diff --git a/.changes/updater-allow-invalid-tls.md b/.changes/updater-allow-invalid-tls.md
new file mode 100644
index 000000000..7c8e275cf
--- /dev/null
+++ b/.changes/updater-allow-invalid-tls.md
@@ -0,0 +1,6 @@
+---
+"updater": minor
+"updater-js": minor
+---
+
+Allow configuring the updater client to accept invalid TLS certificates and hostnames for internal/self-signed update servers. These options are available via the plugin config (`dangerousAcceptInvalidCerts`, `dangerousAcceptInvalidHostnames`) and via the `UpdaterBuilder` (`dangerous_accept_invalid_certs`, `dangerous_accept_invalid_hostnames`).
diff --git a/plugins/updater/src/config.rs b/plugins/updater/src/config.rs
index 6b16bc01f..330443d68 100644
--- a/plugins/updater/src/config.rs
+++ b/plugins/updater/src/config.rs
@@ -95,6 +95,10 @@ where
 pub struct Config {
 /// Dangerously allow using insecure transport protocols for update endpoints.
 pub dangerous_insecure_transport_protocol: bool,
+ /// Dangerously accept invalid TLS certificates for update requests.
+ pub dangerous_accept_invalid_certs: bool,
+ /// Dangerously accept invalid hostnames for TLS certificates for update requests.
+ pub dangerous_accept_invalid_hostnames: bool,
 /// Updater endpoints.
 pub endpoints: Vec,
 /// Signature public key.
@@ -113,6 +117,10 @@ impl<'de> Deserialize<'de> for Config {
 pub struct Config {
 #[serde(default, alias = "dangerous-insecure-transport-protocol")]
 pub dangerous_insecure_transport_protocol: bool,
+ #[serde(default, alias = "dangerous-accept-invalid-certs")]
+ pub dangerous_accept_invalid_certs: bool,
+ #[serde(default, alias = "dangerous-accept-invalid-hostnames")]
+ pub dangerous_accept_invalid_hostnames: bool,
 #[serde(default)]
 pub endpoints: Vec,
 pub pubkey: String,
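Review bot: The doc comments added for `dangerous_accept_invalid_certs` and `dangerous_accept_invalid_hostnames` in the -95 hunk say what each flag does but not what it costs. With either one set, the update server is no longer authenticated, so any party on the network path can answer update requests, and the signature check against `pubkey` is presumably the only remaining control on what gets installed. I would extend each comment along the lines of `/// Disables TLS certificate validation for every updater request; the server is then unauthenticated and only the update signature protects the payload. Defaults to false; for internal or self-signed servers only.`, with the hostname field worded likewise. The serde-facing struct in the -113 hunk relies on `#[serde(default)]` to keep both checks on when the keys are omitted, which is worth pinning with a unit test that deserializes a config without them.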
@@ -129,6 +137,8 @@ impl<'de> Deserialize<'de> for Config {
 Ok(Self {
 dangerous_insecure_transport_protocol: config.dangerous_insecure_transport_protocol,
+ dangerous_accept_invalid_certs: config.dangerous_accept_invalid_certs,
+ dangerous_accept_invalid_hostnames: config.dangerous_accept_invalid_hostnames,
 endpoints: config.endpoints,
 pubkey: config.pubkey,
 windows: config.windows,
diff --git a/plugins/updater/src/updater.rs b/plugins/updater/src/updater.rs
index 28c420ca8..35945b87d 100644
--- a/plugins/updater/src/updater.rs
+++ b/plugins/updater/src/updater.rs
@@ -425,6 +425,12 @@ impl Updater {
 log::debug!("checking for updates {url}");
 let mut request = ClientBuilder::new().user_agent(UPDATER_USER_AGENT);
+ if self.config.dangerous_accept_invalid_certs {
+ request = request.danger_accept_invalid_certs(true);
+ }
+ if self.config.dangerous_accept_invalid_hostnames {
+ request = request.danger_accept_invalid_hostnames(true);
+ }
 if let Some(timeout) = self.timeout {
 request = request.timeout(timeout);
 }
@@ -625,6 +631,12 @@ impl Update {
 }
 let mut request = ClientBuilder::new().user_agent(UPDATER_USER_AGENT);
+ if self.config.dangerous_accept_invalid_certs {
+ request = request.danger_accept_invalid_certs(true);
+ }
+ if self.config.dangerous_accept_invalid_hostnames {
+ request = request.danger_accept_invalid_hostnames(true);
+ }
 if let Some(timeout) = self.timeout {
 request = request.timeout(timeout);
 }
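Review bot: Nothing in the -425 hunk records that TLS verification has been switched off: the two new `if self.config.dangerous_accept_invalid_*` branches relax the client silently, so a build that ships with a test-environment config cannot be told apart in the logs from one that verifies its update server. The same six lines are repeated in the `impl Update` hunk at -625, which lets the check and download clients drift apart if one is edited later. I would move both branches into one helper that takes the `ClientBuilder` and the config, emits a `log::warn!` for each relaxed check, and is called from both sites; this assumes both `self.config` values are the `Config` from config.rs. The enclosing functions start and end outside these hunks, so the rest of the client setup is not visible here.

```rust
/// Applies the `dangerous_accept_invalid_*` options to `builder`,
/// logging a warning for every TLS check that is being disabled.
fn apply_tls_overrides(mut builder: ClientBuilder, config: &Config) -> ClientBuilder {
    if config.dangerous_accept_invalid_certs {
        log::warn!("updater: TLS certificate validation is disabled (dangerous_accept_invalid_certs)");
        builder = builder.danger_accept_invalid_certs(true);
    }
    if config.dangerous_accept_invalid_hostnames {
        log::warn!("updater: TLS hostname verification is disabled (dangerous_accept_invalid_hostnames)");
        builder = builder.danger_accept_invalid_hostnames(true);
    }
    builder
}

// at both call sites, replacing the two added `if` blocks:
let mut request = apply_tls_overrides(
    ClientBuilder::new().user_agent(UPDATER_USER_AGENT),
    &self.config,
);
// … unchanged: timeout handling and the rest of the client setup …
```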