HTTPS requests with no certificate verification

[pltb]

Is it possible now to make https requests with no cert verification? Call of danger_disable_hostname_verification() on ClientBuilder seems to have no effect in 0.7.2.

[seanmonstar]

Yes, that method is supposed to disable hostname verification. From what I've seen, it works as advertised. Do you have a specific problem? It would be useful to see some example code that fails, the error that you get, and what version and OS is this on.

[pltb]

I used this simple https server:

https://gist.github.com/dergachev/7028596

It is accessible via other clients. The code:

use std::io::Read;

extern crate reqwest;

use reqwest::ClientBuilder;

fn main() {
    let client = ClientBuilder::new().unwrap().danger_disable_hostname_verification().build().unwrap();
    let mut res = client.get("https://localhost:4443/").unwrap().send();
    match res {
        Ok(mut correct_result) => {
            let mut content = String::new();
            correct_result.read_to_string(&mut content);
            println!("{}", content);
        }
        Err(e) =>
            println!("{}", e)
    }
}

The error:

https://localhost:4443/: The trust policy was not trusted.

[seanmonstar]

Ah, you want to completely disable verification. That method doesn't do that, just verifying the hostname. You can use add_root_certificate to use a self signed cert.

[pltb]

So there is no way to completely disable certificate verification, I see?) I would like to establish connections with no need to add any certificates (even self-signed).

[seanmonstar]

No, there isn't. In those cases, better to just not use HTTPS, because it's a lie.

[pltb]

Yes, it kinda is)
Anyway, thanks.

[bigOconstant]

This would really be useful for some of us. Most libraries in other languages support this option.

[suside]

Since this issue is high in search results... working example with reqwest = "0.9.11":

extern crate reqwest;

fn main() {
    let res = reqwest::Client::builder()
        .danger_accept_invalid_certs(true)
        .build()
        .unwrap()
        .get("https://invalidcert.example.com")
        .send()
        .unwrap();

    println!("res: is {}", res.status());
}

[liudonghua123]

Since this issue is high in search results... working example with reqwest = "0.9.11":

extern crate reqwest;

fn main() {
    let res = reqwest::Client::builder()
        .danger_accept_invalid_certs(true)
        .build()
        .unwrap()
        .get("https://invalidcert.example.com")
        .send()
        .unwrap();

    println!("res: is {}", res.status());
}

I found danger_accept_invalid_certs method was added since version 0.9.0. And for attohttpc users, the same danger_accept_invalid_certs method also provided since version 0.10.0.

[alkeryn]

sorry for the necrobump, but can these kind of features be used on a single request whilst still sharing the reqwest client.
i'm sharing the client accross multiple runner, and in a specific case i must do a request with both ignore redirects and always trust cert.
because of how reqwest works rn, i have to set up two reqwest client for the program each with a different builder setting.
it would be cool if individual requests could have a more fine grained control whilst still sharing the same client.

[4aiman]

because of how reqwest works rn, i have to set up two reqwest client for the program each with a different builder setting.

Could you teach me how to ignore ssl, please?
I don't care if it's a separate runner.
Can't get http plugin to ignore cert errors :'(

[alkeryn]

@4aiman here is an example:

reqwest::Client::builder()
                .redirect(reqwest::redirect::Policy::none())
                .danger_accept_invalid_certs(true).build().expect("couldn't initialize http reqwest client")              

you don't prolly don't need the redirect line unless you want to ignore redirects.
though, you could have easily found it in the offical doc and chat gpt would have told you.

also there was literally an example above.

[4aiman]

Thanks!
Sadly, that's exactly what I've tried and it doesn't work for me (adding .danger_accept_invalid_certs(true) to the builder).
I assumed there was something else in some config file or somewhere else.
Maybe I need to try a minimal project and see if it works there

[alkeryn]

@4aiman what is your problem exactly ?
like what does it says ?
what are you trying to do?