hgcli: add cli flag to allow insecure TLS connection

Summary: Allow insecure tls connections for development. Reviewed By: ikostia Differential Revision: D14855004 fbshipit-source-id: 87a8bc42e2823df2f1f480d2fb719dc08a704660
2024-10-10 16:57:49 +03:00 · 2019-04-09 11:21:41 -07:00 · 2019-04-09 11:21:41 -07:00 · 091d704947
commit 091d704947
parent 75ecc788b6
2 changed files with 9 additions and 1 deletions
--- a/hgcli/src/main.rs
+++ b/hgcli/src/main.rs
@ -87,6 +87,7 @@ fn main() {
                .arg(Arg::from_usage(
                    "--common-name [CN] 'expected SSL common name of the server see https://www.ssl.com/faqs/common-name/'",
                ))
+                .arg(Arg::from_usage("--insecure 'run hgcli without verifying peer certificate'"))
                .arg(Arg::from_usage("--stdio 'for remote clients'"))
                .arg(
                    Arg::from_usage("--cmdserver [MODE] 'for remote clients'")
--- a/hgcli/src/serve/mod.rs
+++ b/hgcli/src/serve/mod.rs
@ -15,7 +15,7 @@ use slog_term;

 use dns_lookup::lookup_addr;
 use libc::c_ulong;
-use openssl::ssl::{SslConnector, SslMethod};
+use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
 use tokio_io::codec::{FramedRead, FramedWrite};
 use tokio_io::AsyncRead;
 use tokio_openssl::{SslConnectorExt, SslStream};
@ -63,6 +63,7 @@ pub fn cmd(main: &ArgMatches, sub: &ArgMatches) -> BoxFuture<(), Error> {
            let common_name = sub
                .value_of("common-name")
                .expect("expected SSL common name of the Mononoke server");
+            let insecure = sub.is_present("insecure");
            let is_remote_proxy = main.is_present("remote-proxy");
            let scuba_table = main.value_of("scuba-table");
            let mock_username = sub.value_of("mock-username");
@ -75,6 +76,7 @@ pub fn cmd(main: &ArgMatches, sub: &ArgMatches) -> BoxFuture<(), Error> {
                private_key,
                ca_pem,
                ssl_common_name: common_name,
+                insecure,
                is_remote_proxy,
                scuba_table,
                mock_username,
@ -94,6 +96,7 @@ struct StdioRelay<'a> {
    private_key: &'a str,
    ca_pem: &'a str,
    ssl_common_name: &'a str,
+    insecure: bool,
    is_remote_proxy: bool,
    scuba_table: Option<&'a str>,
    mock_username: Option<&'a str>,
@ -209,6 +212,10 @@ impl<'a> StdioRelay<'a> {
        let connector = {
            let mut connector = try_boxfuture!(SslConnector::builder(SslMethod::tls()));

+            if self.insecure {
+                connector.set_verify(SslVerifyMode::NONE);
+            }
+
            let pkcs12 = try_boxfuture!(build_identity(
                self.cert.to_owned(),
                self.private_key.to_owned(),