Alternative for using CURLOPT_SSL_VERIFYHOST, 2


Question

I am using the auth.net XML class written by John Conde, http://www.johnconde.net/blog/tutorial-integrate-authorize-net-xml-api-universal-php-class/. In it it has two lines.

curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($this->ch, CURLOPT_CAINFO, dirname(__FILE__) . '/ssl/cert.pem');

Can I replace it with

curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl,CURLOPT_CAINFO, NULL);
curl_easy_setopt(curl,CURLOPT_CAPATH, NULL);

I might not be able to get the .pem file, or info I need to create it. Would this alternative be just as secure?

Recommended answer

Would this alternative be just as secure?

No, disabling CURLOPT_SSL_VERIFYHOST or CURLOPT_SSL_VERIFYPEER would allow for possible MITM attacks (see this answer).

I might not be able to get the .pem file, or info I need to create it

The info you need to create it is ultimately a judgement call from you, choosing which CAs you want to trust. Browsers and OSes tend to make a pre-selection for you. Curl comes with a convenient script and CA bundle using the Firefox CA selection (this selection is updated once in a while). Some Linux distributions also provide a default CA bundle file that you may be able to use.
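
The approach the answer recommends (keep verification on and point curl at a CA bundle you trust) can look like the following in PHP. This is an added example, not code from the answer or from John Conde's class; the function names and the `ssl/cacert.pem` location are assumptions, and the system paths are the usual distribution defaults, which may differ on your host.

```php
<?php
// Added example: keep TLS verification enabled and select a CA bundle.
// The first candidate assumes a bundle (for instance curl's published
// cacert.pem) was saved beside this file; that layout is hypothetical.
const CA_BUNDLE_CANDIDATES = [
    __DIR__ . '/ssl/cacert.pem',            // bundle shipped with the app
    '/etc/ssl/certs/ca-certificates.crt',   // Debian, Ubuntu
    '/etc/pki/tls/certs/ca-bundle.crt',     // RHEL, Fedora, CentOS
    '/etc/ssl/ca-bundle.pem',               // openSUSE
    '/etc/ssl/cert.pem',                    // Alpine, macOS
];

// Return the first candidate that is a readable file containing at least
// one PEM certificate, or null when none qualifies.
function findCaBundle(array $candidates): ?string
{
    foreach ($candidates as $path) {
        if (!is_file($path) || !is_readable($path)) {
            continue;
        }
        $pem = (string) file_get_contents($path);
        if (strpos($pem, '-----BEGIN CERTIFICATE-----') !== false) {
            return $path;
        }
    }
    return null;
}

// Build a curl handle with both checks on: certificate chain validation
// (VERIFYPEER) and hostname matching (VERIFYHOST = 2).
function openVerifiedHandle(string $url, ?string $bundle)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    if ($bundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    }
    // With no bundle set, libcurl uses its built-in default store; since
    // verification stays on, an untrusted certificate makes curl_exec()
    // return false instead of silently succeeding.
    return $ch;
}

$bundle = findCaBundle(CA_BUNDLE_CANDIDATES);
echo 'CA bundle in use: ', $bundle ?? '(libcurl default)', PHP_EOL;
$ch = openVerifiedHandle('https://example.com/', $bundle); // placeholder URL
```

Call `curl_exec($ch)` on the returned handle and check `curl_error($ch)` when it returns false; a certificate failure then surfaces as an error rather than as an unverified connection.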
