magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

implement disable TLS validation config option

Browse source 
Signed-off-by: June Clementine Strawberry <june@3.dog>
This commit is contained in:
June Clementine Strawberry 2025-03-09 21:55:07 -04:00
parent 0e342aab7f
commit 0e2ca7d719
No known key found for this signature in database
4 changed files with 19 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nix/pkgs/complement/config.toml
View file

@ -32,6 +32,8 @@ allow_legacy_media = true
startup_netburst = true startup_netburst = true
startup_netburst_keep = -1 startup_netburst_keep = -1
allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure = true
# valgrind makes things so slow # valgrind makes things so slow
dns_timeout = 60 dns_timeout = 60
dns_attempts = 20 dns_attempts = 20

4
src/core/config/check.rs
View file

@ -28,6 +28,10 @@ pub fn check(config: &Config) -> Result {
warn!("Note: conduwuit was built without optimisations (i.e. debug build)"); warn!("Note: conduwuit was built without optimisations (i.e. debug build)");
} }
if config.allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure {
warn!("\n\nWARNING: \n\nTLS CERTIFICATE VALIDATION IS DISABLED, THIS IS HIGHLY INSECURE AND SHOULD NOT BE USED IN PRODUCTION.\n\n");
}
warn_deprecated(config); warn_deprecated(config);
warn_unknown_key(config); warn_unknown_key(config);

12
src/core/config/mod.rs
View file

@ -52,7 +52,7 @@ use crate::{Result, err, error::Error, utils::sys};
### For more information, see: ### For more information, see:
### https://conduwuit.puppyirl.gay/configuration.html ### https://conduwuit.puppyirl.gay/configuration.html
"#, "#,
ignore = "catchall well_known tls blurhashing" ignore = "catchall well_known tls blurhashing allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure"
)] )]
pub struct Config { pub struct Config {
/// The server_name is the pretty name of this server. It is used as a /// The server_name is the pretty name of this server. It is used as a
@ -1806,6 +1806,16 @@ pub struct Config {
#[serde(default = "true_fn")] #[serde(default = "true_fn")]
pub config_reload_signal: bool, pub config_reload_signal: bool,
/// Toggles ignore checking/validating TLS certificates
///
/// This applies to everything, including URL previews, federation requests,
/// etc. This is a hidden argument that should NOT be used in production as
/// it is highly insecure and I will personally yell at you if I catch you
/// using this.
#[serde(default)]
pub allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure:
bool,
// external structure; separate section // external structure; separate section
#[serde(default)] #[serde(default)]
pub blurhashing: BlurhashConfig, pub blurhashing: BlurhashConfig,

3
src/service/client/mod.rs
View file

@ -128,7 +128,8 @@ fn base(config: &Config) -> Result<reqwest::ClientBuilder> {
.pool_max_idle_per_host(config.request_idle_per_host.into()) .pool_max_idle_per_host(config.request_idle_per_host.into())
.user_agent(conduwuit::version::user_agent()) .user_agent(conduwuit::version::user_agent())
.redirect(redirect::Policy::limited(6)) .redirect(redirect::Policy::limited(6))
.connection_verbose(true); .danger_accept_invalid_certs(config.allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure)
.connection_verbose(cfg!(debug_assertions));
#[cfg(feature = "gzip_compression")] #[cfg(feature = "gzip_compression")]
{ {