Completely disabling SSL certificate validation in Ubuntu


Question :

I am new to Linux and learning Linux on Ubuntu 18.04.1 LTS installed on Oracle VirtualBox on a company system. The company has a private proxy network, so all the websites I browse on Ubuntu pass through the proxy and get an SSL certificate issued by the company. When I browse from Chrome/Firefox it gives an error like "not a trusted source". When I go to > Advanced > Add Exception I can browse that particular website for some time, and then after some time the same error appears again (probably the certificate details change). In the browser at least I can browse after such effort, but Ubuntu Software does not even give such an option and I am simply not able to download any software. Also, CLI apt-get doesn't work. Can someone tell me a way to configure things so that we completely bypass SSL validation system-wide? Something like --disable ssl certificate validation, so that I am able to seamlessly connect to the internet? (Of course, websites blocked by the proxy will still be blocked.)

Thanks a ton in advance!!

NK, Linux enthusiast

PS: below is the error on Firefox:

"Your connection is not secure. The owner of support.mozilla.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website."


Answer 1 :

Disable SSL certificate validation in Ubuntu totally

Fortunately that is not really possible apart from compiling the relevant applications again and disabling certificate validation in the code.

The proper way to proceed is not to disable validation but to add the CA certificate used by the proxy as trusted. This way you can use the proxy without any warnings but are still not vulnerable to arbitrary man-in-the-middle attacks like you would be if you disabled all validation.

Please ask your network administrators for the proper CA certificate and then install it as described for example here for Firefox (although this specific site is for Windows it is the same with Firefox on Linux).


Answer 2 :

The correct way to go about this is to add the CA certificate used by the proxy. If they are rotated frequently this may indeed become annoying. To install the certificates such that they are used by most applications (unlike Firefox, which uses its own certificate store), do the following:

  • Obtain the certificate in Base64 encoded X.509 format.
    An easy way to obtain them is through Chrome via Settings, Advanced, Manage Certificates on an IT-managed/auto-updated system.
  • Copy them to /usr/local/share/ca-certificates
    (Optionally make a new subfolder.)
  • If the extension is not .crt, rename the files.
  • sudo update-ca-certificates
  • When repeating this exercise the certificates might not update. You can work around this by first running:

    sudo rm -f /etc/ssl/certs/[certificate-name].pem

    where [certificate-name] matches the filename of the certificates without the original (.crt) extension.

    NOTE: Tested under Ubuntu 16.04, but I expect it will behave the same under 18.04.
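
The steps in Answer 2, gathered into one script as an added example (not part of either answer). It refuses files that are not PEM and prints the SHA-256 fingerprint so it can be confirmed with the network administrators before the CA is trusted system-wide. The script name, the function names and the CA_SRC_DIR / CA_LINK_DIR variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: stage a proxy CA certificate for update-ca-certificates.
# CA_SRC_DIR and CA_LINK_DIR are hypothetical override variables; their
# defaults are the paths named in the answer above.
CA_SRC_DIR="${CA_SRC_DIR:-/usr/local/share/ca-certificates}"
CA_LINK_DIR="${CA_LINK_DIR:-/etc/ssl/certs}"

# is_pem_cert FILE: succeed only if FILE carries both PEM armor lines
# (the "Base64 encoded X.509" format; binary DER exports are rejected).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# crt_name FILE: base name of FILE with its extension replaced by .crt
crt_name() {
    base=$(basename -- "$1")
    printf '%s.crt\n' "${base%.*}"
}

# stage_ca_cert FILE [SUBDIR]: copy FILE to CA_SRC_DIR[/SUBDIR]/NAME.crt and
# remove a stale NAME.pem link so the next update picks up the new file.
# Prints the installed path on success.
stage_ca_cert() {
    src=$1
    dest_dir="$CA_SRC_DIR${2:+/$2}"
    if ! is_pem_cert "$src"; then
        echo "refusing $src: not a PEM (Base64) certificate" >&2
        return 1
    fi
    name=$(crt_name "$src")
    mkdir -p "$dest_dir" &&
    cp -- "$src" "$dest_dir/$name" &&
    chmod 644 "$dest_dir/$name" &&
    rm -f -- "$CA_LINK_DIR/${name%.crt}.pem" &&
    printf '%s\n' "$dest_dir/$name"
}

# Run as root, e.g.: ./stage-ca.sh corp-proxy.pem proxy
if [ "$#" -gt 0 ]; then
    # Show subject and fingerprint for out-of-band confirmation first.
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256 || exit 1
    stage_ca_cert "$1" "${2:-}" || exit 1
    update-ca-certificates
fi
```
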


