node.js TLS: what exactly does 'rejectUnauthorized' mean for me?

Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow. Original address: http://stackoverflow.com/questions/31861109/

Time: 2020-09-02 19:13:12  Source: igfitidea

TLS what exactly does 'rejectUnauthorized' mean for me?

node.js, ssl

Asked by Breedly

So, I was having an issue earlier today where my client, written in node, was barfing because the server I was connecting to used self-signed certs. So, I went and added the option rejectUnauthorized: false to my tls.connect command like any unwitting developer would do.


My question is now, what the hell does this mean for me? Is my TLS connection just a vanilla TCP connection that can also possibly be a TLS connection? Is writing this as a TLS stream totally useless?


More importantly, that server, you know the one with the self-signed certs? Is my stream between here and there actually encrypted?


Answered by mscdex

As described in the documentation:


  • rejectUnauthorized: If true, the server certificate is verified against the list of supplied CAs. An error event is emitted if verification fails; err.code contains the OpenSSL error code. Default: true.

Since you're using self-signed certificates, obviously there won't be a match with the built-in CAs, so by default the connection would be rejected because it cannot verify the server is who they say they are.


By setting rejectUnauthorized: false, you're saying "I don't care if I can't verify the server's identity." Obviously this is not a good solution as it leaves you vulnerable to MITM attacks.


A better solution for self-signed certificates is to set the appropriate ca value to your custom CA when connecting client-side. Also, make sure your host value matches that of the Common Name of the server's self-signed certificate. For example:


var tls = require('tls');
var fs = require('fs');

var socket = tls.connect({
  host: 'MyTLSServer',               // must match the name in the server's certificate
  port: 1337,
  ca: [ fs.readFileSync('CA.pem') ], // trust your own CA instead of the built-in bundle
  // rejectUnauthorized is left at its default (true), so verification stays enforced
}, function() {
  // Connected!
});

// ...

No matter if you use rejectUnauthorized: false or set ca, the connection is encrypted.
