Alternative for using CURLOPT_SSL_VERIFYHOST, 2
Question
I am using the auth.net XML class written by John Conde, http://www.johnconde.net/blog/tutorial-integrate-authorize-net-xml-api-universal-php-class/. In it, it has two lines.
curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($this->ch, CURLOPT_CAINFO, dirname(__FILE__) . '/ssl/cert.pem');
Can I use
curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl,CURLOPT_CAINFO, NULL);
curl_easy_setopt(curl,CURLOPT_CAPATH, NULL);
I might not be able to get the .pem file, or info I need to create it. Would this alternative be just as secure?
Recommended answer
Would this alternative be just as secure?
No, disabling CURLOPT_SSL_VERIFYHOST or CURLOPT_SSL_VERIFYPEER would allow for possible MITM attacks (see this answer).
I might not be able to get the .pem file, or info I need to create it
The info you need to create it is ultimately a judgement call from you, choosing which CAs you want to trust. Browsers and OSes tend to make a pre-selection for you. Curl comes with a convenient script and CA bundle using the Firefox CA selection (this selection is updated once in a while). Some Linux distributions also provide a default CA bundle file that you may be able to use.
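One way to keep verification on when the original cert.pem is not available, added here as an example (not code from the answer or from John Conde's class): look for a CA bundle in a few places and refuse to send the request if none is found. The function names, the candidate paths and the example.com URL are assumptions.

```php
<?php
// Added example; find_ca_bundle() and harden_curl_handle() are hypothetical names.

/**
 * Return the first readable CA bundle, or null if none is found.
 * The candidate list is an assumption; adjust it for your platform.
 */
function find_ca_bundle(array $extraCandidates = []): ?string
{
    $candidates = array_merge($extraCandidates, [
        __DIR__ . '/ssl/cert.pem',             // bundle shipped beside the class, as in the question
        ini_get('curl.cainfo') ?: null,        // php.ini setting, if configured
        '/etc/ssl/certs/ca-certificates.crt',  // Debian, Ubuntu
        '/etc/pki/tls/certs/ca-bundle.crt',    // RHEL, CentOS, Fedora
        '/etc/ssl/cert.pem',                   // Alpine, macOS, BSDs
    ]);
    foreach ($candidates as $path) {
        if (is_string($path) && $path !== '' && is_file($path) && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

function harden_curl_handle($ch): void
{
    $bundle = find_ca_bundle();
    if ($bundle === null) {
        // Fail closed: a missing bundle must not lead to verification being switched off.
        throw new RuntimeException('No CA bundle found; refusing to send the request unverified.');
    }
    curl_setopt_array($ch, [
        CURLOPT_SSL_VERIFYPEER => true,  // validate the certificate chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate name must match the requested host
        CURLOPT_CAINFO         => $bundle,
    ]);
}

$ch = curl_init('https://example.com/');  // placeholder URL
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
harden_curl_handle($ch);
if (curl_exec($ch) === false) {
    // A certificate or host-name mismatch is reported here instead of being ignored.
    fwrite(STDERR, 'Request failed: ' . curl_error($ch) . PHP_EOL);
}
```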