TLS what exactly does 'rejectUnauthorized' mean for me?

Views: 485

Question

So, I was having an issue earlier today where my client, written in node, was barfing because the server I was connecting to used self signed certs. So, I went and added the option rejectUnauthorized: false to my tls.connect command like any unwitting developer would do.

My question is now, what the hell does this mean for me? Is my TLS connection just a vanilla TCP connection that can also possibly be a TLS connection? Is writing this as a TLS stream totally useless?

More importantly, that server, you know the one with the self-signed certs? Is my stream between here and there actually encrypted?

Answer

As stated in the documentation:

  • rejectUnauthorized: If true, the server certificate is verified against the list of supplied CAs. An error event is emitted if verification fails; err.code contains the OpenSSL error code. Default: true.

Since you're using self-signed certificates, obviously there won't be a match with the built-in CAs, so by default the connection would be rejected because it cannot verify the server is who they say they are.

By setting rejectUnauthorized: false, you're saying "I don't care if I can't verify the server's identity." Obviously this is not a good solution as it leaves you vulnerable to MITM attacks.

A better solution for self-signed certificates is to set the appropriate ca value to your custom CA when connecting client-side. Also, make sure your host value matches that of the Common Name of the server's self-signed certificate. For example:

var tls = require('tls');
var fs = require('fs');

var socket = tls.connect({
  host: 'MyTLSServer',                 // must match the name in the server's certificate
  port: 1337,
  ca: [ fs.readFileSync('CA.pem') ],   // trust only our own CA; rejectUnauthorized keeps its default (true)
}, function() {
  // Connected, and the server's certificate chained to CA.pem
});

// ...

No matter if you use rejectUnauthorized: false or set ca, the connection is encrypted.

