php 5.6 ssl certificate verify


Problem description

I am trying to debug a problem with ssl certificate verification and have determined that openssl_get_cert_locations() is returning incorrect paths. (See below)

How do I figure out how to set this? I looked in the php.ini file and couldn't find this reference anywhere.

cmuench-air:bin cmuench$ ./php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/private
    [default_default_cert_area] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl
    [ini_cafile] => 
    [ini_capath] => 
)

php.ini (relevant parts)...I don't see bitnami/mampstack56Dev anywhere...

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

;Curl ca bundle certificate
curl.cainfo="/Applications/phppos/common/openssl/certs/curl-ca-bundle.crt"

I know this is dumb but there are times where the ssl certificate will be self signed. Is there an ini setting I can modify to disable checking all certificates? or do I have to do this in code for sockets and curl?

Recommended answer

If you check the PHP source for the openssl_get_cert_locations() function, it is getting those locations by calling various OpenSSL functions such as X509_get_default_cert_file and looking at php.ini values openssl.cafile and openssl.capath described here.

What certificates/paths are you looking for exactly? If you are trying to get a CA bundle file you could set the above referenced php.ini values so they are returned by openssl_get_cert_locations.

The default php.ini file for PHP 5.6 has no default settings for those OpenSSL ini settings as they need to be defined manually. This configuration is located near the end of php.ini

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

When using cURL, if you want to disable cert validation, you can pass these options to curl_setopt():

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);  // shouldn't need this

CURLOPT_SSL_VERIFYPEER is described as:

FALSE to stop cURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.

CURLOPT_SSL_VERIFYHOST is described as:

1 to check the existence of a common name in the SSL peer certificate. 2 to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (default value).

If you have CA files, you can use the option CURLOPT_CAINFO to provide the full path to the file holding one or more certificates to verify the peer with.

To disable checking for a stream opened with fsockopen, try:

<?php
$context = stream_context_create();
$result = stream_context_set_option($context, 'ssl', 'verify_peer', false);

$socket = stream_socket_client('ssl://'.$host . ':443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context); 

See SSL Context Options for more info and stream_socket_client().
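The answer above shows how to turn verification off. The following is an added example (not part of the original question or answer) showing the opposite, hardened form for both stream wrappers and cURL: pick a CA bundle explicitly from php.ini, from what openssl_get_cert_locations() reports, or from a fallback path, and keep peer and hostname verification on. For a self-signed server certificate, point the CA file at that certificate instead of disabling checks. The host name, the Debian-style fallback path and the function names are assumptions for illustration.

```php
<?php
// Added example, not the original answer's code. Keeps SSL verification ON
// and makes the trust anchor explicit instead of relying on build-time paths.

/**
 * Resolve a readable CA bundle. Order: php.ini values, then the locations
 * OpenSSL was compiled with, then an assumed OS bundle path (Debian/Ubuntu).
 * For a self-signed server, put the server's own PEM cert here instead.
 */
function resolveCaFile() {
    $loc = openssl_get_cert_locations();
    $candidates = array(
        ini_get('openssl.cafile'),
        ini_get('curl.cainfo'),
        $loc['ini_cafile'],
        $loc['default_cert_file'],
        '/etc/ssl/certs/ca-certificates.crt', // assumed fallback path
    );
    foreach ($candidates as $path) {
        if ($path !== false && $path !== '' && is_readable($path)) {
            return $path;
        }
    }
    throw new RuntimeException('No readable CA bundle found; set openssl.cafile in php.ini');
}

/** Stream context that verifies the chain and the hostname (PHP 5.6+ options). */
function secureStreamContext($host, $cafile) {
    return stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
        'peer_name'         => $host,
    )));
}

/** cURL handle with the same trust anchor; VERIFYHOST stays at 2 (hostname match). */
function secureCurlHandle($url, $cafile) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_CAINFO, $cafile);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Usage; the host is an assumption for illustration.
$host   = 'example.com';
$cafile = resolveCaFile();

$context = secureStreamContext($host, $cafile);
$socket  = @stream_socket_client('ssl://' . $host . ':443', $errno, $errstr, 30,
                                 STREAM_CLIENT_CONNECT, $context);
if ($socket === false) {
    echo "stream: verification failed: $errstr ($errno)\n";
} else {
    fclose($socket);
    echo "stream: peer verified against $cafile\n";
}

$ch = secureCurlHandle('https://' . $host . '/', $cafile);
if (curl_exec($ch) === false) {
    echo 'curl: ' . curl_error($ch) . "\n";
} else {
    echo "curl: peer verified against $cafile\n";
}
curl_close($ch);
```

Because the CA file is resolved at runtime and logged on failure, a wrong compiled-in path such as the /bitnami/... one in the question surfaces as a clear "No readable CA bundle found" error rather than a silent verification failure, and the fix is a php.ini value (openssl.cafile or curl.cainfo) rather than disabling verification.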
