Add configuration option to allow invalid TLS certificates

2025-12-16 23:31:24 +01:00 · 2025-08-21 17:43:56 -04:00 · 2025-08-21 17:43:56 -04:00 · b5bc53bb2d
commit b5bc53bb2d
parent d8ec961589
3 changed files with 18 additions and 0 deletions
--- a/book/changelog.md
+++ b/book/changelog.md
@ -336,3 +336,5 @@ This will be the first release of Grapevine since it was forked from Conduit
    ([!189](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/189))
 28. Added the ability to listen on Unix sockets
    ([!187](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/187))
+29. Added the ability to allow invalid TLS certificates
+    ([!203](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/203))
--- a/src/config.rs
+++ b/src/config.rs
@ -439,6 +439,7 @@ pub(crate) struct ObservabilityConfig {
 #[serde(default)]
 pub(crate) struct FederationConfig {
    pub(crate) enable: bool,
+    pub(crate) allow_invalid_tls_certificates: bool,
    pub(crate) self_test: bool,
    pub(crate) trusted_servers: Vec<OwnedServerName>,
    pub(crate) max_fetch_prev_events: u16,
@ -456,6 +457,7 @@ impl Default for FederationConfig {
            ],
            max_fetch_prev_events: 100,
            max_concurrent_requests: 100,
+            allow_invalid_tls_certificates: false,
            old_verify_keys: BTreeMap::new(),
        }
    }
--- a/src/service/globals.rs
+++ b/src/service/globals.rs
@ -215,6 +215,9 @@ impl Resolve for FederationResolver {

 impl Service {
    #[tracing::instrument(skip_all)]
+    // there are a lot of fields to initialize, not easy to break up but logic
+    // is fairly linear
+    #[allow(clippy::too_many_lines)]
    pub(crate) fn new(
        db: &'static dyn Data,
        config: Config,
@ -258,6 +261,14 @@ impl Service {
        let default_client = reqwest_client_builder(&config)?
            .dns_resolver(default_resolver)
            .build()?;
+
+        if config.federation.allow_invalid_tls_certificates {
+            warn!(
+                "TLS certificate validation is disabled, this is insecure and \
+                 should not be used in production"
+            );
+        }
+
        let federation_client = reqwest_client_builder(&config)?
            .dns_resolver(federation_resolver)
            .build()?;
@ -647,6 +658,9 @@ fn reqwest_client_builder(config: &Config) -> Result<reqwest::ClientBuilder> {
        .pool_max_idle_per_host(0)
        .connect_timeout(Duration::from_secs(30))
        .timeout(Duration::from_secs(60 * 3))
+        .danger_accept_invalid_certs(
+            config.federation.allow_invalid_tls_certificates,
+        )
        .user_agent(format!("{}/{}", env!("CARGO_PKG_NAME"), crate::version()));

    if let Some(proxy) = config.proxy.to_proxy()? {