Do not recommend adding --insecure to solve certificate issues #1810
Conversation
Coverage decreased (-0.1%) to 73.233% when pulling 19bbd72fb03724ce7cc1b4c6b613aa48e38f4fac on jedisct1:jedisct1/dont-recommend-insecure into 16c71fa on curl:master.
Thanks. Yes, recommending switching off the certificate checks is a rather terrible thing to do. That's also why the option is called This said, I'm pretty sure this error message is already a wall of text that is way too big. I think that due to its size it mostly scares people away, and I doubt very many actually read the whole thing and weigh their options. Since this already refers to a URL with most of this described in detail (and it makes sense to make that the single home for those instructions and recommendations), I think we should instead strive toward shortening this error message to a few lines. Perhaps something like this:
Indeed, this message is already way too long. Your short version is great! That web page still lists
That web page is simply the docs/SSLCERTS.md file rendered on the web site. It can certainly be improved!
The previous message was just too long for ordinary people and it was encouraging users to use `--insecure` a little too easily. Based-on-work-by: Frank Denis in #1810
Here's some rough numbers about turning off certificate verification:
thanks @jedisct1!
There is a massive amount of scripts, examples and tutorials unconditionally adding the `--insecure` option to the `curl` command in order to access public servers with perfectly valid certificates.

A possible culprit is the `curl` command itself. As soon as a certificate error is returned, it suggests simply retrying the same command with `--insecure` added to it. So, people follow the advice, and since it "fixes things", end up using it unconditionally.

This is terrible.

The main causes of certificates that don't validate are:

The following diff displays some hints about what the root cause of a certificate error is likely to be, instead of suggesting `--insecure`.