Reqwest: HTTPS requests with no certificate verification

Created on 10 Aug 2017  路  8Comments  路  Source: seanmonstar/reqwest

Is it possible now to make https requests with no cert verification? Call of danger_disable_hostname_verification() on ClientBuilder seems to have no effect in 0.7.2.

Most helpful comment

Since this issue is high in search results... working example with reqwest = "0.9.11":
```rust
extern crate reqwest;

fn main() {
let res = reqwest::Client::builder()
.danger_accept_invalid_certs(true)
.build()
.unwrap()
.get("https://invalidcert.example.com")
.send()
.unwrap();

println!("res: is {}", res.status());

}

All 8 comments

Yes, that method is supposed to disable hostname verification. From what I've seen, it works as advertised. Do you have a specific problem? It would be useful to see some example code that fails, the error that you get, and what version and OS is this on.

I used this simple https server:

https://gist.github.com/dergachev/7028596

It is accessible via other clients. The code:

use std::io::Read;

extern crate reqwest;

use reqwest::ClientBuilder;

fn main() {
    let client = ClientBuilder::new().unwrap().danger_disable_hostname_verification().build().unwrap();
    let mut res = client.get("https://localhost:4443/").unwrap().send();
    match res {
        Ok(mut correct_result) => {
            let mut content = String::new();
            correct_result.read_to_string(&mut content);
            println!("{}", content);
        }
        Err(e) =>
            println!("{}", e)
    }
}

The error:

https://localhost:4443/: The trust policy was not trusted.

Ah, you want to completely disable verification. That method doesn't do that, just verifying the hostname. You can use add_root_certificate to use a self signed cert.

So there is no way to completely disable certificate verification, I see?) I would like to establish connections with no need to add any certificates (even self-signed).

No, there isn't. In those cases, better to just not use HTTPS, because it's a lie.

Yes, it kinda is)
Anyway, thanks.

This would really be useful for some of us. Most libraries in other languages support this option.

Since this issue is high in search results... working example with reqwest = "0.9.11":
```rust
extern crate reqwest;

fn main() {
let res = reqwest::Client::builder()
.danger_accept_invalid_certs(true)
.build()
.unwrap()
.get("https://invalidcert.example.com")
.send()
.unwrap();

println!("res: is {}", res.status());

}

Was this page helpful?
0 / 5 - 0 ratings