Remove built-in support for disabling certificate verification

This can already be done by constructing a `ClientConfig` manually,
and probably shouldn't be made too convenient.

quinn/Cargo.toml

@@ -19,9 +19,6 @@ codecov = { repository = "djc/quinn" }
 maintenance = { status = "experimental" }
 travis-ci = { repository = "djc/quinn" }
 
-[features]
-dangerous_configuration = ["quinn-proto/dangerous_configuration"]
-
 [dependencies]
 bytes = "0.4.7"
 failure = "0.1"
@@ -54,7 +51,6 @@ name = "server"
 
 [[example]]
 name = "interop"
-required-features = ["dangerous_configuration"]
 
 [[example]]
 name = "client"

quinn/examples/client.rs

@@ -19,8 +19,6 @@ use url::Url;
 type Result<T> = std::result::Result<T, Error>;
 
 /// HTTP/0.9 over QUIC client
-///
-/// Build with the dangerous_configuration feature to support connecting to servers with invalid certificates.
 #[derive(StructOpt, Debug)]
 #[structopt(name = "client")]
 struct Opt {
@@ -33,11 +31,6 @@ struct Opt {
     /// Custom certificate authority to trust, in DER format
     #[structopt(parse(from_os_str), long = "ca")]
     ca: Option<PathBuf>,
-
-    /// Accept invalid (e.g. self-signed) TLS certificates
-    #[cfg(feature = "dangerous_configuration")]
-    #[structopt(long = "accept-insecure-certs")]
-    accept_insecure_certs: bool,
     /*
     /// file to read/write session tickets to
     #[structopt(long = "session-cache", parse(from_os_str))]
@@ -97,12 +90,6 @@ fn run(log: Logger, options: Opt) -> Result<()> {
         client_config
             .add_certificate_authority(quinn::Certificate::from_der(&fs::read(&ca_path)?)?)?;
     }
-    #[cfg(feature = "dangerous_configuration")]
-    {
-        if options.accept_insecure_certs {
-            client_config.accept_insecure_certs();
-        }
-    }
 
     endpoint.default_client_config(client_config.build());
 

quinn/src/lib.rs

@@ -402,6 +402,10 @@ impl ClientConfigBuilder {
     }
 
     /// Add a trusted certificate authority.
+    ///
+    /// For more advanced/less secure certificate verification, construct a [`ClientConfig`]
+    /// manually and use rustls's `dangerous_configuration` feature to override the certificate
+    /// verifier.
     pub fn add_certificate_authority(&mut self, cert: Certificate) -> Result<&mut Self, Error> {
         {
             let anchor = webpki::trust_anchor_util::cert_der_as_trust_anchor(
@@ -441,36 +445,6 @@ impl ClientConfigBuilder {
             tls_config: Arc::new(self.config),
         }
     }
-
-    /// DANGEROUS - Connect even if the server presents an invalid certificate.
-    ///
-    /// Restricted by the `dangerous_configuration` feature. Use with care.
-    ///
-    /// This allows connecting to servers whose certificates aren't signed by a trusted authority, e.g. servers using
-    /// self-signed certificates. This allows an attacker to impersonate the server and therefore read and modify
-    /// traffic, but is useful for applications where trust is not expected or is enforced by external means.
-    ///
-    /// Convenience method for specifying a custom `ServerCertVerifier` in the TLS configuration.
-    #[cfg(feature = "dangerous_configuration")]
-    pub fn accept_insecure_certs(&mut self) -> &mut Self {
-        struct NullVerifier;
-        impl rustls::ServerCertVerifier for NullVerifier {
-            fn verify_server_cert(
-                &self,
-                _roots: &rustls::RootCertStore,
-                _presented_certs: &[rustls::Certificate],
-                _dns_name: webpki::DNSNameRef,
-                _ocsp_response: &[u8],
-            ) -> Result<rustls::ServerCertVerified, TLSError> {
-                Ok(rustls::ServerCertVerified::assertion())
-            }
-        }
-
-        self.config
-            .dangerous()
-            .set_certificate_verifier(Arc::new(NullVerifier));
-        self
-    }
 }
 
 impl Default for ClientConfigBuilder {