Connect to a site presenting an expired root certificate in the certificate bundle with curl in PHP


Question

Over the weekend, the Sectigo AddTrust External CA Root expired. For modern browsers, this should not have made any difference for users of affected sites.

Our PHP application connects to a site which we don't control, which includes this expired root in its certificate bundle. We connect using curl, and verify the certificates. But since this root is now expired, curl is now refusing to connect, with an error that the certificate is expired.

There is a sample site which exhibits the same behaviour at https://addtrustchain.test.certificatetest.com/

And sample code which exhibits the same behaviour is

<?php
$ch = curl_init();

$url = 'https://addtrustchain.test.certificatetest.com/';
//$url = 'https://google.com';
$caPath = '/path/to/cacert.pem';
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, $caPath);

$output = curl_exec($ch);

var_dump($output);
var_dump(curl_getinfo($ch));
var_dump(curl_errno($ch));
var_dump(curl_error($ch));

curl_close($ch);

Is there a workaround from the php side where we can ignore the expired root certificate provided in the bundle? We're trying to work with the parties on the other side to remove/update the expired root from their bundle, but it would be great to have a solution from our side for the next time this comes up.

I have tried updating our local cacert.pem to include the actual certificate itself, and the provided intermediaries, but neither of those seems to fix the issue.

Accepted answer

You need to remove AddTrust External Root from your cacert.pem.

For those who are wondering, you can take the cacert.pem from Mozilla there: https://curl.haxx.se/docs/caextract.html. You then need to remove AddTrust External Root.

Removing AddTrust External Root forces software to use the correct certification path (when there are multiple ones).

For example, twinoid.com has 3 paths. Two of them are valid, the last contains AddTrust External Root. https://www.ssllabs.com/ssltest/analyze.html?d=twinoid.com&hideResults=on (you can check the 3 paths there)
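One way to apply the fix above to a bundle in the curl/Mozilla caextract format, as an added example that is not part of the original answer; the entry layout is an assumption about that format, and the sample bundle uses constructed placeholder certificate bodies:

```python
import re

# Added example, not from the original Q&A. Assumes the curl/Mozilla
# cacert.pem layout: optional '##' header, then entries of a CA name line,
# a line of '=', and one PEM CERTIFICATE block, separated by blank lines.
ENTRY_RE = re.compile(
    r"^(?P<name>[^\n]+)\n=+\n"
    r"-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----\n?",
    re.MULTILINE | re.DOTALL,
)


def list_cas(bundle: str) -> list[str]:
    """CA names present in the bundle, in file order."""
    return [m.group("name") for m in ENTRY_RE.finditer(bundle)]


def remove_ca(bundle: str, name: str) -> tuple[str, int]:
    """Return (new_bundle, removed_count) with every entry named `name` dropped."""
    removed = 0

    def keep_or_drop(m: re.Match) -> str:
        nonlocal removed
        # Exact match on the name line: other CAs whose names merely
        # contain 'AddTrust' stay in the bundle.
        if m.group("name") == name:
            removed += 1
            return ""
        return m.group(0)

    new_bundle = ENTRY_RE.sub(keep_or_drop, bundle)
    # Collapse the blank-line gap the deletion leaves behind.
    return re.sub(r"\n{3,}", "\n\n", new_bundle), removed


# Constructed sample bundle (placeholder PEM bodies, not real certificates).
SAMPLE_BUNDLE = """\
## Bundle of CA Root Certificates (constructed sample)

AddTrust External Root
======================
-----BEGIN CERTIFICATE-----
QUREVFJVU1QgRVhQSVJFRCBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----

USERTrust RSA Certification Authority
=====================================
-----BEGIN CERTIFICATE-----
VVNFUlRSVVNUIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""
```

Point CURLOPT_CAINFO at the cleaned file and re-run the question's code; the connection can only succeed if the server's chain still offers a path to a root that remains in the bundle.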
