Security consequences of disabling CURLOPT_SSL_VERIFYPEER (libcurl/openssl)


Question


I know from this thread what attacks are possible when CURLOPT_SSL_VERIFYHOST is disabled. I'd like to know what attacks are possible when VERIFYPEER, not _VERIFYHOST, is disabled. Is it an acceptable risk for payments with credit cards?


(the reason I ask is because my code works only with _VERIFYPEER disabled, though nobody seems to know why)

Answer


If you disable CURLOPT_SSL_VERIFYPEER, curl will not check that the certificate is actually signed by a trusted authority. This is very dangerous! In a MITM situation, without VERIFYPEER, the attacker can simply substitute his own "self-signed" certificate for the real certificate, and as long as the host name matches (which he can always do, since he's making the certificate), your app will accept it.


Your code is likely failing because you don't have the CA certificate store set up, and the server you are talking to is signed by a CA not in curl's default repository. Consider using CURLOPT_CAINFO or CURLOPT_CAPATH to specify the certificates to verify against, and ensure that the certificates you are using for verification are accessible and match the target server's certificates.
