Allow HTTPS sources that have SSL certificate problems (#5674)

Author: Nigusu-Allehu

src/NuGet.Clients/NuGet.PackageManagement.VisualStudio/Services/NuGetSourcesService.cs

@@ -94,6 +94,7 @@ private IReadOnlyList<PackageSource> GetPackageSourcesToUpdate(IReadOnlyList<Pac
                         && packageSource.Source.Equals(packageSourceContextInfo.Source, StringComparison.InvariantCulture)
                         && packageSource.ProtocolVersion == packageSourceContextInfo.ProtocolVersion
                         && packageSource.AllowInsecureConnections == packageSourceContextInfo.AllowInsecureConnections
+                        && packageSource.DisableTLSCertificateValidation == packageSourceContextInfo.DisableTLSCertificateValidation
                         && packageSource.IsEnabled == packageSourceContextInfo.IsEnabled)
                     {
                         newPackageSources.Add(packageSource);
@@ -113,6 +114,7 @@ private IReadOnlyList<PackageSource> GetPackageSourcesToUpdate(IReadOnlyList<Pac
                             Description = packageSource.Description,
                             ProtocolVersion = packageSourceContextInfo.ProtocolVersion,
                             AllowInsecureConnections = packageSourceContextInfo.AllowInsecureConnections,
+                            DisableTLSCertificateValidation = packageSourceContextInfo.DisableTLSCertificateValidation,
                             MaxHttpRequestsPerSource = packageSource.MaxHttpRequestsPerSource,
                         };
 

src/NuGet.Clients/NuGet.VisualStudio.Internal.Contracts/ContextInfos/PackageSourceContextInfo.cs

@@ -33,6 +33,11 @@ public PackageSourceContextInfo(string source, string name, bool isEnabled, int
         }
 
         public PackageSourceContextInfo(string source, string name, bool isEnabled, int protocolVersion, bool allowInsecureConnections)
+            : this(source, name, isEnabled, protocolVersion, allowInsecureConnections, disableTLSCertificateValidation: false)
+        {
+        }
+
+        public PackageSourceContextInfo(string source, string name, bool isEnabled, int protocolVersion, bool allowInsecureConnections, bool disableTLSCertificateValidation)
         {
             Assumes.NotNullOrEmpty(name);
             Assumes.NotNullOrEmpty(source);
@@ -42,12 +47,14 @@ public PackageSourceContextInfo(string source, string name, bool isEnabled, int
             IsEnabled = isEnabled;
             ProtocolVersion = protocolVersion;
             AllowInsecureConnections = allowInsecureConnections;
+            DisableTLSCertificateValidation = disableTLSCertificateValidation;
 
             var hash = new HashCodeCombiner();
             hash.AddStringIgnoreCase(Name);
             hash.AddStringIgnoreCase(Source);
             hash.AddObject(ProtocolVersion);
             hash.AddObject(AllowInsecureConnections);
+            hash.AddObject(DisableTLSCertificateValidation);
             _hashCode = hash.CombinedHash;
             OriginalHashCode = _hashCode;
         }
@@ -56,6 +63,7 @@ public PackageSourceContextInfo(string source, string name, bool isEnabled, int
         public string Source { get; set; }
         public int ProtocolVersion { get; set; }
         public bool AllowInsecureConnections { get; set; }
+        public bool DisableTLSCertificateValidation { get; set; }
         public bool IsMachineWide { get; internal set; }
         public bool IsEnabled { get; set; }
         public string? Description { get; internal set; }
@@ -94,7 +102,7 @@ public override int GetHashCode()
 
         public PackageSourceContextInfo Clone()
         {
-            return new PackageSourceContextInfo(Source, Name, IsEnabled, ProtocolVersion, AllowInsecureConnections)
+            return new PackageSourceContextInfo(Source, Name, IsEnabled, ProtocolVersion, AllowInsecureConnections, DisableTLSCertificateValidation)
             {
                 IsMachineWide = IsMachineWide,
                 Description = Description,
@@ -104,7 +112,7 @@ public PackageSourceContextInfo Clone()
 
         public static PackageSourceContextInfo Create(PackageSource packageSource)
         {
-            return new PackageSourceContextInfo(packageSource.Source, packageSource.Name, packageSource.IsEnabled, packageSource.ProtocolVersion, packageSource.AllowInsecureConnections)
+            return new PackageSourceContextInfo(packageSource.Source, packageSource.Name, packageSource.IsEnabled, packageSource.ProtocolVersion, packageSource.AllowInsecureConnections, packageSource.DisableTLSCertificateValidation)
             {
                 IsMachineWide = packageSource.IsMachineWide,
                 Description = packageSource.Description,

src/NuGet.Clients/NuGet.VisualStudio.Internal.Contracts/Formatters/PackageSourceContextInfoFormatter.cs

@@ -14,6 +14,7 @@ internal sealed class PackageSourceContextInfoFormatter : NuGetMessagePackFormat
         private const string IsEnabledPropertyName = "isenabled";
         private const string ProtocolVersionPropertyName = "protocolversion";
         private const string AllowInsecureConnectionsPropertyName = "allowInsecureConnections";
+        private const string DisableTLSCertificateValidationPropertyName = "disableTLSCertificateValidation";
         private const string IsMachineWidePropertyName = "ismachinewide";
         private const string NamePropertyName = "name";
         private const string DescriptionPropertyName = "description";
@@ -35,6 +36,7 @@ private PackageSourceContextInfoFormatter()
             int originalHashCode = 0;
             int protocolVersion = PackageSource.DefaultProtocolVersion;
             bool allowInsecureConnections = false;
+            bool disableTLSCertificateValidation = false;
 
             int propertyCount = reader.ReadMapHeader();
             for (int propertyIndex = 0; propertyIndex < propertyCount; propertyIndex++)
@@ -65,6 +67,9 @@ private PackageSourceContextInfoFormatter()
                     case AllowInsecureConnectionsPropertyName:
                         allowInsecureConnections = reader.ReadBoolean();
                         break;
+                    case DisableTLSCertificateValidationPropertyName:
+                        disableTLSCertificateValidation = reader.ReadBoolean();
+                        break;
                     default:
                         reader.Skip();
                         break;
@@ -74,7 +79,7 @@ private PackageSourceContextInfoFormatter()
             Assumes.NotNullOrEmpty(source);
             Assumes.NotNullOrEmpty(name);
 
-            return new PackageSourceContextInfo(source, name, isEnabled, protocolVersion, allowInsecureConnections)
+            return new PackageSourceContextInfo(source, name, isEnabled, protocolVersion, allowInsecureConnections, disableTLSCertificateValidation)
             {
                 IsMachineWide = isMachineWide,
                 Description = description,
@@ -84,13 +89,15 @@ private PackageSourceContextInfoFormatter()
 
         protected override void SerializeCore(ref MessagePackWriter writer, PackageSourceContextInfo value, MessagePackSerializerOptions options)
         {
-            writer.WriteMapHeader(count: 8);
+            writer.WriteMapHeader(count: 9);
             writer.Write(SourcePropertyName);
             writer.Write(value.Source);
             writer.Write(ProtocolVersionPropertyName);
             writer.Write(value.ProtocolVersion);
             writer.Write(AllowInsecureConnectionsPropertyName);
             writer.Write(value.AllowInsecureConnections);
+            writer.Write(DisableTLSCertificateValidationPropertyName);
+            writer.Write(value.DisableTLSCertificateValidation);
             writer.Write(IsEnabledPropertyName);
             writer.Write(value.IsEnabled);
             writer.Write(IsMachineWidePropertyName);

src/NuGet.Core/NuGet.Configuration/PackageSource/PackageSource.cs

@@ -19,6 +19,7 @@ public class PackageSource : IEquatable<PackageSource>
         public const int MaxProtocolVersion = 3;
 
         internal const bool DefaultAllowInsecureConnections = false;
+        internal const bool DefaultDisableTLSCertificateValidation = false;
 
         private int _hashCode;
         private string _source;
@@ -107,6 +108,11 @@ public string Source
         /// </summary>
         public bool AllowInsecureConnections { get; set; } = DefaultAllowInsecureConnections;
 
+        ///<summary>
+        /// Gets or sets disableTLSCertificateValidation of the source. Defaults to false.
+        ///</summary>
+        public bool DisableTLSCertificateValidation { get; set; } = DefaultDisableTLSCertificateValidation;
+
         /// <summary>
         /// Whether the source is using the HTTP protocol, including HTTPS.
         /// </summary>
@@ -160,11 +166,16 @@ public SourceItem AsSourceItem()
             }
 
             string? allowInsecureConnections = null;
+            string? disableTLSCertificateValidation = null;
             if (AllowInsecureConnections != DefaultAllowInsecureConnections)
             {
                 allowInsecureConnections = $"{AllowInsecureConnections}";
             }
-            return new SourceItem(Name, Source, protocolVersion, allowInsecureConnections);
+            if (DisableTLSCertificateValidation != DefaultDisableTLSCertificateValidation)
+            {
+                disableTLSCertificateValidation = $"{DisableTLSCertificateValidation}";
+            }
+            return new SourceItem(Name, Source, protocolVersion, allowInsecureConnections, disableTLSCertificateValidation);
         }
 
         public bool Equals(PackageSource? other)
@@ -202,6 +213,7 @@ public PackageSource Clone()
                 IsMachineWide = IsMachineWide,
                 ProtocolVersion = ProtocolVersion,
                 AllowInsecureConnections = AllowInsecureConnections,
+                DisableTLSCertificateValidation = DisableTLSCertificateValidation,
             };
         }
     }

src/NuGet.Core/NuGet.Configuration/PackageSource/PackageSourceProvider.cs

@@ -244,6 +244,7 @@ internal static PackageSource ReadPackageSource(SourceItem setting, bool isEnabl
 
             packageSource.ProtocolVersion = ReadProtocolVersion(setting);
             packageSource.AllowInsecureConnections = ReadAllowInsecureConnections(setting);
+            packageSource.DisableTLSCertificateValidation = ReadDisableTLSCertificateValidation(setting);
 
             return packageSource;
         }
@@ -258,6 +259,16 @@ private static int ReadProtocolVersion(SourceItem setting)
             return PackageSource.DefaultProtocolVersion;
         }
 
+        private static bool ReadDisableTLSCertificateValidation(SourceItem setting)
+        {
+            if (bool.TryParse(setting.DisableTLSCertificateValidation, out var disableTLSCertificateValidation))
+            {
+                return disableTLSCertificateValidation;
+            }
+
+            return PackageSource.DefaultDisableTLSCertificateValidation;
+        }
+
         private static bool ReadAllowInsecureConnections(SourceItem setting)
         {
             if (bool.TryParse(setting.AllowInsecureConnections, out var allowInsecureConnections))

src/NuGet.Core/NuGet.Configuration/PublicAPI.Unshipped.txt

@@ -1 +1,7 @@
 #nullable enable
+NuGet.Configuration.PackageSource.DisableTLSCertificateValidation.get -> bool
+NuGet.Configuration.PackageSource.DisableTLSCertificateValidation.set -> void
+NuGet.Configuration.SourceItem.DisableTLSCertificateValidation.get -> string?
+NuGet.Configuration.SourceItem.DisableTLSCertificateValidation.set -> void
+NuGet.Configuration.SourceItem.SourceItem(string! key, string! value, string? protocolVersion, string? allowInsecureConnections, string? disableTLSCertificateValidation) -> void
+static readonly NuGet.Configuration.ConfigurationConstants.DisableTLSCertificateValidation -> string!

src/NuGet.Core/NuGet.Configuration/Settings/Items/SourceItem.cs

@@ -35,17 +35,36 @@ public string? AllowInsecureConnections
             set => AddOrUpdateAttribute(ConfigurationConstants.AllowInsecureConnections, value);
         }
 
+        public string? DisableTLSCertificateValidation
+        {
+            get
+            {
+                if (Attributes.TryGetValue(ConfigurationConstants.DisableTLSCertificateValidation, out var attribute))
+                {
+                    return Settings.ApplyEnvironmentTransform(attribute);
+                }
+
+                return null;
+            }
+            set => AddOrUpdateAttribute(ConfigurationConstants.DisableTLSCertificateValidation, value);
+        }
+
         public SourceItem(string key, string value)
-            : this(key, value, protocolVersion: "", allowInsecureConnections: "")
+            : this(key, value, protocolVersion: "", allowInsecureConnections: "", disableTLSCertificateValidation: "")
         {
         }
 
         public SourceItem(string key, string value, string? protocolVersion)
-            : this(key, value, protocolVersion, allowInsecureConnections: "")
+            : this(key, value, protocolVersion, allowInsecureConnections: "", disableTLSCertificateValidation: "")
         {
         }
 
         public SourceItem(string key, string value, string? protocolVersion, string? allowInsecureConnections)
+            : this(key, value, protocolVersion, allowInsecureConnections, disableTLSCertificateValidation: "")
+        {
+        }
+
+        public SourceItem(string key, string value, string? protocolVersion, string? allowInsecureConnections, string? disableTLSCertificateValidation)
             : base(key, value)
         {
             if (!string.IsNullOrEmpty(protocolVersion))
@@ -56,6 +75,10 @@ public SourceItem(string key, string value, string? protocolVersion, string? all
             {
                 AllowInsecureConnections = allowInsecureConnections;
             }
+            if (!string.IsNullOrEmpty(disableTLSCertificateValidation))
+            {
+                DisableTLSCertificateValidation = disableTLSCertificateValidation;
+            }
         }
 
         internal SourceItem(XElement element, SettingsFile origin)
@@ -65,7 +88,7 @@ internal SourceItem(XElement element, SettingsFile origin)
 
         public override SettingBase Clone()
         {
-            var newSetting = new SourceItem(Key, Value, ProtocolVersion, AllowInsecureConnections);
+            var newSetting = new SourceItem(Key, Value, ProtocolVersion, AllowInsecureConnections, DisableTLSCertificateValidation);
 
             if (Origin != null)
             {

src/NuGet.Core/NuGet.Configuration/Utility/ConfigurationContants.cs

@@ -53,6 +53,8 @@ public static class ConfigurationConstants
 
         public static readonly string DisabledPackageSources = "disabledPackageSources";
 
+        public static readonly string DisableTLSCertificateValidation = "disableTLSCertificateValidation";
+
         public static readonly string DoNotShowPackageManagementSelectionKey = "disabled";
 
         public static readonly string Enabled = "enabled";

src/NuGet.Core/NuGet.Protocol/HttpSource/HttpHandlerResourceV3Provider.cs

@@ -6,6 +6,8 @@
 using System.Linq;
 using System.Net;
 using System.Net.Http;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using NuGet.Configuration;
@@ -17,6 +19,11 @@ public class HttpHandlerResourceV3Provider : ResourceProvider
     {
         private readonly IProxyCache _proxyCache;
 
+#if NETSTANDARD2_0
+        internal static Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> DangerousAcceptAnyServerCertificateValidator =
+            (message, certificate, chain, policyErrors) => true;
+#endif
+
         public HttpHandlerResourceV3Provider()
             : this(ProxyCache.Instance)
         {
@@ -56,6 +63,18 @@ private HttpHandlerResourceV3 CreateResource(PackageSource packageSource)
                 AutomaticDecompression = (DecompressionMethods.GZip | DecompressionMethods.Deflate),
             };
 
+#if NETSTANDARD2_0
+            if (packageSource.DisableTLSCertificateValidation)
+            {
+                clientHandler.ServerCertificateCustomValidationCallback = DangerousAcceptAnyServerCertificateValidator;
+            }
+#else
+            if (packageSource.DisableTLSCertificateValidation)
+            {
+                clientHandler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
+            }
+#endif
+
 #if IS_DESKTOP
             if (packageSource.MaxHttpRequestsPerSource > 0)
             {

test/NuGet.Clients.Tests/NuGet.PackageManagement.VisualStudio.Test/Services/NuGetSourcesServiceTests.cs

@@ -168,5 +168,42 @@ public async Task Save_SourceWithDifferentAllowInsecureConnections_SavesNewValue
             savedSources[0].ProtocolVersion.Should().Be(3);
             savedSources[0].AllowInsecureConnections.Should().Be(true);
         }
+
+        [Fact]
+        public async Task Save_SourceWithDifferentDisableTLSCertificateVerification_SavesNewValue()
+        {
+            PackageSource packageSource = new(name: "Source-Name", source: "Source-Path")
+            {
+                ProtocolVersion = 3,
+                DisableTLSCertificateValidation = false
+            };
+
+            Mock<IPackageSourceProvider> packageSourceProvider = new();
+            packageSourceProvider.Setup(psp => psp.LoadPackageSources())
+                .Returns(new[] { packageSource });
+
+            List<PackageSource>? savedSources = null;
+            packageSourceProvider.Setup(psp => psp.SavePackageSources(It.IsAny<IEnumerable<PackageSource>>()))
+                .Callback((IEnumerable<PackageSource> newSources) => { savedSources = newSources.ToList(); });
+
+            var target = new NuGetSourcesService(options: default,
+                Mock.Of<IServiceBroker>(),
+                new AuthorizationServiceClient(Mock.Of<IAuthorizationService>()),
+                packageSourceProvider.Object);
+
+            List<PackageSourceContextInfo> updatedSources = new(1)
+            {
+                new PackageSourceContextInfo(packageSource.Source, packageSource.Name, packageSource.IsEnabled, protocolVersion: 3, allowInsecureConnections: false, disableTLSCertificateValidation: true)
+            };
+
+            // Act
+            await target.SavePackageSourceContextInfosAsync(updatedSources, CancellationToken.None);
+
+            // Assert
+            savedSources.Should().NotBeNull();
+            savedSources!.Count.Should().Be(1);
+            savedSources[0].ProtocolVersion.Should().Be(3);
+            savedSources[0].DisableTLSCertificateValidation.Should().Be(true);
+        }
     }
 }