Disable SSL/TLS certificate validation in Network.HTTP.Conduit


Problem description

I use the http-conduit library version 2.0+ to fetch the contents from a http:// URL:

import Network.HTTP.Conduit
myurl = ... -- Your URL goes here
main = do content <- simpleHttp myurl
          print $ content

When running this program, I get this error:

*** Exception: TlsException (HandshakeFailed (Error_Protocol
      ("certificate rejected: certificate is not allowed to sign another certificate",
        True,CertificateUnknown)))

As can be told from the error message, the problem is the inability of Network.HTTP.Conduit to validate the server certificate appropriately (in this case, there seem to be problems in the certificate chain).

How can I change the above code to ignore the certificate error (i.e. by not verifying certificates at all)?

Recommended answer

simpleHttp itself does not support this feature. You'll need to create a manager with modified ManagerSettings and then use that to fetch the URL.

Note that this code only applies to http-conduit version 2.0+ -- the library version 1 has a similar yet different API for this purpose.

import Network.HTTP.Conduit
import Network.Connection
import qualified Data.ByteString.Lazy.Char8 as LB

myurl = ... -- Your URL goes here

-- | Get a new Manager that doesn't verify SSL certificates
noSSLVerifyManager :: IO Manager
noSSLVerifyManager = let tlsSettings = TLSSettingsSimple {
                            -- This is where we disable certificate verification
                            settingDisableCertificateValidation = True,
                            settingDisableSession=False,
                            settingUseServerName=True}
                     in newManager $ mkManagerSettings tlsSettings Nothing

-- | Download like with simpleHttp, but using an existing manager for the task
simpleHttpWithManager :: Manager -> String -> IO LB.ByteString
simpleHttpWithManager manager url = do url' <- parseUrl url
                                       fmap responseBody $ httpLbs url' manager

main = do manager <- noSSLVerifyManager
          content <- simpleHttpWithManager manager myurl
          print $ content

Note that you should only disable SSL certificate verification if absolutely necessary, as it makes you vulnerable to man-in-the-middle attacks.
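
An alternative that keeps validation on, as an added example that is not part of the original answer: when the chain fails because the server uses a private or incomplete CA chain, the manager can validate against a CA bundle you supply. The names `customCAManager` and `ca-bundle.pem` and the URL are assumptions of this example, and it assumes the tls, x509-store and connection packages as used by http-conduit 2.x.

```haskell
import qualified Data.ByteString as B
import qualified Data.ByteString.Lazy.Char8 as LB
import Data.X509.CertificateStore (readCertificateStore)
import Network.Connection (TLSSettings (TLSSettings))
import Network.HTTP.Conduit
import qualified Network.TLS as TLS
import qualified Network.TLS.Extra.Cipher as TLS

-- | Get a Manager that still verifies certificates, but against the PEM
-- bundle at caFile (hypothetical path) instead of the system trust store.
customCAManager :: FilePath -> IO Manager
customCAManager caFile = do
    mstore <- readCertificateStore caFile
    -- Fail closed: without a usable trust store we do not connect at all.
    store <- maybe (fail ("no certificates could be read from " ++ caFile))
                   return mstore
    let -- Placeholder identification; the connection library sets the real
        -- host and port on these parameters for every connection it opens.
        base = TLS.defaultParamsClient "" B.empty
        params = base
            { TLS.clientShared = (TLS.clientShared base)
                { TLS.sharedCAStore = store }
            , TLS.clientSupported = (TLS.clientSupported base)
                { TLS.supportedCiphers = TLS.ciphersuite_default }
            }
    -- Chain and hostname checks stay enabled; only the set of trusted
    -- roots has changed.
    newManager $ mkManagerSettings (TLSSettings params) Nothing

main :: IO ()
main = do
    manager <- customCAManager "ca-bundle.pem"        -- assumed file name
    request <- parseUrl "https://internal.example/"   -- placeholder URL
    response <- httpLbs request manager
    LB.putStrLn (responseBody response)
```

A handshake against a server whose chain does not lead to a certificate in the bundle still raises the `TlsException` shown in the question.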
