2017-02-15 22:17 阅读 58


From client I already have tls config which sets InsecureSkipVerify to true. How to write server for this client which take any cert. Can tls.config help in server too? like setting InsecureSkipVerify to true?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

1条回答 默认 最新

  • 已采纳
    douxian7808 douxian7808 2017-02-16 08:01

    No, as @JimB told you, TLS can't work without certificates.

    The reasoning is simple: TLS is all about security, and certificates are cryptographic keys which provide that security (TLS uses a so-called "asymmetric cryptography" where each party has a key pair consisting of a private and public parts; the public part is what get sent to another party when doing a TLS handshake).

    But on the other hand the security TLS provides is two-fold:

    1. It provides mutual authentication of the parties participating in the exchange.
    2. It provides encryption of the transmission channel.

    Certificates are used for both aspects: the fact they contain cryptographic keys is used for (2), and the fact they have owner's identity encoded in them (and verified by whoever was issued a particular cercificate( is used for (1).

    Let me not digress into discussing how (1) works in detail (though I truly urge you to read some theory on it) but (1) is what you actually want to sidestep.

    The good (for you) thing is that it's cheaply doable:

    • The TLS clients can be told to not verify the server's identity.
    • The TLS servers can be told to do the same (and often it's the default mode they operate in—which is typical for regular websites for instance).
    • You can create a so-called self-signed certificate for your TLS server.

    The latter requires nothing but something which is able to generate X.509 certificates; OpenSSL is typically used for this; just google for it.

    If you're on Debian or Debian derivative (like Ubuntu, Mint etc) consider installing the ssl-cert package and using the make-ssl-cert program it provides.

    点赞 评论 复制链接分享