如何在ssl://传输的PHP流上下文中强制使用某个TLS版本? [英] How to force a certain TLS version in a PHP stream context for the ssl:// transport?
问题描述
当尝试访问https URL时,如何在PHP流上下文中强制使用TLSv1.0?
How can I force TLSv1.0 in a PHP stream context when trying to access an https URL?
我正在寻找与此类似的东西:
I’m looking for something along the lines of this:
$context = stream_context_create(
array(
'ssl' => array(
'protocol_version' => 'tls1',
),
));
file_get_contents('https://example.com/test', false, $context);
背景
实际上,我遇到的是 Ubuntu 12.04中的问题当使用PHP的 SoapClient 时.不幸的是,我尝试连接的服务器仅支持SSLv3.0/TLSv1.0,并且在默认的TLSv1.1协商中失败.因此,我想将ssl://传输协议明确设置为TLSv1.0.
Background
Actually I’m facing an issue in Ubuntu 12.04 when working with PHP’s SoapClient. Unfortunately, the server I’m trying to connect to does only support SSLv3.0/TLSv1.0 and fails on the default TLSv1.1 negotiation. Therefore I’d like to explicitly set the protocol of the ssl:// transport to TLSv1.0.
推荐答案
PHP 5.6+用户
在撰写本文时,PHP5.6在Beta1中,因此并不太有用.未来的人-幸运的你!
未来在我们身上. PHP 5.6是一回事,应鼓励使用它.请注意,它会弃用某些相当广泛使用的东西,例如mysql_ *函数,因此在升级时应格外小心.
The future is upon us. PHP 5.6 is a thing and its use should be encouraged. Be aware that it deprecates some fairly widely used things like mysql_* functions so care should be taken when upgrading.
其他人
@toubsen的回答是正确的-这不是直接可能的.要详细说明他建议的解决方法...当解决供应商的API服务器无法正确协商TLSv1.2降至其支持的TLSv1.0的问题时,发送一小部分密码似乎可以使协商正确完成.流上下文代码为:
@toubsen is correct in his answer - this isn't directly possible. To elaborate on his suggested workarounds... when working around a problem where a supplier's API server wasn't correctly negotiating TLSv1.2 down to its supported TLSv1.0, sending a small subset of ciphers seemed to allow negotiation to complete correctly. Stream context code is:
$context = stream_context_create(
[
'ssl' => [
'ciphers' => 'DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5',
],
]
);
SOAP用户
PHP的SOAP客户端不使用curl,也似乎不使用stream_context_set_default设置的默认上下文.这样,需要将创建的上下文在第二个参数中传递给SOAPClient构造函数,如下所示:
PHP's SOAP client doesn't use curl, nor does it seem to use the default context set with stream_context_set_default. As such, the created context needs to be passed to the SOAPClient constructor in the 2nd parameter as such:
$soap_client = new SOAPClient('http://webservices.site.com/wsdlfile.wsdl', array('stream_context' => $context));
为什么使用这些密码?
在服务器上运行命令openssl ciphers会以上述格式为您提供支持的密码列表.运行openssl ciphers -v会告诉您那些特定于TLSv1.2的内容.上面的列表是根据OpenSSL报告的所有非TLSv1.2密码编制而成的.
Running the command openssl ciphers on the server gives you a list of supported ciphers in the above format. Running openssl ciphers -v tells you those that are TLSv1.2 specific. The above list was compiled from all of the non-TLSv1.2 ciphers reported by OpenSSL.
openssl ciphers -v | grep -v 'TLSv1.2' | cut -d ' ' -f 1 | tr "\n" ':'
这篇关于如何在ssl://传输的PHP流上下文中强制使用某个TLS版本?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
