
Support for disabling client-side certificate verification in aws-config #1175

Open
2 tasks
ysaito1001 opened this issue Jul 26, 2024 · 0 comments
Labels
feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

@ysaito1001 (Collaborator)

Describe the feature

During tests, it can be useful to disable certificate verification on the client side.

Use Case

There is a workaround today by configuring an HTTP connector like so:

/*
  In Cargo.toml, have these dependencies somewhere
rustls = { version = "0.21.8", features = ["dangerous_configuration"] }
hyper-rustls = "0.24"
*/
// Imports the snippet relies on; `HyperClientBuilder` comes from aws-smithy-runtime
// (with its `connector-hyper-0-14-x` feature enabled).
use std::sync::Arc;

use aws_smithy_runtime::client::http::hyper_014::HyperClientBuilder;
use rustls::ClientConfig;

// A verifier that accepts every server certificate without inspecting it.
struct NoCertificateVerification {}
impl rustls::client::ServerCertVerifier for NoCertificateVerification {
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::Certificate,
        _intermediates: &[rustls::Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp: &[u8],
        _now: std::time::SystemTime,
    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::ServerCertVerified::assertion())
    }
}

fn get_rustls_config_dangerous() -> ClientConfig {
    // Empty root store: the custom verifier below decides, not the roots.
    let store = rustls::RootCertStore::empty();

    let mut config = ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(store)
        .with_no_client_auth();

    // this disables cert-verification
    let mut dangerous_config = ClientConfig::dangerous(&mut config);
    dangerous_config.set_certificate_verifier(Arc::new(NoCertificateVerification {}));

    config
}
 
#[tokio::main]
async fn foo() {
    let conn = hyper_rustls::HttpsConnectorBuilder::new()
        .with_tls_config(get_rustls_config_dangerous())
        .https_only()
        .enable_http1()
        .build();
 
    let http_client = HyperClientBuilder::new().build(conn);
 
    let shared_config = aws_config::from_env()
        .region(/* service region */)
        .endpoint_url(/* service endpoint */)
        .http_client(http_client)
        .load()
        .await;
    
    // construct a service client e.g.
    // let client = aws_sdk_s3::Client::new(&shared_config);
    //
    // and call some operation on `client`
    // ...
}

But having a method that works out of the box would be more ergonomic.

Proposed Solution

This will be an opt-in feature and the method can be called as follows (using the above snippet):

// No boilerplate like above

#[tokio::main]
async fn foo() {
    let shared_config = aws_config::from_env()
        .region(/* service region */)
        .endpoint_url(/* service endpoint */)
        .no_certificate_validation(..)
        .load()
        .await;

    // ...
}

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

A note for the community

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue, please leave a comment
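Added example (not code from the issue, aws-config or rustls): rather than a verifier that accepts anything, a test fixture can trust exactly the one self-signed certificate its local mock endpoint serves, so a misrouted test cannot silently talk to some other host. `PinnedTestCert`, the `rustls-0-21` cargo feature name and the sample DER bytes are assumptions.

```rust
/// Returned when the presented certificate or host name is not the pinned one.
#[derive(Debug, PartialEq, Eq)]
pub struct PinMismatch;

/// Test-only verifier trusting exactly one certificate (by DER bytes) for one host.
/// Hypothetical fixture helper; not part of aws-config or rustls.
pub struct PinnedTestCert { pinned_der: Vec<u8>, host: String }

impl PinnedTestCert {
    pub fn new(pinned_der: &[u8], host: &str) -> Self {
        Self { pinned_der: pinned_der.to_vec(), host: host.to_string() }
    }

    /// Constant-time equality: always scans to the end, whatever byte differs first.
    fn same(a: &[u8], b: &[u8]) -> bool {
        a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
    }

    /// Accept only the pinned leaf presented for the pinned host; nothing else is trusted.
    pub fn check(&self, end_entity_der: &[u8], server_name: &str) -> Result<(), PinMismatch> {
        let ok = Self::same(end_entity_der, &self.pinned_der)
            && server_name.eq_ignore_ascii_case(&self.host);
        if ok { Ok(()) } else { Err(PinMismatch) }
    }
}

// rustls 0.21 adapter (needs its `dangerous_configuration` feature), behind an assumed
// cargo feature so the core check builds without the crate. Install it with
// `ClientConfig::dangerous(&mut config).set_certificate_verifier(Arc::new(pin))`.
#[cfg(feature = "rustls-0-21")]
impl rustls::client::ServerCertVerifier for PinnedTestCert {
    fn verify_server_cert(
        &self,
        end_entity: &rustls::Certificate,
        _intermediates: &[rustls::Certificate],
        server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp: &[u8],
        _now: std::time::SystemTime,
    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
        let name: &str = match server_name {
            rustls::ServerName::DnsName(dns) => dns.as_ref(),
            _ => return Err(rustls::Error::General("pinned fixture expects a DNS name".into())),
        };
        self.check(&end_entity.0, name)
            .map(|_| rustls::client::ServerCertVerified::assertion())
            .map_err(|_| rustls::Error::General("not the pinned test certificate".into()))
    }
}
```

The pinned DER should be the exact certificate file the mock endpoint is started with, read at test setup; any other certificate, including a re-generated one, is rejected.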
@ysaito1001 ysaito1001 added the feature-request A feature should be added or improved. label Jul 26, 2024
@Velfi Velfi changed the title Support for disabling client side verification in aws-config Support for disabling client-side certificate verification in aws-config Jul 30, 2024
@jmklix jmklix added the p2 This is a standard priority issue label Aug 2, 2024