
//! Utilities for creating HTTPS clients that accept invalid certificates.
//!
//! # Security Warning
//!
//! These utilities completely disable certificate validation, making connections
//! vulnerable to man-in-the-middle attacks. Only use in development/testing environments.

8#[cfg(all(feature = "tls", not(feature = "native-tls")))]
9use rustls::ClientConfig;
11#[cfg(feature = "native-tls")]
12use native_tls::TlsConnector;
/// Builds a rustls [`ClientConfig`] whose server-certificate verifier accepts
/// any certificate the peer presents.
///
/// # Security Warning
///
/// The installed verifier reports success without inspecting anything it is
/// handed, so every check a normal client performs is skipped:
/// - chain validation against a trust store (self-signed and untrusted-CA
///   certificates pass)
/// - validity-period checks (`now` is ignored, so expired certificates pass)
/// - hostname matching (`server_name` is ignored)
/// - OCSP stapling (`ocsp_response` is ignored)
/// - TLS 1.2 and TLS 1.3 handshake-signature verification
///
/// Because the handshake signature is never checked, the peer does not even
/// need to hold the private key for the certificate it presents. Use only for
/// development or testing against endpoints you control.
///
/// The returned config performs no client authentication.
#[cfg(all(feature = "tls", not(feature = "native-tls")))]
pub fn create_dangerous_rustls_config() -> ClientConfig {
    use std::sync::Arc;

    use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
    use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
    use rustls::{DigitallySignedStruct, SignatureScheme};

    /// Verifier that unconditionally answers "valid" to every check.
    #[derive(Debug)]
    struct AcceptAnyCertificate;

    impl ServerCertVerifier for AcceptAnyCertificate {
        fn verify_server_cert(
            &self,
            _end_entity: &CertificateDer<'_>,
            _intermediates: &[CertificateDer<'_>],
            _server_name: &ServerName,
            _ocsp_response: &[u8],
            _now: UnixTime,
        ) -> Result<ServerCertVerified, rustls::Error> {
            // Chain, name, OCSP staple and time are all left unexamined.
            Ok(ServerCertVerified::assertion())
        }

        fn verify_tls12_signature(
            &self,
            _message: &[u8],
            _cert: &CertificateDer<'_>,
            _dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, rustls::Error> {
            // The signature is not checked against the certificate's key.
            Ok(HandshakeSignatureValid::assertion())
        }

        fn verify_tls13_signature(
            &self,
            _message: &[u8],
            _cert: &CertificateDer<'_>,
            _dss: &DigitallySignedStruct,
        ) -> Result<HandshakeSignatureValid, rustls::Error> {
            // Same as TLS 1.2: accepted without verification.
            Ok(HandshakeSignatureValid::assertion())
        }

        fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
            // Fixed, hand-maintained list advertised to the peer; note that it
            // includes the SHA-1 legacy schemes. Since no signature is ever
            // verified above, this list presumably only shapes what the server
            // offers, not whether the handshake is accepted.
            use rustls::SignatureScheme::*;
            vec![
                RSA_PKCS1_SHA256,
                RSA_PKCS1_SHA384,
                RSA_PKCS1_SHA512,
                ECDSA_NISTP256_SHA256,
                ECDSA_NISTP384_SHA384,
                ECDSA_NISTP521_SHA512,
                RSA_PSS_SHA256,
                RSA_PSS_SHA384,
                RSA_PSS_SHA512,
                ED25519,
                RSA_PKCS1_SHA1,
                ECDSA_SHA1_Legacy,
            ]
        }
    }

    let verifier = Arc::new(AcceptAnyCertificate);
    ClientConfig::builder()
        .dangerous()
        .with_custom_certificate_verifier(verifier)
        .with_no_client_auth()
}
/// Builds a native-tls [`TlsConnector`] that accepts any certificate.
///
/// # Security Warning
///
/// Both `danger_accept_invalid_certs` and `danger_accept_invalid_hostnames`
/// are enabled, so chain validation and hostname matching are skipped. Only
/// use for development or testing!
///
/// # Errors
///
/// Propagates any error returned by the builder's `build()`.
#[cfg(feature = "native-tls")]
pub fn create_dangerous_native_tls_connector() -> Result<TlsConnector, native_tls::Error> {
    let mut connector = TlsConnector::builder();
    connector
        .danger_accept_invalid_certs(true)
        .danger_accept_invalid_hostnames(true);
    connector.build()
}