add danger clause for ignoring invalid certificates #2470
Are you sure the changelog does not need updating?
As this only happens on macOS, can we do this under a conditional-compilation flag for macos?
Also a comment in the code would be good to explain the problem and possibly link a ticket that we can watch for resolution.
c9919e6 to 4071fa4
@thomaseizinger I duplicated the function and added conditionals. Is that what you had in mind, or should I rather use https://doc.rust-lang.org/reference/conditional-compilation.html#the-cfg-macro ?
Yes, that is what I meant, although I would have probably only applied it to the particular line like this:
let mut builder = reqwest::Client::builder()
    .add_root_certificate(cert)
    .default_headers(default_headers);
#[cfg(target_os = "macos")]
{
    // a very long and good comment on what is happening and why we need this
    builder.danger_accept_invalid_certs(true);
}
builder.build()?
@thomaseizinger Unfortunately that cannot be changed that easily. Running into lifetime (use of moved value...) with the builder when doing this.
Seems there is an additional problem with the
Please custom block size + add explanatory comment.
Also, what was the result of trying with rustls-tls? Looks like you have to pass
I did try fixing it with
needed to make e2e test pass on macOS Catalina
4071fa4 to 9735d3f
#[cfg(target_os = "macos")] | ||
let client = reqwest::Client::builder() | ||
.danger_accept_invalid_certs(true) | ||
.add_root_certificate(cert) | ||
.default_headers(default_headers) | ||
.build()?) | ||
.build()?; | ||
|
||
#[cfg(not(target_os = "macos"))] | ||
let client = reqwest::Client::builder() | ||
.add_root_certificate(cert) | ||
.default_headers(default_headers) | ||
.build()?; |
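Review bot: In the `#[cfg(target_os = "macos")]` branch, `.danger_accept_invalid_certs(true)` makes the client accept any certificate, so the `.add_root_certificate(cert)` call after it no longer restricts which server the client will trust on macOS. The branch carries no comment saying why validation is turned off or which upstream issue would allow removing it; please add one directly above the `#[cfg(target_os = "macos")]` line. The two builder chains are otherwise identical, so a later change to one can miss the other; building the chain once and making only the `danger_accept_invalid_certs` argument platform-dependent would avoid that.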
I hope it is not too much bike-shedding but I found this: https://doc.rust-lang.org/std/macro.cfg.html
So I think we could do:
// The generated, self-signed lnd certificate is deemed invalid on macOS
// Catalina because of new certificate requirements in macOS Catalina: https://support.apple.com/en-us/HT210176
// By using this conditional compilation step for macOS we accept invalid
// certificates. This is only a minimal security risk because by default the
// certificate that lnd generates is configured to only allow connections
// from localhost. Ticket that will resolve that issue: https://github.com/lightningnetwork/lnd/issues/4201
let accept_invalid_certificates = if cfg!(target_os = "macos") {
    true
} else {
    false
};
let client = reqwest::Client::builder()
    .danger_accept_invalid_certs(accept_invalid_certificates)
    .add_root_certificate(cert)
    .default_headers(default_headers)
    .build()?;
Up to you if you like it better :)
Where is the 🚲🏠 comment reaction when we need it?
beautiful, but saw it too late. Feel free to push a follow up :)
bors r+
Build succeeded:
fixes #2464
needed to make ether-halight e2e test pass on macOS Catalina.
Questionable if this is a good fix, since it is a security concern.
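The suggested code comment in the thread rests on lnd only being reached over localhost. As an added example (not code from this PR or the project), this std-only Rust code turns that assumption into a check, so the value handed to `danger_accept_invalid_certs` is `true` only on macOS and only for a loopback `https` endpoint. The function names, the `is_macos` parameter and the sample URLs are hypothetical.

```rust
use std::net::IpAddr;

// Host part of an `https://host[:port]/...` URL; None (fail closed) for
// other schemes, userinfo (`user@host`), or anything malformed.
fn https_host(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("https://")?;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    if authority.is_empty() || authority.contains('@') {
        return None;
    }
    if let Some(v6) = authority.strip_prefix('[') {
        // Bracketed IPv6 literal such as `[::1]:8080`.
        let (host, tail) = v6.split_once(']')?;
        return if tail.is_empty() || tail.starts_with(':') { Some(host) } else { None };
    }
    let host = authority.rsplit_once(':').map_or(authority, |(h, _port)| h);
    if host.is_empty() || host.contains(':') { None } else { Some(host) }
}

// Loopback means 127.0.0.0/8, ::1, or the name `localhost` (assumption: the
// local resolver maps `localhost` to a loopback address).
fn is_loopback_host(host: &str) -> bool {
    host.eq_ignore_ascii_case("localhost")
        || host.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
}

// Value to pass to `danger_accept_invalid_certs(..)`. `is_macos` is a
// parameter so the rule can be tested on any platform; callers would pass
// `cfg!(target_os = "macos")`.
fn accept_invalid_certs_for(url: &str, is_macos: bool) -> bool {
    is_macos && https_host(url).map_or(false, is_loopback_host)
}

fn main() {
    // Constructed sample endpoints, not taken from the project.
    let samples = [
        "https://127.0.0.1:8080/v1/getinfo",
        "https://[::1]:8080",
        "https://lnd.example.com:8080",
        "https://127.0.0.1@lnd.example.com/",
    ];
    for url in samples.iter() {
        let relaxed = accept_invalid_certs_for(url, cfg!(target_os = "macos"));
        println!("{} -> accept invalid certs: {}", url, relaxed);
    }
}
```

With this guard, a client pointed at a non-loopback endpoint keeps full certificate validation even on macOS, where the connection fails instead of silently trusting any certificate.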