diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index c5189c9e..f838edf4 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -61,6 +61,7 @@ impl SslConnectorBuilder { try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\ DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\ RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); + ctx.set_verify(SSL_VERIFY_PEER); Ok(SslConnectorBuilder(ctx)) } @@ -103,6 +104,22 @@ impl SslConnector { ssl.connect(stream) } + + /// Initiates a client-side TLS session on a stream without performing hostname verification. + /// + /// The verification configuration of the connector's `SslContext` is not overridden. + /// + /// # Warning + /// + /// You should think very carefully before you use this method. If hostname verification is not + /// used, *any* valid certificate for *any* site will be trusted for use from any other. This + /// introduces a significant vulnerability to man-in-the-middle attacks. + pub fn connect_without_providing_domain_for_certificate_verification_and_server_name_indication( + &self, stream: S) -> Result, HandshakeError> + where S: Read + Write + { + try!(Ssl::new(&self.0)).connect(stream) + } } /// A builder for `SslAcceptor`s. diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index 3cc3a28c..855903c9 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -17,10 +17,8 @@ use tempdir::TempDir; use dh::Dh; use hash::MessageDigest; use ssl; -use ssl::SSL_VERIFY_PEER; -use ssl::{SslMethod, HandshakeError}; -use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder, - Error}; +use ssl::{SslMethod, HandshakeError, SslContext, SslStream, Ssl, ShutdownResult, + SslConnectorBuilder, SslAcceptorBuilder, Error, SSL_VERIFY_PEER, SSL_VERIFY_NONE}; use x509::{X509StoreContext, X509, X509Name, X509_FILETYPE_PEM}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; @@ -1090,6 +1088,36 @@ fn connector_invalid_hostname() { assert!(connector.connect("foobar.com", s).is_err()); } +#[test] +fn connector_invalid_no_hostname_verification() { + let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); + + let s = TcpStream::connect("google.com:443").unwrap(); + connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(s) + .unwrap(); +} + +#[test] +fn connector_no_hostname_still_verifies() { + let (_s, tcp) = Server::new(); + + let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); + + assert!(connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp) + .is_err()); +} + +#[test] +fn connector_no_hostname_can_disable_verify() { + let (_s, tcp) = Server::new(); + + let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); + connector.builder_mut().set_verify(SSL_VERIFY_NONE); + let connector = connector.build(); + + connector.connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp).unwrap(); +} + #[test] fn connector_client_server_mozilla_intermediate() { let listener = TcpListener::bind("127.0.0.1:0").unwrap();