[QUESTION] Effect of strict-ssl=false is unclear

[cedws]

strict-ssl is documented as follows:

Whether or not to do SSL key validation when making requests to the registry via https.

The questions that come to mind around this is:

• Is SSL really meant here, not TLS?
• Validation of what key against what? Presumably the client's? Is it relevant if not using mutual authentication?
• What happens if said validation fails?
• Does disabling this introduce an MITM risk, like curl -k would?
• When is there a good reason for disabling this? Is it required if you're using a self signed certificate? What if you pass that CA certificate into npm, does it need to be disabled still?

[MylesBorins]

@cedws this specific section is from the npm CLI documentation which is maintained in https://github.com/npm/cli. I'm going to transfer this issue there

[Stargator]

@cedws Given the recent announcement to deprecate tls 1.0 and tls 1.1. This is an important question.

My team uses our client's NPM registry (built off of Nexus) as well as public npm registry. When I run npm install I see this message:

You are currently using plaintext http to connect.

I have strict-ssl set to false, is that causing me to use plaintext http because the documentation is not clear.

[Traveller23]

Is there a clear answer to this question?