Add configuration option to allow invalid TLS certificates

This commit is contained in:
Kierre 2025-08-21 17:43:56 -04:00
parent d8ec961589
commit b5bc53bb2d
No known key found for this signature in database
GPG key ID: 1C50B6A26C5B1C6E
3 changed files with 18 additions and 0 deletions


@ -336,3 +336,5 @@ This will be the first release of Grapevine since it was forked from Conduit
([!189](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/189)) ([!189](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/189))
28. Added the ability to listen on Unix sockets 28. Added the ability to listen on Unix sockets
([!187](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/187)) ([!187](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/187))
29. Added the ability to allow invalid TLS certificates
([!203](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/203))


@ -439,6 +439,7 @@ pub(crate) struct ObservabilityConfig {
#[serde(default)] #[serde(default)]
pub(crate) struct FederationConfig { pub(crate) struct FederationConfig {
pub(crate) enable: bool, pub(crate) enable: bool,
pub(crate) allow_invalid_tls_certificates: bool,
pub(crate) self_test: bool, pub(crate) self_test: bool,
pub(crate) trusted_servers: Vec<OwnedServerName>, pub(crate) trusted_servers: Vec<OwnedServerName>,
pub(crate) max_fetch_prev_events: u16, pub(crate) max_fetch_prev_events: u16,
@ -456,6 +457,7 @@ impl Default for FederationConfig {
], ],
max_fetch_prev_events: 100, max_fetch_prev_events: 100,
max_concurrent_requests: 100, max_concurrent_requests: 100,
allow_invalid_tls_certificates: false,
old_verify_keys: BTreeMap::new(), old_verify_keys: BTreeMap::new(),
} }
} }
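Review bot: The new `allow_invalid_tls_certificates` field at the top of this section carries no doc comment, and for an option that switches off TLS certificate verification the config struct should state what it disables and when it is acceptable. I would add above the field: `/// Accept TLS certificates that fail validation on outgoing requests. This removes protection against on-path attackers and is intended for testing only; leave it false in production.` If the other fields are documented in an example config file rather than on the struct, the same warning belongs there too. The `Default` impl lists the field after `max_concurrent_requests` while the struct declares it right after `enable`; keeping the two orders aligned makes the defaults easier to audit.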

View file

@ -215,6 +215,9 @@ impl Resolve for FederationResolver {
impl Service { impl Service {
#[tracing::instrument(skip_all)] #[tracing::instrument(skip_all)]
// there are a lot of fields to initialize, not easy to break up but logic
// is fairly linear
#[allow(clippy::too_many_lines)]
pub(crate) fn new( pub(crate) fn new(
db: &'static dyn Data, db: &'static dyn Data,
config: Config, config: Config,
@ -258,6 +261,14 @@ impl Service {
let default_client = reqwest_client_builder(&config)? let default_client = reqwest_client_builder(&config)?
.dns_resolver(default_resolver) .dns_resolver(default_resolver)
.build()?; .build()?;
if config.federation.allow_invalid_tls_certificates {
warn!(
"TLS certificate validation is disabled, this is insecure and \
should not be used in production"
);
}
let federation_client = reqwest_client_builder(&config)? let federation_client = reqwest_client_builder(&config)?
.dns_resolver(federation_resolver) .dns_resolver(federation_resolver)
.build()?; .build()?;
@ -647,6 +658,9 @@ fn reqwest_client_builder(config: &Config) -> Result<reqwest::ClientBuilder> {
.pool_max_idle_per_host(0) .pool_max_idle_per_host(0)
.connect_timeout(Duration::from_secs(30)) .connect_timeout(Duration::from_secs(30))
.timeout(Duration::from_secs(60 * 3)) .timeout(Duration::from_secs(60 * 3))
.danger_accept_invalid_certs(
config.federation.allow_invalid_tls_certificates,
)
.user_agent(format!("{}/{}", env!("CARGO_PKG_NAME"), crate::version())); .user_agent(format!("{}/{}", env!("CARGO_PKG_NAME"), crate::version()));
if let Some(proxy) = config.proxy.to_proxy()? { if let Some(proxy) = config.proxy.to_proxy()? {
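Review bot: The `danger_accept_invalid_certs` call added at the end of this section lives in `reqwest_client_builder`, and the earlier hunk shows that helper also builds `default_client`, so an option namespaced under `[federation]` disables certificate verification for every outgoing client this service creates, not only federation traffic. The warning is also emitted only once and after `default_client` has already been built with verification off. Keeping the blast radius matching the option's name means applying it on the federation client alone, `let federation_client = reqwest_client_builder(&config)?.dns_resolver(federation_resolver).danger_accept_invalid_certs(config.federation.allow_invalid_tls_certificates).build()?;`, and dropping the three added lines from `reqwest_client_builder`. Per reqwest's documentation this setting trusts any certificate for any host, including expired ones, which the warning text could state explicitly. Both `Service::new` and `reqwest_client_builder` continue outside the hunks.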