ClientBuilder::danger_accept_invalid_certs(true) does not appear to work when .impersonate(...) is enabled.
The same option is expected to disable certificate validation, but in the impersonation path primp builds a custom rustls::ClientConfig and passes it to reqwest via use_preconfigured_tls(...). Because of that, the reqwest builder's danger_accept_invalid_certs(true) setting is not applied to the preconfigured TLS config.
In the impersonation build path, apply_impersonation(...) creates a custom rustls::ClientConfig:
let tls_config = build_impersonate_tls_config(&settings, custom_certs)?;
let builder = builder.use_preconfigured_tls(tls_config);
At this point, the danger_accept_invalid_certs(true) setting from the underlying reqwest builder is no longer applied, because the TLS verifier has already been selected inside the preconfigured rustls config.
Possible fix:
Track the accept_invalid_certs setting in primp::ClientBuilder and pass it into build_impersonate_tls_config(...). When enabled, build the rustls config with a custom verifier, similar to reqwest's NoVerifier path:
let config = if accept_invalid_certs {
builder
.dangerous()
.with_custom_certificate_verifier(Arc::new(NoVerifier))
.with_no_client_auth()
} else {
builder
.with_root_certificates(root_store)
.with_no_client_auth()
};
ClientBuilder::danger_accept_invalid_certs(true)does not appear to work when.impersonate(...)is enabled.The same option is expected to disable certificate validation, but in the impersonation path
primpbuilds a customrustls::ClientConfigand passes it to reqwest viause_preconfigured_tls(...). Because of that, the reqwest builder'sdanger_accept_invalid_certs(true)setting is not applied to the preconfigured TLS config.In the impersonation build path,
apply_impersonation(...)creates a customrustls::ClientConfig:At this point, the
danger_accept_invalid_certs(true)setting from the underlying reqwest builder is no longer applied, because the TLS verifier has already been selected inside the preconfigured rustls config.Possible fix:
Track the
accept_invalid_certssetting inprimp::ClientBuilderand pass it intobuild_impersonate_tls_config(...). When enabled, build the rustls config with a custom verifier, similar to reqwest'sNoVerifierpath: