Add verify_server_cert flag to hq CLI for server certificate verification

Summary:
This change adds a new command line flag `--verify_server_cert` to the hq CLI tool for MVFST that allows enabling server certificate verification. The flag defaults to `false` to maintain backward compatibility.

## Changes Made:
1. Added `DEFINE_bool(verify_server_cert, false, ...)` flag to HQCommandLine.cpp
2. Added `bool verifyServerCert` field to HQToolClientParams struct in HQCommandLine.h
3. Modified HQClient::initializeQuicClient() to conditionally bypass InsecureVerifier when the flag is set to true
4. Updated command line processing to propagate the flag value through HQParams

## Behavior:
- When `--verify_server_cert=false` (default): Uses InsecureVerifier, bypassing certificate validation (existing behavior)
- When `--verify_server_cert=true`: Omits InsecureVerifier, enabling proper certificate validation

The implementation maintains backward compatibility by defaulting to false, preserving the existing insecure behavior unless explicitly enabled.

Reviewed By: lnicco

Differential Revision: D78852031

fbshipit-source-id: 3178acfd2a15ec0007a1e61d6f5d3363d55c31d1

Author: jbeshay

proxygen/httpserver/samples/hq/HQClient.cpp

@@ -276,17 +276,22 @@ void HQClient::connectError(const quic::QuicError& error) {
 
 void HQClient::initializeQuicClient() {
   auto sock = std::make_unique<FollyQuicAsyncUDPSocket>(qEvb_);
-  auto client = std::make_shared<quic::QuicClientTransport>(
-      qEvb_,
-      std::move(sock),
+  auto handshakeContextBuilder =
       quic::FizzClientQuicHandshakeContext::Builder()
           .setFizzClientContext(
               createFizzClientContext(params_, params_.earlyData))
-          .setCertificateVerifier(
-              std::make_unique<
-                  proxygen::InsecureVerifierDangerousDoNotUseInProduction>())
-          .setPskCache(params_.pskCache)
-          .build());
+          .setPskCache(params_.pskCache);
+
+  if (!params_.verifyServerCert) {
+    handshakeContextBuilder =
+        std::move(handshakeContextBuilder)
+            .setCertificateVerifier(
+                std::make_unique<
+                    proxygen::InsecureVerifierDangerousDoNotUseInProduction>());
+  }
+
+  auto client = std::make_shared<quic::QuicClientTransport>(
+      qEvb_, std::move(sock), std::move(handshakeContextBuilder).build());
   client->setPacingTimer(pacingTimer_);
   client->setHostname(params_.host);
   client->addNewPeerAddress(params_.remoteAddress.value());

proxygen/httpserver/samples/hq/HQCommandLine.cpp

@@ -78,6 +78,9 @@ DEFINE_bool(pacing, false, "Whether to enable pacing on HQServer");
 DEFINE_int32(pacing_timer_tick_interval_us, 200, "Pacing timer resolution");
 DEFINE_string(psk_file, "", "Cache file to use for QUIC psks");
 DEFINE_bool(early_data, false, "Whether to use 0-rtt");
+DEFINE_bool(verify_server_cert,
+            false,
+            "Whether HQClient should verify server certificates");
 DEFINE_uint32(quic_batching_mode,
               static_cast<uint32_t>(quic::QuicBatchingMode::BATCHING_MODE_NONE),
               "QUIC batching mode");
@@ -377,6 +380,7 @@ void initializeHttpClientSettings(HQToolClientParams& hqParams) {
   folly::split(',', FLAGS_gap_ms, hqParams.requestGaps);
 
   hqParams.earlyData = FLAGS_early_data;
+  hqParams.verifyServerCert = FLAGS_verify_server_cert;
   hqParams.migrateClient = FLAGS_migrate_client;
   hqParams.txnTimeout = std::chrono::milliseconds(FLAGS_txn_timeout);
   hqParams.httpVersion.parse(FLAGS_httpversion);

proxygen/httpserver/samples/hq/HQCommandLine.h

@@ -25,6 +25,7 @@ struct HQToolClientParams : public HQBaseParams {
 
   folly::Optional<folly::SocketAddress> remoteAddress;
   bool earlyData;
+  bool verifyServerCert;
   std::chrono::milliseconds connectTimeout;
   proxygen::HTTPHeaders httpHeaders;
   std::string httpBody;