SSL/TLS 握手中某处出现问题 [英] A problem occurred somewhere in the SSL/TLS handshake

问题描述

我在我的开发服务器上遇到了问题，其中 cURL 在与任何 HTTP 完美配合时，在任何 HTTPS 上都无法正常运行——即使是使用不同协议的完全相同的资源(为了测试，我一直在请求 google.com同时使用 HTTP 和 HTTPS).

I've been having problems on my development server where cURL, while working perfectly with anything HTTP, does not function properly with anything HTTPS—even the exact same resource with different protocols (for testing I've been requesting google.com using both HTTP and HTTPS).

返回的 cURL 错误为 35:

The cURL error returned is 35:

SSL/TLS 握手中的某处出现问题.

A problem occurred somewhere in the SSL/TLS handshake.

我已经梳理了网络和 SO 的解决方案，所有这些都是将 CURLOPT_SSL_VERIFYPEER 设置为 false，这没有任何改变，或者下载证书文件并将 CURLOPT_CAINFO 设置为其路径，这也没有任何改变.

I have combed the web and SO for solutions, and all of them have been to either set CURLOPT_SSL_VERIFYPEER to false, which changes nothing, or to download the certificate file and set CURLOPT_CAINFO to its path, which also changes nothing.

设置证书时，我按照本教程 和本教程，尝试下载我请求的资源的证书，并下载证书包.

When setting a certificate, I followed the instructions of this tutorial and this tutorial, trying to both download the certificate for the resource I'm requesting, and downloading a cert bundle.

我还尝试将 CURLOP_PORT 显式设置为 443.为了我的问题的彻底性，我设置的其他选项是 CURLOPT_VERBOSE=true、CURLOPT_RETURNTRANSFER=true 和 CURLOPT_SSL_VERIFYHOST=2(我已经尝试了 1 和 2 的每种组合VERIFYPEER 真假).我还在 phpinfo() 中确保我有 OpenSSL 并且它已启用.

I've also tried explicitly setting CURLOP_PORT to 443. For thoroughness of my question, other options I set are CURLOPT_VERBOSE=true, CURLOPT_RETURNTRANSFER=true, and CURLOPT_SSL_VERIFYHOST=2 (I've tried every combination of 1, and 2 with VERIFYPEER both true and false). I also have made sure in phpinfo() that I have OpenSSL and it is enabled.

我使用了很多在我的上一个生产服务器上完美运行的旧代码，所以这段代码以前也能运行.但是那个托管是共享托管，我不知道那里的大部分配置.

I'm using a lot of old code that worked perfectly on my last production server, so this code has worked before. But that hosting was shared hosting and I don't know most of the configuration there.

推荐答案

Curl 没有内置根证书(就像大多数现代浏览器一样).您需要明确地将其指向 cacert.pem 文件:

Curl doesn't have built-in root certificates (like most modern browser do). You need to explicitly point it to a cacert.pem file:

  curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cert/file/cacert.pem');

没有这个，curl 无法验证通过 ssl 发回的证书.每次在 curl 中使用 SSL 时都可以使用相同的根证书文件.

Without this, curl cannot verify the certificate sent back via ssl. This same root certificate file can be used every time you use SSL in curl.

您可以在此处获取 cacert.pem 文件:http://curl.haxx.se/docs/caextract.html

You can get the cacert.pem file here: http://curl.haxx.se/docs/caextract.html

这篇关于SSL/TLS 握手中某处出现问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！