
[QUESTION] Effect of strict-ssl=false is unclear

Open cedws opened this issue 4 years ago • 3 comments

strict-ssl is documented as follows:

Whether or not to do SSL key validation when making requests to the registry via https.

The questions that come to mind around this are:

  • Is SSL really meant here, not TLS?
  • Validation of what key against what? Presumably the client's? Is it relevant if not using mutual authentication?
  • What happens if said validation fails?
  • Does disabling this introduce an MITM risk, like curl -k would?
  • When is there a good reason for disabling this? Is it required if you're using a self-signed certificate? What if you pass that CA certificate into npm, does it need to be disabled still?

cedws avatar May 27 '21 19:05 cedws

@cedws this specific section is from the npm CLI documentation which is maintained in https://github.com/npm/cli. I'm going to transfer this issue there

MylesBorins avatar May 27 '21 19:05 MylesBorins

@cedws Given the recent announcement to deprecate TLS 1.0 and TLS 1.1, this is an important question.

My team uses our client's NPM registry (built off of Nexus) as well as public npm registry. When I run npm install I see this message:

You are currently using plaintext http to connect.

I have strict-ssl set to false; is that causing me to use plaintext http? The documentation is not clear.

Stargator avatar Aug 30 '21 20:08 Stargator
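The two things asked about in this thread, `strict-ssl=false` and a registry reached over plaintext `http`, are both visible in an `.npmrc`, so they can be audited before `npm install` ever runs. The script below is an added example written for this page; it is not npm's code and not from any poster here. It assumes the `key=value` line format npm itself writes, uses npm's real `cafile` option to point at a CA bundle, and uses constructed placeholder values for the registry host and the CA path:

```shell
#!/bin/sh
# Added example (not npm's code, not from this issue): audit an .npmrc for
# settings that weaken registry transport security, then write a hardened copy.
# Assumptions: key=value lines as npm writes them; the CA bundle path and the
# internal registry host below are placeholders you would replace.

# audit_npmrc FILE
#   Writes one finding per weak setting to stderr and prints the number of
#   findings to stdout, so a caller (CI step, pre-install hook) can branch on it.
audit_npmrc() {
  findings=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*|';'*) continue ;; esac   # skip blanks and comments
    key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    val=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    case "$key" in
      strict-ssl)
        if [ "$val" = "false" ]; then
          echo "FINDING: strict-ssl=false disables verification of the registry's certificate (same risk class as curl -k)" >&2
          findings=$((findings + 1))
        fi ;;
      registry|*:registry)
        # both the default registry and scoped registries (@scope:registry)
        case "$val" in
          http://*)
            echo "FINDING: $key uses plaintext http: $val" >&2
            findings=$((findings + 1)) ;;
        esac ;;
    esac
  done < "$1"
  echo "$findings"
}

# harden_npmrc IN OUT CAFILE
#   Flips strict-ssl=false back to true and adds a cafile entry so a registry
#   signed by a private CA still verifies instead of verification being turned
#   off. Plaintext-http registries are only reported, not rewritten, because
#   the server may not serve https; that is a change for the registry owner.
harden_npmrc() {
  sed -e 's/^[[:space:]]*strict-ssl[[:space:]]*=[[:space:]]*false[[:space:]]*$/strict-ssl=true/' \
      "$1" > "$2"
  printf 'cafile=%s\n' "$3" >> "$2"
}

# Constructed sample .npmrc (placeholder host; not a real registry)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed example config
registry=https://registry.npmjs.org/
@internal:registry=http://nexus.example.invalid/repository/npm/
strict-ssl=false
EOF

HARDENED=$(mktemp)
echo "weak settings before hardening: $(audit_npmrc "$SAMPLE")"
harden_npmrc "$SAMPLE" "$HARDENED" "/etc/pki/tls/internal-ca-PLACEHOLDER.pem"
echo "weak settings after hardening: $(audit_npmrc "$HARDENED")"
```

Run against the constructed sample it reports two findings (the disabled verification and the scoped registry over http), and one after hardening, since the http registry is deliberately left for a human to fix. The point of `harden_npmrc` is the mitigation a defender wants for the self-signed-certificate case raised in the issue: trusting the specific CA via `cafile` keeps certificate verification on, whereas `strict-ssl=false` removes it for every registry request.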

Is there a clear answer to this question?

Traveller23 avatar Jun 07 '24 11:06 Traveller23