Disable cert verification for client certs? #68

Closed
alex opened this issue May 11, 2017 · 3 comments

@alex
Contributor

alex commented May 11, 2017

I want to start by saying that I recognize that in many senses this goes against the spirit of this (excellent) library, so if there's no interest, I'll be understanding.

I've got a use case where I'd like to be able to accept truly any client cert. I've also had use cases in previous contexts where I'd really want to be able to bring my own cert verification as a typical verifier would present a challenge; the most recent of these was wanting to use SCVP for verification instead of doing it myself.

@ctz
Member

ctz commented May 11, 2017

I think I'm kind of softening on this as time goes on. But stuff like this is still going to always be behind a scarily-named feature, and probably exposed in a deliberately obtuse place in the API. I guess this is similar to PR #64.

@alex
Contributor Author

alex commented May 11, 2017

I am ok with that; I solemnly swear that I'll never use the scarily named option without a long comment explaining why in this very narrow context it's ok.

If you can suggest where in the API you'd like it, I'm happy to send a PR.

@alex
Contributor Author

alex commented May 11, 2017

Here's a proposal:

  • New feature dangerous_configuration, which you have to enable in order to be able to use this stuff
  • On rustls::ServerConfig add a dangerous_configuration field, which is an instance of Option<rustls::DangerousServerConfig>
  • rustls::DangerousServerConfig has a disable_certificate_verification bool field
  • None of these fields exist unless the dangerous_configuration feature is enabled.

I think this makes things relatively inaccessible -- it also means that if a library wants to use all this, it's clearly propagated in a way that consumers can see it.
