我使用http-conduit创建了一个程序,它需要与没有有效TLS证书的服务器通信。在这种情况下,这是一个自签名证书。
HTTPS-test.hs :
#!/usr/bin/env stack
-- stack --install-ghc --resolver lts-5.13 runghc --package http-conduit
{-# LANGUAGE OverloadedStrings #-}
import qualified Data.ByteString.Char8 as S8
import qualified Data.ByteString.Lazy.Char8 as L8
import Network.HTTP.Client
import Network.HTTP.Simple
import Network.Connection
( TLSSettings(..) )
main :: IO ()
main = do
authenticate "self-signed.badssl.com" "" ""
authenticate :: S8.ByteString
-> L8.ByteString
-> L8.ByteString
-> IO ()
authenticate hostname username password = do
let request
= setRequestMethod "GET"
$ setRequestSecure True
$ setRequestPort 443
$ setRequestHost hostname
$ setRequestPath "/"
$ defaultRequest
response <- httpLBS request
putStrLn $ "The status code was: " ++
show (getResponseStatusCode response)
print $ getResponseHeader "Content-Type" response
L8.putStrLn $ getResponseBody response
预期输出
The status code was: 200
["text/html"]
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" href="/icons/favicon-red.ico"/>
<link rel="apple-touch-icon" href="/icons/icon-red.png"/>
<title>self-signed.badssl.com</title>
<link rel="stylesheet" href="/style.css">
<style>body { background: red; }</style>
</head>
<body>
<div id="content">
<h1 style="font-size: 12vw;">
self-signed.<br>badssl.com
</h1>
</div>
</body>
</html>
实际输出:
https-test.hs: TlsExceptionHostPort (HandshakeFailed (Error_Protocol ("certificate rejected: [SelfSigned]",True,CertificateUnknown))) "self-signed.badssl.com" 443
答案 0 :(得分:4)
这是非常糟糕的主意有很多原因。您最好修复服务器(如果可以)或鼓励运行它的人来修复它。
绕过TLS证书验证会删除TLS的所有有用方面,因为它使得处于中间位置的攻击者伪装成服务器并操纵数据变得微不足道。所有攻击者都需要使用另一个同样糟糕的自签名证书重新加密他们截获的,被操纵的内容。您的客户端软件将不再是明智之举。
http-conduit 支持请求管理器的概念。使用请求管理器,您可以提供替代方案。
首先,您可以构建一个禁用服务器证书验证的TLSSettingsSimple(TLSSettingsSimple is defined in Network.Connection in the connection package):
noVerifyTlsSettings :: TLSSettings
noVerifyTlsSettings = TLSSettingsSimple
{ settingDisableCertificateValidation = True
, settingDisableSession = True
, settingUseServerName = False
}
然后你可以建立一个使用它的请求管理器(mkManagerSettings comes from the Network.HTTP.Client.TLS module in the http-client-tls package):
noVerifyTlsManagerSettings :: ManagerSettings
noVerifyTlsManagerSettings = mkManagerSettings noVerifyTlsSettings Nothing
然后您可以初始化此请求管理器并根据请求进行设置:
manager <- newManager noVerifyTlsManagerSettings
-- ...
$ setRequestManager manager
-- ...
您还需要提供 http-client-tls 包,因此您需要修改堆栈的参数以包含此内容:
--package http-client-tls
以下是完整的解决方案:
#!/usr/bin/env stack
-- stack --install-ghc --resolver lts-5.13 runghc --package http-client-tls
{-# LANGUAGE OverloadedStrings #-}
import qualified Data.ByteString.Char8 as S8
import qualified Data.ByteString.Lazy.Char8 as L8
import Network.HTTP.Client
import Network.HTTP.Client.TLS (mkManagerSettings)
import Network.HTTP.Simple
import Network.Connection (TLSSettings(..))
main :: IO ()
main = do
authenticate "self-signed.badssl.com" "" ""
authenticate :: S8.ByteString
-> L8.ByteString
-> L8.ByteString
-> IO ()
authenticate hostname username password = do
manager <- newManager noVerifyTlsManagerSettings
let request
= setRequestMethod "GET"
$ setRequestSecure True
$ setRequestPort 443
$ setRequestHost hostname
$ setRequestPath "/"
$ setRequestManager manager
$ defaultRequest
response <- httpLBS request
putStrLn $ "The status code was: " ++
show (getResponseStatusCode response)
print $ getResponseHeader "Content-Type" response
L8.putStrLn $ getResponseBody response
noVerifyTlsManagerSettings :: ManagerSettings
noVerifyTlsManagerSettings = mkManagerSettings noVerifyTlsSettings Nothing
noVerifyTlsSettings :: TLSSettings
noVerifyTlsSettings = TLSSettingsSimple
{ settingDisableCertificateValidation = True
, settingDisableSession = True
, settingUseServerName = False
}