博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
php 使用curl发起https请求
阅读量:5863 次
发布时间:2019-06-19

本文共 5221 字,大约阅读时间需要 17 分钟。

今天一个同事反映,使用curl发起https请求的时候报错:“SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed”

很明显,验证证书的时候出现了问题。

使用curl如果想发起的https请求正常的话有2种做法:

方法一、设定为不验证证书和host。

在执行curl_exec()之前。设置option

$ch = curl_init();

......

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

 

方法二、设定一个正确的证书。

本地ssl判别证书太旧,导致链接报错ssl证书不正确。

我们需要下载新的ssl 本地判别文件

放到 程序文件目录

curl 增加下面的配置

   curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true); ;

   curl_setopt($ch,CURLOPT_CAINFO,dirname(__FILE__).'/cacert.pem');

大功告成

(本人验证未通过。。。报错信息为:SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

如果对此感兴趣的话可以参看国外一大神文章。

为了防止某天该文章被Q今复制过来。内容如下:

Using cURL in PHP to access HTTPS (SSL/TLS) protected sites

From PHP, you can access the useful  to make requests to URLs using a variety of protocols such as HTTP, FTP, LDAP and even . (If you’ve spent time on the *nix command line, most environments also have the curl command available that uses the libcurl library)

In practice, however, the most commonly-used protocol tends to be HTTP, especially when usingPHP for server-to-server communication. Typically this involves accessing another web server as part of a web service call, using some method such as -RPC or REST to query a resource. For example,  offers  to manipulate and read a user’s posts. However, when trying to access a HTTPS resource (such as the delicious API), there’s a little more configuration you have to do before you can get cURL working right in PHP.

 

The problem

If you simply try to access a HTTPS (SSL or TLS-protected resource) in PHP using cURL, you’re likely to run into some difficulty. Say you have the following code: (Error handling omitted for brevity)

// Initialize session and set URL. $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); // Set so curl_exec returns the result instead of outputting it. curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // Get the response and close the channel. $response = curl_exec($ch); curl_close($ch);

If $url points toward an HTTPS resource, you’re likely to encounter an error like the one below:

Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The problem is that cURL has not been configured to trust the server’s HTTPS certificate. The concepts of certificates and PKI revolves around the trust of Certificate Authorities (CAs), and by default, cURL is setup to not trust any CAs, thus it won’t trust any web server’s certificate. So why don’t you have problems visiting HTTPs sites through your web browser? As it happens, the browser developers were nice enough to , covering most situations, so as long as the website operator purchased a certificate from one of these CAs.

The quick fix

There are two ways to solve this problem. Firstly, we can simply configure cURL to accept any server(peer) certificate. This isn’t optimal from a security point of view, but if you’re not passing sensitive information back and forth, this is probably alright. Simply add the following line before calling curl_exec():

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

This basically causes cURL to blindly accept any server certificate, without doing any verification as to which CA signed it, and whether or not that CA is trusted. If you’re at all concerned about the data you’re passing to or receiving from the server, you’ll want to enable this peer verification properly. Doing so is a bit more complicated.

The proper fix

The proper fix involves setting the CURLOPT_CAINFO parameter. This is used to point towards a CA certificate that cURL should trust. Thus, any server/peer certificates issued by this CA will also be trusted. In order to do this, we first need to get the CA certificate. In this example, I’ll be using the  server as a reference.

First, you’ll need to visit the URL with your web browser in order to grab the CA certificate. Then, (in Firefox) open up the security details for the site by double-clicking on the padlock icon in the lower right corner:

Then click on “View Certificate”:

Bring up the “Details” tab of the cerficates page, and select the certificate at the top of the hierarchy. This is the CA certificate.

Then click “Export”, and save the CA certificate to your selected location, making sure to select the X.509 Certificate (PEM) as the save type/format.

Now we need to modify the cURL setup to use this CA certificate, with CURLOPT_CAINFO set to point to where we saved the CA certificate file to.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");

The other option I’ve included, CURLOPT_SSL_VERIFYHOST can be set to the following integer values:

  • 0: Don’t check the common name (CN) attribute
  • 1: Check that the common name attribute at least exists
  • 2: Check that the common name exists and that it matches the host name of the server
本文转自博客园知识天地的博客,原文链接: ,如需转载请自行联系原博主。
你可能感兴趣的文章
TortoiseGit 文件比对工具使用 Beyond Compare 和 DiffMerge
查看>>
MySQL存储引擎MyISAM与InnoDB的优劣
查看>>
Action.c(58): Error -27796: Failed to connect to server "hostname"
查看>>
webpack 入门指南
查看>>
weblogicjsp编译:查看编译后的java中间代码
查看>>
Spring Boot 入门
查看>>
[普通平衡树splay]【学习笔记】
查看>>
聊聊并发(七)——Java中的阻塞队列
查看>>
php 读取文件
查看>>
python的dir、help、str用法
查看>>
【Infobright】infobright数据导入导出测试
查看>>
编译器处理警告、错误 #pragma GCC diagnostic ignored "-Wunused"
查看>>
Qtablevies获取内容
查看>>
jdk安装配置具体分析
查看>>
[转]ASP.NET Core 中间件详解及项目实战
查看>>
eclipse编辑窗口不见了(打开左边的java、xml文件,中间不会显示代码)
查看>>
iOS动画篇:核心动画
查看>>
第一篇:《UNIX 环境高级编程》编译环境的搭建
查看>>
人脸关键点检测算法
查看>>
事物与数据库锁的关系(锁只是数据库事物一方面)
查看>>