为 SSL 配置 cURL [英] Configuring cURL for SSL

问题描述

我们的网站最近从 http 转移到了 https.它有我们客户调用的 REST API 调用，但现在不起作用:

Our site recently shifted from http to https. It has REST API calls called by our customers which is now not working:

SSL 前的 cURL(工作):

cURL before SSL (working):

$ch = curl_init();

curl_setopt($ch,CURLOPT_URL,$api_call_url);
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 

$result = curl_exec($ch);

curl_close($ch);

SSL 后的 cURL(不起作用):

cURL after SSL(not working):

$ch = curl_init();

curl_setopt($ch,CURLOPT_URL,$api_call_url);
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, "/customers_path_on_their_server/to/our_cacert_they_exported_via_firefox.crt");   //X.509 Certificate

$result = curl_exec($ch);

curl_close($ch);

除了要求客户端在他们的 REST 集成代码上添加 CURLOPT_SSL_VERIFYPEER、CURLOPT_SSL_VERIFYHOST、CURLOPT_CAINFO 之外，我是否需要在我们的服务器上设置任何东西?

Do I need to setup anything on our server other than ask client to add CURLOPT_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST, CURLOPT_CAINFO on their REST integration code?

我真的是一个 https 新手，我不知道我需要搜索的术语到底是什么，已经搜索了几个小时的 cURL SSL...

I'm really a newbie in https and I don't know what exactly is the term I need to search, searched cURL SSL for hours already...

顺便说一句，如果该信息很重要，我们的网站正在使用亚马逊 ec2 托管...

BTW, our site is using amazon ec2 hosting if that information is important...

这是返回的 cURL 错误:

Here is the returned cURL error:

 error:SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

<小时>

卷曲版本:7.21.6

---

cURL version: 7.21.6

SSL 版本:OpenSSL/1.0.0e

SSL version: OpenSSL/1.0.0e

推荐答案

不要像其他人通常建议的那样关闭对等和主机验证.这是解决实际问题的不安全方法.这些功能的存在有充分的理由:因此您可以通过 3rd 方相信您所连接的系统是您期望的系统.

Do not turn off peer and host verification as others often suggest. This is an insecure workaround to the real problem. These features exist for good reason: so you can trust, via 3rd party, that the system you're connecting to is the one you expect.

首先查看您的操作系统是否包含证书目录.通常包括证书颁发机构.例如，在 Ubuntu 上，它通常在目录 /etc/ssl/certs 中，而基于 Red Hat 的发行版会将它包含在 /etc/pki/tls/certs.如果此目录存在，设置CA路径参数:

First find if your OS includes a directory of certificates. Certificate authorities will often be included. On Ubuntu, for example, it's often in the directory /etc/ssl/certs, while Red Hat-based distros will include it in /etc/pki/tls/certs. If this directory exists, set the CA path parameter:

curl_setopt($ch, CURLOPT_CAPATH, '/etc/ssl/certs');

或者，您可以引用单个 CA 证书文件.在您的项目中包含 cacert.pem 文件或将其安装在您的服务器上.从可信来源下载，例如cacert.org.对于单个文件不要设置 CAPATH 而只设置 CAINFO:

Alternatively you can reference a single CA certificate file. Include a cacert.pem file in your project or install it on your server. Download from a trusted source, e.g. cacert.org. For a single file do not set the CAPATH and instead only set CAINFO:

curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');

这篇关于为 SSL 配置 cURL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！