堆栈内存溢出
  简体   繁体   English

如何为任何请求禁用 SSL 验证?

[英]How to disable SSL verification for any request?

 原文  2018-12-12 05:02:21       node.js/ api/ ssl/ postman

问题描述

I have a Node.JS service running, which I am trying to connect from a different system.我有一个 Node.JS 服务正在运行,我正在尝试从不同的系统进行连接。 Currently using POSTMAN to test the service.目前使用 POSTMAN 来测试服务。 Postman gives an error - There was an error connecting to https://lddbbtx.wdf......./index.xsjs.邮递员给出错误 - There was an error connecting to https://lddbbtx.wdf......./index.xsjs. Now, I retried the request by disabling 'SSL certification verification' option in Postman and it seems to work.现在,我通过禁用 Postman 中的“SSL 证书验证”选项重试了该请求,它似乎有效。 I can receive the response from the service.我可以收到服务的响应。

But in production, we will be using Recast.AI to connect to this service.但在生产中,我们将使用 Recast.AI 连接到此服务。 In Recast, they provide a means to set Headers for the GET/POST requests .在 Recast 中,它们提供了一种为 GET/POST 请求设置标头的方法。 SO , I wanted to know, is there a way to disable the SSL verification in the header of the request ?所以,我想知道,有没有办法在请求的标头中禁用 SSL 验证?

1 个解决方案

解决方案1
 0  2018-12-12 05:19:26

... is there a way to disable the SSL verification in the header of the request ? ...有没有办法在请求的标头中禁用 SSL 验证?

Validation of the server certificate is done at the client side.服务器证书的验证在客户端完成。 It is done during the TLS handshake and thus before any HTTP request is send.它在 TLS 握手期间完成,因此在发送任何 HTTP 请求之前完成。 Disabling validation cannot be triggered by the server since otherwise a man in the middle attacker could simply instruct the victim to not check the certificate.服务器不能触发禁用验证,否则中间攻击者可以简单地指示受害者不要检查证书。

In general - disabling validation or even part of the validation (like checking that hostname in URL matches certificate) is a very bad idea.一般来说 - 禁用验证甚至部分验证(例如检查 URL 中的主机名是否与证书匹配)是一个非常糟糕的主意。 With disabled certificate validation the transport is still encrypted but the client does not check that it actually communicates with the expected server.在禁用证书验证的情况下,传输仍然是加密的,但客户端不会检查它是否确实与预期的服务器通信。 This way an attacker could do a simple man in the middle attack to impersonate the server and thus sniff and also modify all traffic.这样,攻击者可以进行简单的中间人攻击来冒充服务器,从而嗅探并修改所有流量。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何禁用SSL验证Node.js回送请求插件 - How to disable SSL verification nodejs Loopback Request Plugin 如何在 node.js 中禁用 SSL 验证 - How to disable SSL verification in node.js 在axios中禁用SSL认证验证 - disable SSL certification verification in axios 节点获取:禁用 SSL 验证 - Node-fetch: Disable SSL verification SSL 证书 - 在 axios 中禁用验证并做出反应 - SSL certificate - disable verification in axios and react 如何以编程方式使用certbot启用/禁用SSL - How to programmatically use certbot to enable/disable SSL 如何在nodejs中禁用SSL 3.0和TLS 1.0 - How to disable the SSL 3.0 and TLS 1.0 in nodejs 如何使用 Typescript 在 Twilio API 的电话验证中通过发布请求 - How to pass post request in phone verification for Twilio API using Typescript 节点的http服务器是否对ReadableStream请求进行了任何Content-Length验证 - Does node's http server have any Content-Length verification for the ReadableStream request 禁用在 email 上发送的验证码在 Cognito 上的验证 - disable verification code being sent on email verification on cognito
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM