Alternative for using CURLOPT_SSL_VERIFYHOST, 2
Problem description
I am using the auth.net XML class written by John Conde, http://www.johnconde.net/blog/tutorial-integrate-authorize-net-xml-api-universal-php-class/. In it, it has two lines:
curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($this->ch, CURLOPT_CAINFO, dirname(__FILE__) . '/ssl/cert.pem');
Can I replace them with:
curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl,CURLOPT_CAINFO, NULL);
curl_easy_setopt(curl,CURLOPT_CAPATH, NULL);
I might not be able to get the .pem file, or info I need to create it. Would this alternative be just as secure?
Recommended answer
Would this alternative be just as secure?
No, disabling CURLOPT_SSL_VERIFYHOST or CURLOPT_SSL_VERIFYPEER would allow for possible MITM attacks (see this answer).
I might not be able to get the .pem file, or info I need to create it
The info you need to create it is ultimately a judgement call from you, choosing which CAs you want to trust. Browsers and OSes tend to make a pre-selection for you. Curl comes with a convenient script and CA bundle using the Firefox CA selection (this selection is updated once in a while). Some Linux distributions also provide a default CA bundle file that you may be able to use.
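The following is an added example, not code from the original post or from John Conde's class. It keeps both verification options on and picks a CA bundle from a list of candidate paths, failing closed when none is usable. The helper names, the candidate paths other than `ssl/cert.pem`, and the URL are assumptions.

```php
<?php
// Added example: hypothetical helpers, not part of the class discussed above.

// Return the first candidate that is a readable file containing a PEM certificate.
function find_ca_bundle(array $candidates): ?string
{
    foreach ($candidates as $path) {
        if (is_file($path) && is_readable($path)) {
            $head = file_get_contents($path, false, null, 0, 65536);
            if ($head !== false && strpos($head, '-----BEGIN CERTIFICATE-----') !== false) {
                return $path;
            }
        }
    }
    return null;
}

// Build a cURL handle with peer and host verification enabled.
function make_verified_handle(string $url, array $candidates)
{
    $bundle = find_ca_bundle($candidates);
    if ($bundle === null) {
        // Fail closed: never fall back to CURLOPT_SSL_VERIFYPEER = 0.
        throw new RuntimeException('No CA bundle found; refusing to connect unverified');
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // validate the chain against the bundle
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // certificate name must match the host
    curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Candidate locations (assumptions; adjust to the deployment).
$candidates = [
    __DIR__ . '/ssl/cert.pem',            // bundle placed beside the class, as in the question
    '/etc/ssl/certs/ca-certificates.crt', // Debian/Ubuntu default bundle
    '/etc/pki/tls/certs/ca-bundle.crt',   // RHEL/Fedora default bundle
    '/etc/ssl/cert.pem',                  // Alpine, macOS
];

$ch = make_verified_handle('https://example.com/', $candidates); // placeholder URL
$body = curl_exec($ch);
if ($body === false) {
    // Verification failures surface here instead of being silently ignored.
    fwrite(STDERR, 'cURL error ' . curl_errno($ch) . ': ' . curl_error($ch) . PHP_EOL);
}
```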