是否建议禁用ssl验证而不是在生产中提供ca证书?
我们的客户为其中一项内部服务提供了自签名证书。我们正在使用 curl 在我们的 shell 脚本中访问此服务。为了连接到该服务,我们需要在 curl 命令中提供 certiface,或者我们可以在 curl 命令中使用 -k 禁用 ssl 验证。我们想知道在生产中禁用 ssl 验证是否安全?
回答
不
禁用证书验证将从 HTTPS 连接中删除所有安全属性。强烈建议您不要禁用它。
- Yes, but "privacy" and "integrity" usually mean that you protect those two properties **against** adversaries. When you drop authentication checks, you might feed your privacy and integrity straight to the adversaries. And you won't know. Thus, you're not protected.
- Not it doesn't. Since you don't know **who** you're communicating with, the privacy and integrity properties are lost too. You might be talking to an impostor.
- @kevinnls: verifying the certificate is the only way you can be really sure that nobody has hijacked the IP or spoofed the name or whatever.
- "your conversation with that imposter is still private and still has integrity" No : you don't know what your imposter is doing, if it's an insecure MitM, your communications with that imposter is neither private nor has integrity!