If CURLOPT_SSL_VERIFYPEER is false, is the data transfer no longer secure?


Problem description


I've recently run into a problem posting data to a server whose SSL certificate was updated. I did some research and I found that when CURLOPT_SSL_VERIFYPEER is set to false, post data goes through successfully. Can somebody explain the relationship between CURLOPT_SSL_VERIFYPEER and _VERIFYHOST? Also, if I set VERIFYPEER to false, am I no longer transmitting the data over a secure connection?

Thanks a ton for any help anyone can give.

Solution

The connection will still be SSL encrypted. You just won't be doing it on a link that uses validated-as-correct certificates. Anyone can create themselves an SSL certificate which will do perfectly acceptable encryption at whatever level your browser and the webserver support.

However, what you will get is many complaints about not being able to verify the certificate's authenticity. This is to prevent Joe M. Alicious from creating themselves a certificate claiming to be "microsoft.com" and setting up their own Windows Update host. The cert will say it's microsoft.com, but it cannot be authenticated as actually being microsoft.com, as Verisign (or whoever) did not actually issue that cert and put their own stamp of authenticity (signing the cert) on it.

_VERIFYHOST is there to check that the hostname of the URL you're connecting to (e.g. "microsoft.com") is listed within the SSL cert. With this option set to false, url/cert hostname mismatches will be ignored (say, you've got a development box at testbox.develhost.com, but are using your client's real valid 'example.com' cert).

_VERIFYPEER disables validating the entire certificate. This allows self-signed certs to work. Otherwise the SSL library will barf saying that the cert's issuer isn't valid.

But regardless of either setting, if you force through a connection, it WILL be SSL encrypted.
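
The two checks described in the answer can be exercised separately to find out which one an updated certificate is failing. The following is an added example, not part of the original answer: it assumes PHP's cURL extension, `probe_tls()` is a hypothetical helper, and the URL and CA bundle path are placeholders.

```php
<?php
// Added example: diagnostic helper, not code from the original answer.
// probe_tls() is a hypothetical name; the URL and CA bundle path are placeholders.

function probe_tls(string $url, bool $verifyPeer, int $verifyHost, ?string $caBundle = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,  // headers only; the TLS handshake is what matters
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => $verifyPeer,  // is the chain signed by a trusted CA?
        CURLOPT_SSL_VERIFYHOST => $verifyHost,  // 2 = URL host must be named in the cert, 0 = skip
    ]);
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);  // trust store used for the chain check
    }
    $ok = curl_exec($ch) !== false;
    return ['ok' => $ok, 'errno' => curl_errno($ch), 'error' => curl_error($ch)];
}

$url = 'https://api.example.com/';            // placeholder endpoint
$ca  = '/etc/ssl/certs/ca-certificates.crt';  // assumed CA bundle location

$strict    = probe_tls($url, true, 2, $ca);   // the only configuration to ship
$chainOnly = probe_tls($url, true, 0, $ca);   // diagnosis: chain check alone
$nameOnly  = probe_tls($url, false, 2);       // diagnosis: hostname check alone

if ($strict['ok']) {
    echo "Chain and hostname both verify; no option needs changing.\n";
} elseif ($chainOnly['ok']) {
    echo "Chain is trusted, but the URL host is not named in the certificate.\n";
    echo "Fix the URL or have the certificate reissued with the right name.\n";
} elseif ($nameOnly['ok']) {
    echo "Hostname matches, but the chain does not lead to a trusted CA.\n";
    echo "Update the CA bundle, or have the server send its intermediate certificate.\n";
} else {
    echo "Both checks fail, or the failure is not certificate-related: ";
    echo "{$strict['error']} (errno {$strict['errno']})\n";
}
```

The relaxed probes only locate the failing check; once the cause is fixed, the request runs with `CURLOPT_SSL_VERIFYPEER` set to true and `CURLOPT_SSL_VERIFYHOST` set to 2.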
