SSL/TLS握手中的某处发生了问题 [英] A problem occurred somewhere in the SSL/TLS handshake

问题描述

我在开发服务器上遇到了问题，尽管cURL可以与任何HTTP完美配合，但不能与任何HTTPS正常配合使用-即使是使用不同协议的完全相同的资源(出于测试目的，我一直在要求google.com同时使用HTTP和HTTPS.

I've been having problems on my development server where cURL, while working perfectly with anything HTTP, does not function properly with anything HTTPS—even the exact same resource with different protocols (for testing I've been requesting google.com using both HTTP and HTTPS).

返回的cURL错误为35:

The cURL error returned is 35:

SSL/TLS握手中的某个地方发生了问题.

A problem occurred somewhere in the SSL/TLS handshake.

我已经梳理了网络和SO的解决方案，所有这些解决方案要么是将CURLOPT_SSL_VERIFYPEER设置为false(不更改任何内容)，要么下载证书文件并将CURLOPT_CAINFO设置为其路径，这也没有任何更改.

I have combed the web and SO for solutions, and all of them have been to either set CURLOPT_SSL_VERIFYPEER to false, which changes nothing, or to download the certificate file and set CURLOPT_CAINFO to its path, which also changes nothing.

设置证书时，我遵循本教程，尝试同时下载我请求的资源的证书和下载证书包.

When setting a certificate, I followed the instructions of this tutorial and this tutorial, trying to both download the certificate for the resource I'm requesting, and downloading a cert bundle.

我还尝试将CURLOP_PORT显式设置为443.为使问题更透彻，我设置的其他选项包括CURLOPT_VERBOSE = true，CURLOPT_RETURNTRANSFER = true和CURLOPT_SSL_VERIFYHOST = 2(我尝试将1和2的每个组合与VERIFYPEER(正确和错误).我还确保在 phpinfo()中使用OpenSSL并将其启用.

I've also tried explicitly setting CURLOP_PORT to 443. For thoroughness of my question, other options I set are CURLOPT_VERBOSE=true, CURLOPT_RETURNTRANSFER=true, and CURLOPT_SSL_VERIFYHOST=2 (I've tried every combination of 1, and 2 with VERIFYPEER both true and false). I also have made sure in phpinfo() that I have OpenSSL and it is enabled.

我使用了许多旧代码，这些代码在我的上一个生产服务器上运行良好，因此该代码以前就可以运行.但是该托管是共享托管，我不知道那里的大多数配置.

I'm using a lot of old code that worked perfectly on my last production server, so this code has worked before. But that hosting was shared hosting and I don't know most of the configuration there.

推荐答案

Curl没有内置的根证书(就像大多数现代浏览器一样).您需要将其明确指向cacert.pem文件:

Curl doesn't have built-in root certificates (like most modern browser do). You need to explicitly point it to a cacert.pem file:

  curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cert/file/cacert.pem');

否则，curl无法验证通过ssl发送回的证书.每次在curl中使用SSL时，都可以使用相同的根证书文件.

Without this, curl cannot verify the certificate sent back via ssl. This same root certificate file can be used every time you use SSL in curl.

您可以在此处获取cacert.pem文件: http://curl.haxx.se/docs/caextract.html

You can get the cacert.pem file here: http://curl.haxx.se/docs/caextract.html

这篇关于SSL/TLS握手中的某处发生了问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！