implement disable TLS validation config option

Signed-off-by: June Clementine Strawberry <june@3.dog>
This commit is contained in:
June Clementine Strawberry 2025-03-09 21:55:07 -04:00
parent 0e342aab7f
commit 0e2ca7d719
No known key found for this signature in database
4 changed files with 19 additions and 2 deletions

View file

@ -32,6 +32,8 @@ allow_legacy_media = true
startup_netburst = true
startup_netburst_keep = -1
allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure = true
# valgrind makes things so slow
dns_timeout = 60
dns_attempts = 20

View file

@ -28,6 +28,10 @@ pub fn check(config: &Config) -> Result {
warn!("Note: conduwuit was built without optimisations (i.e. debug build)");
}
if config.allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure {
warn!("\n\nWARNING: \n\nTLS CERTIFICATE VALIDATION IS DISABLED, THIS IS HIGHLY INSECURE AND SHOULD NOT BE USED IN PRODUCTION.\n\n");
}
warn_deprecated(config);
warn_unknown_key(config);

View file

@ -52,7 +52,7 @@ use crate::{Result, err, error::Error, utils::sys};
### For more information, see:
### https://conduwuit.puppyirl.gay/configuration.html
"#,
ignore = "catchall well_known tls blurhashing"
ignore = "catchall well_known tls blurhashing allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure"
)]
pub struct Config {
/// The server_name is the pretty name of this server. It is used as a
@ -1806,6 +1806,16 @@ pub struct Config {
#[serde(default = "true_fn")]
pub config_reload_signal: bool,
/// Toggles ignore checking/validating TLS certificates
///
/// This applies to everything, including URL previews, federation requests,
/// etc. This is a hidden argument that should NOT be used in production as
/// it is highly insecure and I will personally yell at you if I catch you
/// using this.
#[serde(default)]
pub allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure:
bool,
// external structure; separate section
#[serde(default)]
pub blurhashing: BlurhashConfig,

View file

@ -128,7 +128,8 @@ fn base(config: &Config) -> Result<reqwest::ClientBuilder> {
.pool_max_idle_per_host(config.request_idle_per_host.into())
.user_agent(conduwuit::version::user_agent())
.redirect(redirect::Policy::limited(6))
.connection_verbose(true);
.danger_accept_invalid_certs(config.allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure)
.connection_verbose(cfg!(debug_assertions));
#[cfg(feature = "gzip_compression")]
{