Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)


Question

What are the security consequences of Enabling CURLOPT_SSL_VERIFYPEER and Disabling CURLOPT_SSL_VERIFYHOST?

Recommended answer


  • CURLOPT_SSL_VERIFYPEER

    CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you wanted to talk to.

    To compare it to a real-life scenario, VERIFYPEER is like checking that the form of ID is one that you recognise (i.e. passport from a country you trust, staff card from a company you know, ...). VERIFYHOST is like checking the actual name on the card matches who you wanted to talk to.

    If you don't use VERIFYHOST (the correct value is 2, not 1, btw), you disable host name verification and open the door to MITM attacks: anyone with a form of ID you trust can impersonate anyone within the set of IDs you trust, e.g. anyone with a valid passport could pretend they're anyone else with a valid passport.
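
As an added example (not part of the original answer and not libcurl code), the following Python script audits C or PHP source for call sites that set CURLOPT_SSL_VERIFYHOST to anything other than the value 2 named in the answer, or that switch CURLOPT_SSL_VERIFYPEER off. The `audit` helper and the sample lines are constructed for illustration.

```python
import re

# Matches the option name followed by its value, either as a call argument
# (curl_easy_setopt in C, curl_setopt in PHP) or in a PHP option array ("=>").
_SETTING = re.compile(
    r"CURLOPT_SSL_(VERIFYHOST|VERIFYPEER)\s*(?:,|=>)\s*([A-Za-z0-9_]+)"
)

# Values that keep each check on. For VERIFYHOST the answer above gives 2 as
# the correct value, so 0, 1, false and true are all reported. Non-literal
# values (variables, constants) are reported too, for manual review.
_SAFE = {
    "VERIFYHOST": {"2", "2l"},
    "VERIFYPEER": {"1", "1l", "true"},
}


def audit(source):
    """Return (line_number, option, value) for every setting that weakens a check."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for option, value in _SETTING.findall(line):
            if value.lower() not in _SAFE[option]:
                findings.append((number, "CURLOPT_SSL_" + option, value))
    return findings


# Constructed sample input, not taken from any real code base.
SAMPLE = """\
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_easy_setopt(other, CURLOPT_SSL_VERIFYHOST, 2L);
$opts = [CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 2];
"""

if __name__ == "__main__":
    for number, option, value in audit(SAMPLE):
        print(f"line {number}: {option} set to {value}")
```

The second sample line is the configuration the question asks about: the certificate chain is still validated, but the name on the certificate is never compared with the host being contacted.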
