Using CURLOPT_CAINFO with updated CA bundle causes certificate verify failed


Question

I use cURL to verify PayPal transactions in a WordPress plugin. Recently I started receiving bug reports about users not being able to complete the purchase process because the transaction couldn't be verified. I tracked down the error to:

SSL certificate problem, verify that the CA cert is OK. Details: 
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I found a lot of questions here on StackOverflow related to the same problem; most of them said the solution was to provide a bundle of CAs using cURL's CURLOPT_CAINFO option. I downloaded, and currently ship with the plugin, the most recent version (converted on Jun 28, 2012) of http://curl.haxx.se/ca/cacert.pem. That solved most of the issues I had received.

The problem now is that I just received another report of failed payments and the error was the same: SSL certificate problem, verify that the CA cert is OK. The interesting part is that this time the solution was to remove the CURLOPT_CAINFO option. I'm wondering if there is an explanation for this. I thought using an updated CA bundle, such as the one I downloaded, was a general solution, but it appears to be otherwise.

What would be a general solution for this kind of problem? And what could explain that using the updated CA bundle causes SSL certificate problems instead of fixing them?

This is the cURL configuration:

<?php
    // Post the transaction data back to PayPal for verification.
    // $content holds the POST body, assembled earlier by the plugin.
    $ch = curl_init("https://www.paypal.com/cgi-bin/webscr");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    // Peer and host verification stay enabled.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // Absolute path to the CA bundle shipped with the plugin.
    curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
?>

UPDATE: The certificate for www.paypal.com is signed by VeriSign. The Certificate Hierarchy (as shown in Firefox) is:


  • VeriSign Class 3 Public Primary Certification Authority - G5

  • VeriSign Class 3 Extended Validation SSL CA

  • www.paypal.com

I can confirm the certificate for VeriSign Class 3 Public Primary Certification Authority - G5 is included in the version of http://curl.haxx.se/ca/cacert.pem that I'm using.

Thanks for your help.

Recommended answer

If you are having this problem, please do not disable peer and host verification as someone has suggested.

This will leave your communications open to potential man-in-the-middle attacks, defeating the purpose of using SSL in the first place.

One potential explanation for this issue is that setting your CURLOPT_CAINFO (especially to an incorrect certificate path - I would double-check this) overrode the default path on your server.

Once you removed the setting, it returned to its default (which can be set in PHP).

Another thing to keep in mind is that CURLOPT_CAINFO is an absolute path.
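The following is an added example, not code from the question or the answer above, showing how a plugin can apply the answer's advice: keep peer and host verification on, and only pass CURLOPT_CAINFO when the configured bundle is an absolute, readable PEM file, otherwise fall back to the server's default trust store and log why. The function names `resolveCaBundle` and `verifyWithPayPal`, the bundle path, and the contents of `$content` are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Requires the PHP cURL extension.

/**
 * Return an absolute path to a usable CA bundle, or null to let cURL use the
 * server default (php.ini curl.cainfo / openssl.cafile, or the system store).
 */
function resolveCaBundle(?string $configuredPath): ?string
{
    if ($configuredPath === null || $configuredPath === '') {
        return null;
    }
    // CURLOPT_CAINFO is taken as an absolute path by libcurl. realpath() turns a
    // relative path into an absolute one and returns false if it does not exist,
    // which is exactly the "incorrect certificate path" case the answer describes.
    $absolute = realpath($configuredPath);
    if ($absolute === false || !is_file($absolute) || !is_readable($absolute)) {
        error_log("CA bundle not usable at '$configuredPath'; using server default");
        return null;
    }
    // A bundle that exists but contains no PEM certificates is just as broken.
    $pem = file_get_contents($absolute);
    if ($pem === false || strpos($pem, '-----BEGIN CERTIFICATE-----') === false) {
        error_log("CA bundle at '$absolute' contains no PEM certificates; using server default");
        return null;
    }
    return $absolute;
}

/**
 * Post $content back to PayPal over verified TLS. Returns an array describing the
 * outcome; verification is never switched off, whatever the bundle situation.
 */
function verifyWithPayPal(string $content, ?string $caBundlePath = null): array
{
    $ch = curl_init('https://www.paypal.com/cgi-bin/webscr');
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // These two options are what make the connection trustworthy; leave them on.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    $bundle = resolveCaBundle($caBundlePath);
    if ($bundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    }

    $response = curl_exec($ch);
    $result = [
        'ok'        => $response !== false,
        'response'  => $response === false ? null : $response,
        'errno'     => curl_errno($ch),   // 77 (CURLE_SSL_CACERT_BADFILE): bad bundle file;
        'error'     => curl_error($ch),   // 60 (CURLE_SSL_CACERT): chain not trusted by bundle
        'ca_bundle' => $bundle,           // null means the server default store was used
    ];
    curl_close($ch);
    return $result;
}

// Usage: $content is the raw IPN body the plugin received (assumed to exist);
// the bundle path is the one shipped with the plugin.
// $result = verifyWithPayPal($content, __DIR__ . '/certs/cacert.pem');
// if (!$result['ok']) { error_log('PayPal verification failed: ' . $result['error']); }
```

The two cURL error numbers recorded in the result are worth distinguishing when triaging reports like the ones in the question: CURLE_SSL_CACERT_BADFILE (77) means libcurl could not load the file named in CURLOPT_CAINFO at all (wrong or relative path), while CURLE_SSL_CACERT (60) means the file loaded but the server's chain does not lead to a root it contains. Building the bundle path from `__DIR__` rather than a hard-coded string keeps it absolute regardless of the web server's working directory.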
