http 使用curl發(fā)起https請求

千里之行，始于足下。第2頁/共2頁精品文檔推薦http使用curl發(fā)起https請求http使用curl發(fā)起https請求

今天一具同事反映，使用curl發(fā)起https請求的時候報錯：“SSLcertificateproblem,verifythattheCAcertisOK.Details:error:14090086:SSL

routines:SSL3_GET_SERVER_CERTIFICATE:certificateverifyfailed”

非常明顯，驗證證書的時候浮現(xiàn)了咨詢題。

使用curl假如想發(fā)起的https請求正常的話有2種做法：

辦法一、設(shè)定為別驗證證書和host。

在執(zhí)行curl_exec()之前。設(shè)置option

$ch=curl_init();

curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,FALSE);

辦法二、設(shè)定一具正確的證書。

本地ssl判不證書太舊，導(dǎo)致鏈接報錯ssl證書別正確。

我們需要下載新的ssl本地判不文件

http://curl.haxx.se/ca/cacert.pem

放到程序文件名目

curl增加下面的配置

curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);;

curl_setopt($ch,CURLOPT_CAINFO,dirname(__FILE__).'/cacert.pem');

大功告成

（本人驗證未經(jīng)過。。。報錯信息為：SSLcertificateproblem,verifythattheCAcertisOK.Details:error:14090086:SSLroutines:SSL3_GET_SERVER_CERTIFICATE:certificateverifyfailed）

假如對此感興趣的話能夠參看國外一大神文章。

/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/

為了防止某天該文章被Q今復(fù)制過來。內(nèi)容如下：

UsingcURLinPHPtoaccessHTTPS(SSL/TLS)protectedsites

FromPHP,youcanaccesstheusefulcURLLibrary(libcurl)tomakerequeststoURLsusingavarietyofprotocolssuchasHTTP,FTP,LDAPandevenGopher.(Ifyou’vespenttimeonthe*nixcommandline,mostenviroXXXentsalsohavethecurlcommandavailablethatusesthelibcurllibrary)

Inpractice,however,themostcommonly-usedprotocoltendstobeHTTP,especiallywhenusingPHPforserver-to-servercommunication.Typicallythisinvolvesaccessinganotherwebserveraspartofawebservicecall,usingsomemethodsuchasXML-RPCorRESTtoqueryaresource.Forexample,DeliciousoffersaHTTP-basedAPItomanipulateandreadauser’sposts.However,whentryingtoaccessaHTTPSresource(suchasthedeliciousAPI),there’salittlemoreconfigurationyouhavetodobeforeyoucangetcURLworkingrightinPHP.

Theproblem

IfyousimplytrytoaccessaHTTPS(SSLorTLS-protectedresource)inPHPusingcURL,you’relikelytorunintosomedifficulty.Sayyouhavethefollowingcode:(Errorhandlingomittedforbrevity)

//InitializesessionandsetURL.

$ch=curl_init();curl_setopt($ch,CURLOPT_URL,$url);

//Setsocurl_execreturnstheresultinsteadofoutputtingit.

curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);

//Gettheresponseandclosethechannel.

$response=curl_exec($ch);

curl_close($ch);

If$urlpointstowardanHTTPSresource,you’relikelytoencounteranerrorliketheonebelow:

Failed:ErrorNumber:60.Reason:SSLcertificateproblem,verifythattheCAcertisOK.Details:error:14090086:SSLroutines:SSL3_GET_SERVER_CERTIFICATE:certificateverifyfailed

TheproblemisthatcURLhasnotbeenconfiguredtotrusttheserver’sHTTPScertificate.TheconceptsofcertificatesandPKIrevolvesaroundthetrustofCertificateAuthorities(CAs),andbydefault,cURLissetuptonottrustanyCAs,thusitwon’ttrustanywebserver’scertificate.Sowhydon’tyouhaveproblemsvisitingHTTPssitesthroughyourwebbrowser?Asithappens,thebrowserdeveloperswereniceenoughtoincludealistofdefaultCAstotrust,coveringmostsituations,soaslongasthewebsiteoperatorpurchasedacertificatefromoneoftheseCAs.

Thequickfix

Therearetwowaystosolvethisproblem.Firstly,wecansimplyconfigurecURLtoacceptanyserver(peer)certificate.Thisisn’toptimalfromasecuritypointofview,butifyou’renotpassingsensitiveinformationbackandforth,thisisprobablyalright.Simplyaddthefollowinglinebeforecallingcurl_exec():

curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,false);

ThisbasicallycausescURLtoblindlyacceptanyservercertificate,withoutdoinganyverificationastowhichCAsignedit,andwhetherornotthatCAistrusted.Ifyou’reatallconcernedaboutthedatayou’repassingtoorreceivingfromtheserver,you’llwanttoenablethispeerverificationproperly.Doingsoisabitmorecomplicated.

Theproperfix

TheproperfixinvolvessettingtheCURLOPT_CAINFOparameter.ThisisusedtopointtowardsaCAcertificatethatcURLshouldtrust.Thus,anyserver/peercertificatesissuedbythisCAwillalsobetrusted.Inordertodothis,wefirstneedtogettheCAcertificate.Inthisexample,I’llbeusingthehttps://api.del.icio.us/serverasareference.

First,you’llneedtovisittheURLwithyourwebbrowserinordertograbtheCAcertificate.Then,(inFirefox)openupthesecuritydetailsforthesitebydouble-clickingonthepadlockiconinthelowerrightcorner:

Thenclickon“ViewCertificate”:

Bringupthe“Details”tabofthecerficatespage,andselectthecertificateatthetopofthehierarchy.ThisistheCAcertificate.

Thenclick“Export”,andsavetheCAcertificatetoyourselectedlocation,makingsuretoselecttheX.509Certificate(PEM)asthesavetype/format.

NowweneedtomodifythecURLsetuptousethisCAcertificate,withCURLOPT_CAINFOsettopointtowherewesavedtheCAcertificatefileto.

curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);

curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);

curl_setopt($ch,CURLOPT_CAINFO,getXXXd().

"/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");

TheotheroptionI’veincluded,CURLOPT_SSL_VERIFYHOSTcanbesettothefollowingintegervalues:

0:Don’tcheckthecommonname(CN)attribute

1:Checkthatthecommonnameattributeatleastexists

2:CheckthatthecommonnameexistsandthatitmatchesthehostnameoftheserverIfyouhaveCURLOPT_SSL_VERIFYPEERsettofalse,thenfromasecurityperspective,itdoesn’treallymatterwhatyou’vesetCURLOPT_SSL_VERIFYHOSTto,sincewithoutpeer

certificateverification,theservercoulduseanycertificate,includingaself-signedonethatwasguaranteedtohaveaCNthatmatchedtheserver’shostname.Sothissettingisreallyonlyrelevantifyou’veenabledcertificateverification.

ThisensuresthatnotjustanyservercertificatewillbetrustedbyyourcURLsession.Forexample,ifanattackerweretosomehowredirecttrafficfromtotheirownserver,thecURLsessionherewouldnotproperlyinitialize,sincetheattackerwouldnothaveaccesstoaservercertificate(i.e.wouldnothavetheprivatekey)trustedbytheCAweadded.ThesestepseffectivelyexportthetrustedCAfromthewebbrowsertothecURLconfiguration.

Moreinformation

IfyouhavetheCAce