Unfortunately there are times where you need tls_insecure_skip_verify in production, like reverse proxying to old, outdated devices, with awfully wrong self-signed certificates that might be expired and never updated.
I propose an option for pinning fixed certificates to such endpoints, like a PR #6329 that I use in my own setup.
First, we get SHA256 fingerprint of the certificate:
openssl x509 -in .lnd/tls.cert -noout -fingerprint -sha256
Then we add a directive alongside tls_insecure_skip_verify:
tls_server_cert_sha256 "07:E9:E5:E8:50:54:26:CE:7D:37:A4:4F:71:15:0B:3A:53:B3:65:A6:9E:B8:D9:20:93:54:94:16:2D:48:23:01"
Now our security exception doesn't allow an easy MITM attack.
Unfortunately there are times where you need
tls_insecure_skip_verify
in production, like reverse proxying to old, outdated devices, with awfully wrong self-signed certificates that might be expired and never updated.I propose an option for pinning fixed certificates to such endpoints, like a PR #6329 that I use in my own setup.
First, we get SHA256 fingerprint of the certificate:
openssl x509 -in .lnd/tls.cert -noout -fingerprint -sha256
Then we add a directive alongside
tls_insecure_skip_verify
:tls_server_cert_sha256 "07:E9:E5:E8:50:54:26:CE:7D:37:A4:4F:71:15:0B:3A:53:B3:65:A6:9E:B8:D9:20:93:54:94:16:2D:48:23:01"
Now our security exception doesn't allow an easy MITM attack.