Implement "default" functions of the trait to fix "insecure" mode (#1259

) Ignoring validation seems broken as some default functions actually do check. That is fine for the proper TLS validation, but gets in the way when someone wants to skip TLS validation (e.g. for self-signed certificates). This change re-implements these default functions in a way that they do not check, but return "success" all the time. Fixes #1210
seanmonstar · Apr 29, 2021 · b0af278 · b0af278
1 parent 8d3e279
commit b0af278
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/src/tls.rs b/src/tls.rs
@@ -1,5 +1,8 @@
 #[cfg(feature = "__rustls")]
-use rustls::{RootCertStore, ServerCertVerified, ServerCertVerifier, TLSError};
+use rustls::{
+    internal::msgs::handshake::DigitallySignedStruct, HandshakeSignatureValid, RootCertStore,
+    ServerCertVerified, ServerCertVerifier, TLSError,
+};
 use std::fmt;
 #[cfg(feature = "__rustls")]
 use tokio_rustls::webpki::DNSNameRef;
@@ -323,6 +326,24 @@ impl ServerCertVerifier for NoVerifier {
     ) -> Result<ServerCertVerified, TLSError> {
         Ok(ServerCertVerified::assertion())
     }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::Certificate,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, TLSError> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::Certificate,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, TLSError> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
 }
 
 #[cfg(test)]