禁用 CURLOPT_SSL_VERIFYHOST (libcurl/openssl) 的安全后果 [英] Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)

问题描述

启用 CURLOPT_SSL_VERIFYPEER 和禁用 CURLOPT_SSL_VERIFYHOST 的安全后果是什么?

What are the security consequences of Enabling CURLOPT_SSL_VERIFYPEER and Disabling CURLOPT_SSL_VERIFYHOST?

推荐答案

• CURLOPT_SSL_VERIFYPEER 检查远程证书是否有效，即您相信它是由您信任的 CA 颁发的，并且是真实的.

  • CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, i.e. that you trust that it was issued by a CA you trust and that it's genuine.

    CURLOPT_SSL_VERIFYHOST 检查证书是否已颁发给您想与之交谈的实体.

    CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you wanted to talk to.

    为了将其与现实生活场景进行比较，VERIFYPEER 就像检查 ID 的形式是否是您可识别的形式(即来自您信任的国家/地区的护照、您认识的公司的员工卡等).VERIFYHOST 就像检查卡片上的真实姓名是否匹配您想与之交谈的人.

    To compare it to a real-life scenario, VERIFYPEER is like checking that the form of ID is one that you recognise (i.e. passport from a country you trust, staff card from a company you know, ...). VERIFYHOST is like checking the actual name on the card matches who you wanted to talk to.

    如果您不使用 VERIFYHOST(正确的值是 2，而不是 1，顺便说一句)，您将禁用主机名验证并为 MITM 攻击打开大门:任何拥有您信任的 ID 形式的人都可以冒充集合中的任何人您信任的 ID，例如任何持有有效护照的人都可以假装他们是其他持有有效护照的人.

    If you don't use VERIFYHOST (the correct value is 2, not 1, btw), you disable host name verification and open the door to MITM attacks: anyone with a form of ID you trust can impersonate anyone within the set of IDs you trust, e.g. anyone with a valid passport could pretend they're anyone else with a valid passport.

    这篇关于禁用 CURLOPT_SSL_VERIFYHOST (libcurl/openssl) 的安全后果的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！