使用 php 通过 https 加载外部 xml 文件时出错:SSL3_GET_SERVER_CERTIFICATE [英] Error when loading external xml file with php via https : SSL3_GET_SERVER_CERTIFICATE

问题描述

我无法加载 xml 文件.

I can't get a xml file to load.

此代码效果很好:

$url = 'http://www.w3schools.com/xml/note.xml';
$xml = simplexml_load_file($url);
print_r($xml);

但是这个

$url = 'https://www.boardgamegeek.com/xmlapi2/thing?id=105551';
$xml = simplexml_load_file($url);
print_r($xml);

不起作用.我收到此错误:

doesn't work. I get this error:

警告:simplexml_load_file():SSL 操作失败，代码为 1.OpenSSL 错误消息:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:/storage/content/59/113059/boardgamelevelup.com/public_html/index 中的证书验证失败.第 19 行的 php 警告:simplexml_load_file():无法在第 19 行的/storage/content/59/113059/boardgamelevelup.com/public_html/index.php 中启用加密警告:simplexml_load_file(https://www.boardgamegeek.com/xmlapi2/thing?id=105551):无法打开流:操作失败/storage/content/59/113059/boardgamelevelup.com/public_html/index.php 第 19 行警告:simplexml_load_file():I/O 警告:无法加载外部实体https://www.boardgamegeek.com/xmlapi2/thing?id=105551" 在/storage/content/59/113059/boardgamelevelup.com/public_html/index.php 第 19 行

Warning: simplexml_load_file(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /storage/content/59/113059/boardgamelevelup.com/public_html/index.php on line 19 Warning: simplexml_load_file(): Failed to enable crypto in /storage/content/59/113059/boardgamelevelup.com/public_html/index.php on line 19 Warning: simplexml_load_file(https://www.boardgamegeek.com/xmlapi2/thing?id=105551): failed to open stream: operation failed in /storage/content/59/113059/boardgamelevelup.com/public_html/index.php on line 19 Warning: simplexml_load_file(): I/O warning : failed to load external entity "https://www.boardgamegeek.com/xmlapi2/thing?id=105551" in /storage/content/59/113059/boardgamelevelup.com/public_html/index.php on line 19

boardgamegeek 的 xml 文件适用于其他网站.我应该使用不同的 php 代码来加载那个 xml 文件吗?

The xml file from boardgamegeek works on other sites. Should I use a different php code to load that xml file?

推荐答案

简短的食谱答案:

1. 下载https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt 并将该文件放在您的服务器上.

2. 添加

1. Download https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt and place that file on your server.

2. Add

$context = stream_context_create(array('ssl'=>array(
    'verify_peer' => true,
    'cafile' => '/path/to/ca-bundle.crt'
)));
libxml_set_streams_context($context);

添加到您的脚本中，以便在 simplexml_load_file() 之前执行.
或者 - 而不是上面的代码 - 在你的 php.ini 中设置 openssl.cafile=/path/to/ca-bundle.crt.

to your script so it gets executed before simplexml_load_file().
Or - instead of the code above - set openssl.cafile=/path/to/ca-bundle.crt in your php.ini.

非常简短的说明:
您的 php 版本使用 openssl 来处理 https 传输.openssl 尝试验证服务器是否真的是它声称的那样.它通过检查其证书是否受信任来做到这一点.X.509 证书包含有关所有者的一些数据并由颁发者签名(其本身具有再次签名的证书，依此类推，直到所有者和颁发者相同的证书 -> 自签名/根证书).如果在该证书链中(至少)有一个证书，openssl 在其上说":好吧，我已经指示信任这个证书"，则该证书被认为是受信任的".此说明采用(或可以采用)这是一个包含您应该信任的证书的文件"(cafile)的形式.
上面的代码告诉php的libxml-wrapper在simplexml_load_file使用https/openssl-wrapper时告诉openssl那个cafile在哪里.
而 openssl.cafile=/path/to/ca-bundle.crt 只是将其设置为默认值；除非另有说明，否则所有 openssl 操作都将使用该文件 - 包括 libxml/simple_xml_loadfile.

Very short explaination:
Your php version uses openssl to handle the https transport. openssl tries to verify whether the server really is who it claims to be. It does that by checking whether its certificate is trusted. A X.509 certificate contains some data about the owner and is signed by an issuer (itself having a certificate that is again signed and so on and on until a certificate where owner and issuer are identical -> self-signed/root certificate). A certificate is considered "trusted" if in that chain of certificates there is (at least) one certificate on which openssl "says": "ok, I have been instructed to trust this one". This instruction takes the form of (or can take the form of) "here's a file containing certificates that you're supposed to trust" (cafile).
The above code tells the libxml-wrapper of php to tell openssl where that cafile is when simplexml_load_file uses the https/openssl-wrapper.
And openssl.cafile=/path/to/ca-bundle.crt just sets it as default; unless instructed otherwise all openssl operations will use that file - including libxml/simple_xml_loadfile.

我链接到的 ca-bundle.crt 来自一个声称"提供 mozilla firefox 附带的提取根证书的项目.关于声明":我没有理由怀疑这确实是未篡改的根证书列表；但你永远不知道:你信任 a) 这个项目 b) mozilla 做得很好，只把值得信赖的证书放在那个列表中......

The ca-bundle.crt I've linked to is from a project that "claims" to provide the extracted root certificates as shipped with mozilla firefox. Regarding "claims": I have no reason to doubt that this really is the untampered root cert list; but you never know: You're putting your trust a) in this project and b) mozilla doing a good job and only putting trustworthy certificates in that list....

更多解释见http://phpsecurity.readthedocs.org/en/latest/Transport-Layer-Security-%28HTTPS-SSL-and-TLS%29.html#php-streams

这篇关于使用 php 通过 https 加载外部 xml 文件时出错:SSL3_GET_SERVER_CERTIFICATE的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！