net/tls: Add a way to disable certificate validation

This feature is useful when testing TLS client with a server that does not have proper certificates setup yet. The API to control this has been added to the certificate_credentials class because an instance of that class is already accepted by functions that may want to configure TLS. This way the requirement of additional set of overloads is avoided. Controlling certificate validation is not completely unrelated to what certificate_credentials already does. It effectively controls which server certificetes the client is going to accept. Calling set_enable_certificate_verification(true) effectively adds all possible certificates to the set of accepted certificates. set_priority_string() already offers a similar control on algorithm quality. Closes #2546
scylladb · Dec 4, 2024 · 9acd1ff · 9acd1ff
1 parent 6613c08
commit 9acd1ff
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/include/seastar/net/tls.hh b/include/seastar/net/tls.hh
@@ -221,6 +221,11 @@ namespace tls {
          */
         void set_dn_verification_callback(dn_callback);
 
+        /**
+         * Optional override to disable certificate verification
+         */
+        void set_enable_certificate_verification(bool enable);
+
     private:
         class impl;
         friend class session;
@@ -337,6 +342,10 @@ namespace tls {
         /// \brief server name to be used for the SNI TLS extension
         sstring server_name = {};
 
+        /// \brief whether server certificate should be verified. May be set to false
+        /// in test environments.
+        bool verify_certificate = true;
+
         /// \brief Optional session resume data. Must be retrieved via
         /// get_session_resume_data below.
         session_data session_resume_data;

diff --git a/src/net/tls.cc b/src/net/tls.cc
@@ -464,6 +464,11 @@ class tls::certificate_credentials::impl: public gnutlsobj {
     void set_dn_verification_callback(dn_callback cb) {
         _dn_callback = std::move(cb);
     }
+
+    void set_enable_certificate_verification(bool enable) {
+        _enable_certificate_verification = enable;
+    }
+
 private:
     friend class credentials_builder;
     friend class session;
@@ -488,6 +493,7 @@ class tls::certificate_credentials::impl: public gnutlsobj {
     bool _load_system_trust = false;
     semaphore _system_trust_sem {1};
     dn_callback _dn_callback;
+    bool _enable_certificate_verification = true;
     gnutls_datum _session_resume_key;
 };
 
@@ -566,6 +572,10 @@ void tls::certificate_credentials::set_dn_verification_callback(dn_callback cb)
     _impl->set_dn_verification_callback(std::move(cb));
 }
 
+void tls::certificate_credentials::set_enable_certificate_verification(bool enable) {
+    _impl->set_enable_certificate_verification(enable);
+}
+
 tls::server_credentials::server_credentials()
 #if GNUTLS_VERSION_NUMBER < 0x030600
     : server_credentials(dh_params{})
@@ -1288,6 +1298,10 @@ class session : public enable_lw_shared_from_this<session> {
     }
 
     void verify() {
+        if (!_creds->_enable_certificate_verification) {
+            return;
+        }
+
         unsigned int status;
         auto res = gnutls_certificate_verify_peers3(*this, _type != type::CLIENT || _options.server_name.empty()
                         ? nullptr : _options.server_name.c_str(), &status);