TLS sockets without certificate validation


#1

Greetings all.

I’m building a private project at the moment for $EMPLOYER, and it contains a number of components. One of the components is a client application that will be connecting to a server via a typical TCP socket that’s TLS-wrapped. The certificate that I’m using here is just a self-generated certificate.

I’m currently working through a few examples of using sockets with TLS support to connect to this endpoint. I’ve tried using native-tls, tokio and straight openssl, but I’m bumping into the same problem in every case, and that is that I can’t turn off certificate validation.

When it comes to a production scenario, certificate validation is something that I will definitely be interested in. However, for the sake of development, I’m wondering whether there is a way to disable certificate validation at all for TLS-wrapped sockets in Rust?

If the answer is “no”, then that’s cool. I’ll go through the pain of handling that situation.

I appreciate the help. Cheers!

OJ


#2

This is https://github.com/sfackler/rust-native-tls/issues/13. For now, you can just add the self-signed certificate to your trust store using TlsConnectorBuilder::add_root_certificate. You can turn off hostname validation with TlsConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication.

Using straight OpenSSL, it’s definitely possible to turn off certificate validation. I don’t exactly remember how, though.


#3

Thank you for responding. I had seen that issue on the repo, and saw that it had gone a little quiet. Was kind of hoping the option to do it via openssl would be easy. Seems I fail at finding the appropriate documentation!

Unless someone else here knows the trick, I’ll probably just deal with the cert store locally.

Cheers for the help!


#4

It’s also possible to do it through native-tls if one uses a backend-specific connector builder:

extern crate native_tls;
extern crate openssl;

use native_tls::TlsConnector;
use native_tls::backend::openssl::TlsConnectorBuilderExt;
use openssl::ssl::SSL_VERIFY_NONE;

...
let mut builder = TlsConnector::builder()?;
builder.builder_mut().builder_mut().set_verify(SSL_VERIFY_NONE);
let connector = builder.build()?;
...

The connection must be opened with the danger_connect...() method for SSL_VERIFY_NONE to have effect.

This has to be hidden behind some kind of #[cfg(...)] if you’re writing cross-platform code, since there’s no equivalent functionality for non-OpenSSL backends I’m aware of.


#5

Great, thanks very much for taking the time to respond.