Allow verification to be disabled in OpenSsl

sfackler · sfackler · commit 99cab46f38bc · 2017-01-13T13:02:03.000-08:00
diff --git a/postgres/Cargo.toml b/postgres/Cargo.toml
@@ -43,7 +43,7 @@ hex = "0.2"
 log = "0.3"
 postgres-protocol = "0.2"
 
-openssl = { version = "0.9", optional = true }
+openssl = { version = "0.9.2", optional = true }
 native-tls = { version = "0.1", optional = true }
 rustc-serialize = { version = "0.3", optional = true }
 schannel = { version = "0.1", optional = true }
diff --git a/postgres/src/tls/openssl.rs b/postgres/src/tls/openssl.rs
@@ -21,7 +21,10 @@ impl TlsStream for SslStream<Stream> {
 /// A `TlsHandshake` implementation that uses OpenSSL.
 ///
 /// Requires the `with-openssl` feature.
-pub struct OpenSsl(SslConnector);
+pub struct OpenSsl {
+    connector: SslConnector,
+    disable_verification: bool,
+}
 
 impl fmt::Debug for OpenSsl {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
@@ -33,23 +36,36 @@ impl OpenSsl {
     /// Creates a `OpenSsl` with `SslConnector`'s default configuration.
     pub fn new() -> Result<OpenSsl, ErrorStack> {
         let connector = try!(SslConnectorBuilder::new(SslMethod::tls())).build();
-        Ok(OpenSsl(connector))
+        Ok(OpenSsl::from(connector))
     }
 
     /// Returns a reference to the inner `SslConnector`.
     pub fn connector(&self) -> &SslConnector {
-        &self.0
+        &self.connector
     }
 
     /// Returns a mutable reference to the inner `SslConnector`.
     pub fn connector_mut(&mut self) -> &mut SslConnector {
-        &mut self.0
+        &mut self.connector
+    }
+
+    /// If set, the
+    /// `SslConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication`
+    /// method will be used to connect.
+    ///
+    /// If certificate verification has been disabled in the `SslConnector`, verification must be
+    /// additionally disabled here for that setting to take effect.
+    pub fn danger_disable_hostname_verification(&mut self, disable_verification: bool) {
+        self.disable_verification = disable_verification;
     }
 }
 
 impl From<SslConnector> for OpenSsl {
     fn from(connector: SslConnector) -> OpenSsl {
-        OpenSsl(connector)
+        OpenSsl {
+            connector: connector,
+            disable_verification: false,
+        }
     }
 }
 
@@ -58,7 +74,11 @@ impl TlsHandshake for OpenSsl {
                      domain: &str,
                      stream: Stream)
                      -> Result<Box<TlsStream>, Box<Error + Send + Sync>> {
-        let stream = try!(self.0.connect(domain, stream));
+        let stream = if self.disable_verification {
+            try!(self.connector.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(stream))
+        } else {
+            try!(self.connector.connect(domain, stream))
+        };
         Ok(Box::new(stream))
     }
 }
