From b5bc53bb2ddd9e6111c66a92a98229eaf647ebf0 Mon Sep 17 00:00:00 2001 From: Kierre Date: Thu, 21 Aug 2025 17:43:56 -0400 Subject: [PATCH] Add configuration option to allow invalid TLS certificates --- book/changelog.md | 2 ++ src/config.rs | 2 ++ src/service/globals.rs | 14 ++++++++++++++ 3 files changed, 18 insertions(+) diff --git a/book/changelog.md b/book/changelog.md index 40a8abea..9614862f 100644 --- a/book/changelog.md +++ b/book/changelog.md @@ -336,3 +336,5 @@ This will be the first release of Grapevine since it was forked from Conduit ([!189](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/189)) 28. Added the ability to listen on Unix sockets ([!187](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/187)) +29. Added the ability to allow invalid TLS certificates + ([!203](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/203)) diff --git a/src/config.rs b/src/config.rs index 5924d232..a485d4d3 100644 --- a/src/config.rs +++ b/src/config.rs @@ -439,6 +439,7 @@ pub(crate) struct ObservabilityConfig { #[serde(default)] pub(crate) struct FederationConfig { pub(crate) enable: bool, + pub(crate) allow_invalid_tls_certificates: bool, pub(crate) self_test: bool, pub(crate) trusted_servers: Vec, pub(crate) max_fetch_prev_events: u16, @@ -456,6 +457,7 @@ impl Default for FederationConfig { ], max_fetch_prev_events: 100, max_concurrent_requests: 100, + allow_invalid_tls_certificates: false, old_verify_keys: BTreeMap::new(), } } diff --git a/src/service/globals.rs b/src/service/globals.rs index 76817fcf..c0dff71e 100644 --- a/src/service/globals.rs +++ b/src/service/globals.rs @@ -215,6 +215,9 @@ impl Resolve for FederationResolver { impl Service { #[tracing::instrument(skip_all)] + // there are a lot of fields to initialize, not easy to break up but logic + // is fairly linear + #[allow(clippy::too_many_lines)] pub(crate) fn new( db: &'static dyn Data, config: Config, 
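Review bot: The new `allow_invalid_tls_certificates` field in the `FederationConfig` hunk has no doc comment, even though it is a field that switches off a security control; a one-line comment such as `/// Accept invalid or untrusted TLS certificates on outbound reqwest clients built from this config (maps to reqwest's danger_accept_invalid_certs); for local testing only.` would make the risk visible to anyone editing the struct. As a style point, the field is inserted directly after `enable` in the struct but appended after `max_concurrent_requests` in the `Default` impl hunk; keeping both in the same order makes the defaults easier to audit against the struct. `FederationConfig` and its `Default` impl both continue outside their hunks.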
@@ -258,6 +261,14 @@ impl Service { let default_client = reqwest_client_builder(&config)? .dns_resolver(default_resolver) .build()?; + + if config.federation.allow_invalid_tls_certificates { + warn!( + "TLS certificate validation is disabled, this is insecure and \ + should not be used in production" + ); + } + let federation_client = reqwest_client_builder(&config)? .dns_resolver(federation_resolver) .build()?; @@ -647,6 +658,9 @@ fn reqwest_client_builder(config: &Config) -> Result { .pool_max_idle_per_host(0) .connect_timeout(Duration::from_secs(30)) .timeout(Duration::from_secs(60 * 3)) + .danger_accept_invalid_certs( + config.federation.allow_invalid_tls_certificates, + ) .user_agent(format!("{}/{}", env!("CARGO_PKG_NAME"), crate::version())); if let Some(proxy) = config.proxy.to_proxy()? {
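Review bot: `.danger_accept_invalid_certs(config.federation.allow_invalid_tls_certificates)` in the `reqwest_client_builder` hunk applies to every client built through that helper, yet the hunk at `@@ -258` shows both `default_client` and `federation_client` being built from it, so an option namespaced under `federation` also disables certificate verification for the non-federation client (and, presumably, for any other caller of the helper not visible here). Consider leaving the builder unchanged and applying the flag only on the federation chain, i.e. after `.dns_resolver(federation_resolver)` add `.danger_accept_invalid_certs(config.federation.allow_invalid_tls_certificates)` before `.build()?`, or give the helper an explicit parameter so each call site opts in. The `warn!` text could then also name which client is affected. `Service::new` and `reqwest_client_builder` both continue outside their hunks.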