Configuring cURL for SSL


Question

Our site recently shifted from http to https. It has REST API calls called by our customers which are now not working:

cURL before SSL (working):

$ch = curl_init();

curl_setopt($ch,CURLOPT_URL,$api_call_url);
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 

$result = curl_exec($ch);

curl_close($ch);

cURL after SSL (not working):

$ch = curl_init();

curl_setopt($ch,CURLOPT_URL,$api_call_url);
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, "/customers_path_on_their_server/to/our_cacert_they_exported_via_firefox.crt");   //X.509 Certificate

$result = curl_exec($ch);

curl_close($ch);

Do I need to set up anything on our server other than asking the client to add CURLOPT_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST, CURLOPT_CAINFO to their REST integration code?

I'm really a newbie at https and I don't know exactly what term I need to search for; I've searched cURL SSL for hours already...

BTW, our site is using Amazon EC2 hosting, if that information is important...

Here is the returned cURL error:

 error:SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed






cURL version: 7.21.6

SSL version: OpenSSL/1.0.0e

Recommended answer

Do not turn off peer and host verification as others often suggest. This is a quick but insecure workaround to the real problem. These features exist for good reason: so you can trust, via 3rd party, that the system you're connecting to is the one you expect.

Include a cacert.pem file in your project (downloaded from a trusted source, e.g. cacert.org) and turn on verification.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
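
Added example (not part of the original question or answer): a PHP helper that keeps the verification settings shown above and reports why a request failed, so a certificate problem like the error in the question can be told apart from other failures. The function name post_with_verification, the URL and the cacert.pem location are assumptions for illustration.

```php
<?php
// Added example; post_with_verification() is a hypothetical helper name.
function post_with_verification(string $url, array $fields, string $caBundle): array
{
    $result = ['ok' => false, 'tls_failure' => false, 'errno' => 0,
               'error' => '', 'status' => 0, 'body' => null];

    // Catch a wrong path up front; libcurl would otherwise report it as
    // error 77 (CA file could not be loaded).
    if (!is_readable($caBundle)) {
        $result['error'] = "CA bundle not readable: $caBundle";
        return $result;
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // chain must lead to a CA in $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate name must match the URL host
        CURLOPT_CAINFO         => $caBundle,
    ]);

    $body = curl_exec($ch);
    $result['errno']  = curl_errno($ch);
    $result['error']  = curl_error($ch);
    $result['status'] = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    // libcurl codes 51 and 60: certificate chain or host name failed
    // verification. Code 77: the CA file could not be loaded.
    $result['tls_failure'] = in_array($result['errno'], [51, 60, 77], true);
    if ($body !== false) {
        $result['ok']   = $result['status'] >= 200 && $result['status'] < 300;
        $result['body'] = $body;
    }
    return $result; // $ch is released when it goes out of scope
}

// Constructed values for illustration.
$r = post_with_verification('https://api.example.com/v1/orders',
                            ['order_id' => 42], __DIR__ . '/cacert.pem');
if ($r['tls_failure']) {
    // Keep verification on; the trust configuration is what needs fixing.
    error_log("TLS verification failed (curl {$r['errno']}): {$r['error']}");
} elseif (!$r['ok']) {
    error_log("Request failed: HTTP {$r['status']} {$r['error']}");
}
```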
