使用 CURLOPT_SSL_VERIFYHOST 的替代方法，2 [英] Alternative for using CURLOPT_SSL_VERIFYHOST, 2

问题描述

我正在使用 John Conde 编写的 auth.net XML 类，http://www.johnconde.net/blog/tutorial-integrate-authorize-net-xml-api-universal-php-class/,.其中有两行.

I am using the auth.net XML class written by John Conde, http://www.johnconde.net/blog/tutorial-integrate-authorize-net-xml-api-universal-php-class/,. In it it has two lines.

curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($this->ch, CURLOPT_CAINFO, dirname(__FILE__) . '/ssl/cert.pem');

我可以用

curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl,CURLOPT_CAINFO, NULL);
curl_easy_setopt(curl,CURLOPT_CAPATH, NULL);

我可能无法获取 .pem 文件或创建它所需的信息.这种替代方案是否同样安全?

I might not be able to get the .pem file, or info I need to create it. Would this alternative be just as secure?

推荐答案

这种替代方案是否同样安全?

Would this alternative be just as secure?

不，禁用 CURLOPT_SSL_VERIFYHOST 或 CURLOPT_SSL_VERIFYPEER 将允许可能的 MITM 攻击(请参阅 这个答案).

No, disabling CURLOPT_SSL_VERIFYHOST or CURLOPT_SSL_VERIFYPEER would allow for possible MITM attacks (see this answer).

我可能无法获取 .pem 文件或创建它所需的信息

I might not be able to get the .pem file, or info I need to create it

您创建它所需的信息最终取决于您的判断，选择您想要信任的 CA.浏览器和操作系统往往会为您预先选择.Curl 带有一个方便的脚本和使用 Firefox CA 选择的 CA 包(这个选择是不定时更新).某些 Linux 发行版还提供您可以使用的默认 CA 包文件.

The info you need to create it is ultimately a judgement call from you, choosing which CAs you want to trust. Browsers and OSes tend to make a pre-selection for you. Curl comes with a convenient script and CA bundle using the Firefox CA selection (this selection is updated once in a while). Some Linux distributions also provide a default CA bundle file that you may be able to use.

这篇关于使用 CURLOPT_SSL_VERIFYHOST 的替代方法，2的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！