Security consequences of disabling CURLOPT_SSL_VERIFYPEER (libcurl/openssl)


Question


I know from this thread what attacks are possible when CURLOPT_SSL_VERIFYHOST is disabled. I'd like to know what attacks are possible when VERIFYPEER, not _VERIFYHOST, is disabled. Is it an acceptable risk for payments with credit cards?


(the reason I ask is because my code works only with _VERIFYPEER disabled, though nobody seems to know why)

Recommended answer


If you disable CURLOPT_SSL_VERIFYPEER, curl will not check that the certificate is actually signed by a trusted authority. This is very dangerous! In a MITM situation, without VERIFYPEER, the attacker can simply substitute his own "self-signed" certificate for the real certificate, and as long as the host name matches (which he can always do, since he's making the certificate), your app will accept it.


Your code is likely failing because you don't have the CA certificate store set up, and the server you are talking to is signed by a CA not in curl's default repository. Consider using CURLOPT_CAINFO or CURLOPT_CAPATH to specify the certificates to verify against, and ensure that the certificates you are using for verification are accessible and match the target server's certificates.
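The three situations the answer describes (verification switched off, verification on against a store that lacks the right CA, and verification on with the CA supplied) can be reproduced locally. The following is an added example, not code from the original question or answer, and it uses Python's ssl module rather than libcurl: the mapping VERIFYPEER=0 to ssl.CERT_NONE, VERIFYPEER=1 to ssl.CERT_REQUIRED and CURLOPT_CAINFO to load_verify_locations(cafile=...) is an assumption of this example, as is the availability of the openssl command-line tool (1.1.1 or later, for -addext) to mint a constructed self-signed certificate for a throw-away local server.

```python
"""Added example (not from the original Q&A): what CURLOPT_SSL_VERIFYPEER
actually decides, reproduced with Python's ssl module against a local TLS
server that presents a constructed self-signed certificate.

Assumptions: the `openssl` CLI (1.1.1+ for -addext) is on PATH; the mapping
VERIFYPEER=0 -> CERT_NONE, VERIFYPEER=1 -> CERT_REQUIRED, CAINFO ->
load_verify_locations(cafile=...) is ours, not libcurl's own code.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(tmpdir):
    """Mint a throw-away self-signed cert for 'localhost' (constructed test data)."""
    key = os.path.join(tmpdir, "key.pem")
    cert = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", cert, "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return cert, key


def client_context(verify_peer, cafile=None):
    """Build a client context the way the curl options would configure it."""
    ctx = ssl.create_default_context()  # VERIFYPEER=1, VERIFYHOST=2, system CA store
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # equivalent of CURLOPT_CAINFO
    if not verify_peer:
        # CURLOPT_SSL_VERIFYPEER=0: any certificate, signed by anyone, is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


class _Server(threading.Thread):
    """Stand-in for a misconfigured (or impersonating) server: self-signed cert."""

    def __init__(self, cert, key, connections):
        super().__init__(daemon=True)
        self.connections = connections
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(cert, key)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(10)
        self.port = self.sock.getsockname()[1]

    def run(self):
        try:
            for _ in range(self.connections):
                conn, _ = self.sock.accept()
                try:
                    with self.ctx.wrap_socket(conn, server_side=True) as tls:
                        tls.recv(16)
                except (ssl.SSLError, OSError):
                    pass  # client refused our certificate; expected when verifying
        finally:
            self.sock.close()


def try_connect(port, ctx):
    """Return 'connected' or 'rejected: <reason>' for one handshake attempt."""
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"hello")
            return "connected"
    except ssl.SSLCertVerificationError as exc:
        return f"rejected: {exc.verify_message}"


def run_demo():
    """Run the three client configurations against the self-signed server."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        server = _Server(cert, key, connections=3)
        server.start()
        results = {
            # VERIFYPEER off: the self-signed cert is accepted (the MITM case).
            "verify_peer_off": try_connect(server.port, client_context(False)),
            # VERIFYPEER on, default store: fails exactly like the asker's code.
            "verify_peer_on_default_store": try_connect(server.port, client_context(True)),
            # VERIFYPEER on plus CAINFO naming the right CA: the actual fix.
            "verify_peer_on_cainfo": try_connect(server.port, client_context(True, cafile=cert)),
        }
        server.join(timeout=10)
        return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:30s} {outcome}")
```

The second outcome is the one the asker is seeing: the handshake is rejected not because the connection is broken but because nothing in the trust store vouches for the server's certificate. The third outcome is the fix the answer recommends; with libcurl in C the equivalent is to keep CURLOPT_SSL_VERIFYPEER at 1L and point CURLOPT_CAINFO at a PEM bundle containing the issuing CA, and a CURLE_PEER_FAILED_VERIFICATION result should be logged and investigated rather than silenced by turning verification off.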
