PHP cURL SSL密码套件订购 [英] PHP cURL SSL Cipher Suite Order

问题描述

Cloudflare将ECDHE_ECDSA和AES_128_GCM密码套件用于其https证书.使用PHP cURL时，可以指定密码套件:

Cloudflare uses the cipher suite of ECDHE_ECDSA and AES_128_GCM for their https certificates. When using PHP cURL, you can specify the cipher suite:

curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_ecdsa_aes_128_sha');

但是，如果cURL请求正在请求除ecdhe_ecdsa_aes_128_sha之外的其他内容，那对我没有帮助.

However, that doesn't help me if the cURL request is requesting something other than ecdhe_ecdsa_aes_128_sha.

设置了以下Apache配置，但是PHP cURL似乎不遵守这一要求:

The following Apache configuration is set, but PHP cURL does not seem to respect this:

SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

是否可以为PHP cURL指定密码套件顺序?

Is there a way to specify a cipher suite order for PHP cURL?

环境信息:

[vagrant@devopsgroup ~]$ php -i | grep SSL
SSL => Yes
SSL Version => NSS/3.15.4
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013
Native OpenSSL support => enabled

推荐答案

您可以像上面建议的那样指定希望cURL与CURLOPT_SSL_CIPHER_LIST一起使用的密码套件，但是如果cURL是针对OpenSSL编译的，则需要指定OpenSSL所使用格式的密码.

You can specify the cipher suites you want cURL to use with CURLOPT_SSL_CIPHER_LIST like you suggest above, but if cURL is compiled against OpenSSL, then you need to specify the ciphers in the format used by OpenSSL.

Apache配置对cURL没有影响.

The Apache configuration has no effect on cURL.

由于cURL是使用OpenSSL构建的，请尝试使用 OpenSSL密码中的密码名称.

Since cURL is built with OpenSSL, try using the cipher names from OpenSSL ciphers.

例如:

curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA');

此答案也很有用: https://unix .stackexchange.com/questions/208437/how-to-convert-ssl-ciphers-curl格式

这篇关于PHP cURL SSL密码套件订购的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！