PHP CURL CURLOPT_SSL_VERIFYPEER 被忽略 [英] PHP CURL CURLOPT_SSL_VERIFYPEER ignored

问题描述

出于某种原因，我无法在 HTTPS 中使用 CURL.一切正常，直到我升级 curl 库.现在，我在尝试执行 CURL 请求时遇到此响应:SSL CA 证书问题(路径?访问权限?)

For some reason I am unable to use CURL with HTTPS. Everything was working fine untill I ran upgrade of curl libraries. Now I am experiencing this response when trying to perform CURL requests: Problem with the SSL CA cert (path? access rights?)

根据此处发布的有关相关问题的建议，我尝试执行以下操作:

Following suggestions posted here on related issues I have tried to do the following:

• 禁用主机和对等方的验证

• Disable verification for host and peer

curl_setopt($cHandler, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($cHandler, CURLOPT_SSL_VERIFYPEER, true);

启用 CURLOPT_SSL_VERIFYPEER 并指向从 下载的 cacert.pemhttp://curl.haxx.se/docs/caextract.html

curl_setopt($cHandler, CURLOPT_SSL_VERIFYPEER, true);  
curl_setopt($cHandler, CURLOPT_CAINFO, getcwd() . "/positiveSSL.ca-bundle");

我也尝试使用 positiveSSL.ca-bundle 做同样的事情，它作为我尝试连接的服务器的捆绑 CA 证书提供.

I also tried to do the same thing with positiveSSL.ca-bundle which was provided as bundle CA certificate for the server I am trying to connect to.

使用 curl.cainfo=cacert.pem 编辑 php ini 设置(文件在同一目录中并且可以被 apache 访问)

Edit php ini settings with curl.cainfo=cacert.pem (file in the same directory and accessible by apache)

将/etc/pki/nssdb重命名为/etc/pki/nssdb.old

不幸的是，以上方法均无法解决我的问题，而且我不断收到 SSL CA 证书问题(路径?访问权限?)消息.

Unfortunatelly none of the above are able to solve my problem and I constantly get Problem with the SSL CA cert (path? access rights?) message.

而且我一开始就不需要这个验证(我知道有安全问题).

And I don't need this verification in the first place (I am aware of security issues).

大家还有什么建议吗?

更新

更新到最新的库并重新启动整个机器后，不仅仅是我正在做的 apache 现在似乎又开始工作了！！！

After updating to the latest libraries and restart of the whole box, not just apache which I was doing it all seems to be working now again!!!

推荐答案

根据文档:要验证主机或对等证书，您需要使用 CURLOPT_CAINFO 选项指定备用证书或证书目录可以使用 CURLOPT_CAPATH 选项指定.

According to documentation: to verify host or peer certificate you need to specify alternate certificates with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.

另看CURLOPT_SSL_VERIFYHOST:

• 1 检查 SSL 对等证书中是否存在通用名称.
• 2 检查通用名称是否存在，并验证它是否与提供的主机名匹配.

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

这篇关于PHP CURL CURLOPT_SSL_VERIFYPEER 被忽略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！