native-tls, tokio and straight openssl, but I’m bumping into the same problem in every case, and that is that I can’t turn off certificate validation.

When it comes to a production scenario, certificate validation is something that I will definitely be interested in. However, for the sake of development, I’m wondering is there a way to disable certificate validation at all for TLS wrapped sockets in Rust?

If the answer is “no”, then that’s cool. I’ll go through the pain of handling that situation.

I appreciate the help. Cheers!



This is For now, you can just add the self-signed certificate to your trust store using TlsConnectorBuilder::add_root_certificate. You can turn off hostname validation with TlsConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication.

Using straight OpenSSL, it’s definitely possible to turn off certificate validation. I don’t exactly remember how, though.


Thank you for responding. I had seen that issue on the repo, and saw that it had gone a little quiet. Was kind of hoping the option to do it via openssl would be easy. Seems I fail at finding the appropriate documentation!

Unless someone else here knows the trick, I’ll probably just deal with the cert store locally.

Cheers for the help!


It’s also possible to do it through native-tls if one uses a backend-specific connector builder:

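extern crate native_tls;
extern crate openssl;

use native_tls::TlsConnector;
use native_tls::backend::openssl::TlsConnectorBuilderExt;
use openssl::ssl::SSL_VERIFY_NONE;

// Builds a connector that skips certificate verification (development only).
// Assumes the native-tls 0.1 / openssl 0.9 APIs that match the imports above.
fn insecure_connector() -> Result<TlsConnector, native_tls::Error> {
    let mut builder = TlsConnector::builder()?;
    // The extension trait exposes the SslConnectorBuilder, which exposes the SslContextBuilder.
    builder.builder_mut().builder_mut().set_verify(SSL_VERIFY_NONE);
    let connector = builder.build()?;
    Ok(connector)
}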

The connection must be opened with the danger_connect...() method for SSL_VERIFY_NONE to have effect.

This has to be hidden behind some kind of #[cfg(...)] if you’re writing cross-platform code, since there’s no equivalent functionality for non-OpenSSL backends I’m aware of.
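Added example, not code from any poster in this thread: one way to arrange the #[cfg(...)] gating mentioned above so that the no-verification path is reachable only in debug builds on targets where native-tls uses OpenSSL, and is refused everywhere else. All type and function names and the APP_TLS_INSECURE variable are hypothetical; the target list assumes native-tls selects OpenSSL on every target except Windows, macOS and iOS.

```rust
// Added example. All names here are hypothetical, including APP_TLS_INSECURE.
// Assumption: native-tls uses OpenSSL on every target except Windows, macOS and iOS.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VerifyMode {
    /// Self-signed cert added as a trusted root; chain and hostname checks stay on.
    PinnedRoot,
    /// SSL_VERIFY_NONE. Any server certificate is accepted.
    NoVerify,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Refused {
    ReleaseBuild,
    NonOpensslBackend,
}

/// Pure decision table, kept separate from cfg so every combination is testable.
pub fn decide(want_insecure: bool, debug_build: bool, openssl_backend: bool) -> Result<VerifyMode, Refused> {
    match (want_insecure, debug_build, openssl_backend) {
        (false, _, _) => Ok(VerifyMode::PinnedRoot),
        (true, false, _) => Err(Refused::ReleaseBuild),
        (true, true, false) => Err(Refused::NonOpensslBackend),
        (true, true, true) => Ok(VerifyMode::NoVerify),
    }
}

// Exactly one of these two definitions is compiled. The OpenSSL-specific
// set_verify call would sit behind the same cfg as the first one.
#[cfg(not(any(target_os = "windows", target_os = "macos", target_os = "ios")))]
fn openssl_backend() -> bool { true }
#[cfg(any(target_os = "windows", target_os = "macos", target_os = "ios"))]
fn openssl_backend() -> bool { false }

/// Decision for the binary being built; release builds can never return NoVerify.
pub fn decide_for_this_build(want_insecure: bool) -> Result<VerifyMode, Refused> {
    decide(want_insecure, cfg!(debug_assertions), openssl_backend())
}

fn main() {
    let want = std::env::var("APP_TLS_INSECURE").map(|v| v == "1").unwrap_or(false);
    match decide_for_this_build(want) {
        Ok(mode) => println!("TLS verification mode: {:?}", mode),
        Err(why) => {
            eprintln!("refusing to disable certificate verification: {:?}", why);
            std::process::exit(2);
        }
    }
}
```

The default branch is the add_root_certificate approach from the first reply, so a build that cannot or must not skip verification still has a working path.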


Great, thanks very much for taking the time to respond.