忽略 SSL 证书验证的含义是什么? [英] What are the implications of ignoring SSL certificate verification?

问题描述

我对 Python 的请求库中的 SSL 验证有疑问，但我认为这比这更笼统.

I have a question regarding SSL verification within the requests library for Python, but I believe it to me more general than that.

我目前忽略证书验证，因为我需要连接的第三方 API 使用的是自签名证书.

I am currently ignoring certificate verification because the third party API I need to connect to is using a self-signed certificate.

在请求中关闭 SSL 验证有什么影响?以及在现实世界中不验证 SSL 证书的含义是什么.我可以保证传输的数据是安全/加密的吗?

What are the implications for turning SSL verification off in requests? And what are the implications for not verifying SSL certificates in the real-world. Can I gaurantee the data transported is secure/encrypted?

推荐答案

这是一个安全问题，因为任何人都可以欺骗此证书并拦截您的流量.您应该只将自签名证书添加到使用 API 的机器的可信证书链中.您如何执行此操作取决于操作系统和特定设置，但快速 google 将引导您找到正确的解决方案.

This is a security sin, as anyone could spoof this certificate and intercept your traffic. You should just add the self-signed certificate to the trusted certificate chain of the machine which is using the API. How you do that depends on the operating system and specific setup, but a quick google will guide you to the right solution.

这篇关于忽略 SSL 证书验证的含义是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！