diff --git a/.changes/updater-allow-invalid-tls.md b/.changes/updater-allow-invalid-tls.md
new file mode 100644
index 000000000..7c8e275cf
--- /dev/null
+++ b/.changes/updater-allow-invalid-tls.md
@@ -0,0 +1,6 @@
+---
+"updater": minor
+"updater-js": minor
+---
+
+Allow configuring the updater client to accept invalid TLS certificates and hostnames for internal/self-signed update servers. These options are available via the plugin config (`dangerousAcceptInvalidCerts`, `dangerousAcceptInvalidHostnames`) and via the `UpdaterBuilder` (`dangerous_accept_invalid_certs`, `dangerous_accept_invalid_hostnames`).
diff --git a/plugins/updater/src/config.rs b/plugins/updater/src/config.rs
index 05dda11f7..8c6e8bc29 100644
--- a/plugins/updater/src/config.rs
+++ b/plugins/updater/src/config.rs
@@ -91,6 +91,10 @@ where
 pub struct Config {
 /// Dangerously allow using insecure transport protocols for update endpoints.
 pub dangerous_insecure_transport_protocol: bool,
+ /// Dangerously accept invalid TLS certificates for update requests.
+ pub dangerous_accept_invalid_certs: bool,
+ /// Dangerously accept invalid hostnames for TLS certificates for update requests.
+ pub dangerous_accept_invalid_hostnames: bool,
 /// Updater endpoints.
 pub endpoints: Vec,
 /// Signature public key.
@@ -109,6 +113,10 @@ impl<'de> Deserialize<'de> for Config {
 pub struct Config {
 #[serde(default, alias = "dangerous-insecure-transport-protocol")]
 pub dangerous_insecure_transport_protocol: bool,
+ #[serde(default, alias = "dangerous-accept-invalid-certs")]
+ pub dangerous_accept_invalid_certs: bool,
+ #[serde(default, alias = "dangerous-accept-invalid-hostnames")]
+ pub dangerous_accept_invalid_hostnames: bool,
 #[serde(default)]
 pub endpoints: Vec,
 pub pubkey: String,
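Review bot: The doc comments added to `Config` in the `@@ -91,6 +91,10 @@` hunk of `config.rs` name each switch but not what it turns off, which is what an integrator needs to know before enabling it. For the first field I would write `/// Dangerously accept invalid TLS certificates for update requests: certificate validation is skipped, so the update server is not authenticated and the update signature check is the only remaining integrity control.` and for the second `/// Dangerously accept TLS certificates issued for a hostname other than the update endpoint's.` The signature check is inferred from the `pubkey` field and is not visible in this diff, so it is worth confirming that it still runs unconditionally when either flag is set. The struct body continues outside the hunk.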
@@ -125,6 +133,8 @@ impl<'de> Deserialize<'de> for Config { Ok(Self { dangerous_insecure_transport_protocol: config.dangerous_insecure_transport_protocol, + dangerous_accept_invalid_certs: config.dangerous_accept_invalid_certs, + dangerous_accept_invalid_hostnames: config.dangerous_accept_invalid_hostnames, endpoints: config.endpoints, pubkey: config.pubkey, windows: config.windows, diff --git a/plugins/updater/src/updater.rs b/plugins/updater/src/updater.rs index a8e1f6bd4..99fbacace 100644 --- a/plugins/updater/src/updater.rs +++ b/plugins/updater/src/updater.rs @@ -433,6 +433,12 @@ impl Updater { log::debug!("checking for updates {url}"); let mut request = ClientBuilder::new().user_agent(UPDATER_USER_AGENT); + if self.config.dangerous_accept_invalid_certs { + request = request.danger_accept_invalid_certs(true); + } + if self.config.dangerous_accept_invalid_hostnames { + request = request.danger_accept_invalid_hostnames(true); + } if let Some(timeout) = self.timeout { request = request.timeout(timeout); } @@ -633,6 +639,12 @@ impl Update { } let mut request = ClientBuilder::new().user_agent(UPDATER_USER_AGENT); + if self.config.dangerous_accept_invalid_certs { + request = request.danger_accept_invalid_certs(true); + } + if self.config.dangerous_accept_invalid_hostnames { + request = request.danger_accept_invalid_hostnames(true); + } if let Some(timeout) = self.timeout { request = request.timeout(timeout); }
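Review bot: In `updater.rs` both flags are applied to the `ClientBuilder` silently in the `impl Updater` hunk (`-433,6`), and the same six lines are repeated verbatim in the `impl Update` hunk (`-633,6`). A build that ships with certificate or hostname validation disabled therefore leaves no trace in its logs, and the check and download paths can drift apart if only one copy is edited later. I would move the block into one private helper that emits a `log::warn!` per enabled flag and call it from both places. Both enclosing functions start and end outside their hunks, so the helper's placement and exact signature need checking against the full file.

```rust
/// Applies the opt-in TLS validation overrides and logs each one that is active.
fn apply_tls_overrides(
    mut builder: ClientBuilder,
    accept_invalid_certs: bool,
    accept_invalid_hostnames: bool,
) -> ClientBuilder {
    if accept_invalid_certs {
        log::warn!("updater: TLS certificate validation is disabled by configuration");
        builder = builder.danger_accept_invalid_certs(true);
    }
    if accept_invalid_hostnames {
        log::warn!("updater: TLS hostname verification is disabled by configuration");
        builder = builder.danger_accept_invalid_hostnames(true);
    }
    builder
}

// at both call sites (impl Updater and impl Update):
let mut request = apply_tls_overrides(
    ClientBuilder::new().user_agent(UPDATER_USER_AGENT),
    self.config.dangerous_accept_invalid_certs,
    self.config.dangerous_accept_invalid_hostnames,
);
// … unchanged: timeout handling …
```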