Using CURLOPT_CAINFO with updated CA bundle causes certificate verify failed
Problem description
I use cURL to verify PayPal transactions in a WordPress plugin. Recently I started receiving bug reports about users not being able to complete the purchase process because the transaction couldn't be verified. I tracked down the error to:
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I found a lot of questions here on StackOverflow related to the same problem; most of them said the solution was to provide a CA bundle using cURL's CURLOPT_CAINFO option. I downloaded, and currently ship with the plugin, the most recent version (converted on Jun 28, 2012) of http://curl.haxx.se/ca/cacert.pem. That solved most of the issues I had received.
The problem now is that I just received another report of failed payments and the error was the same: SSL certificate problem, verify that the CA cert is OK. The interesting part is that now the solution was to remove the CURLOPT_CAINFO option. I'm wondering if there is an explanation for this. I thought using an updated CA bundle, such as the one I downloaded, was a general solution, but it appears to be otherwise.
What would be a general solution for this kind of problem? And what could explain that using the updated CA bundle causes SSL certificate problems instead of fixing them?
This is the cURL configuration:
<?php
// $content holds the IPN/PDT payload to send back to PayPal (built elsewhere in the plugin)
$ch = curl_init("https://www.paypal.com/cgi-bin/webscr");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // verify the server certificate chain
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);      // verify the hostname matches the certificate
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');  // the shipped CA bundle
curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
?>
UPDATE: The certificate for www.paypal.com is signed by VeriSign. The Certificate Hierarchy (as shown in Firefox) is:
- VeriSign Class 3 Public Primary Certification Authority - G5
- VeriSign Class 3 Extended Validation SSL CA
- www.paypal.com
I can confirm the certificate for VeriSign Class 3 Public Primary Certification Authority - G5 is included in the version I'm using of http://curl.haxx.se/ca/cacert.pem.
Thanks for your help.
Recommended answer
If you are having this problem, please, do not disable peer and host verification as someone has suggested.
This will leave your communications open to potential man-in-the-middle attacks, defeating the purpose of using SSL in the first place.
One potential explanation for this issue is that setting your CURLOPT_CAINFO (especially to an incorrect certificate path - I would double-check this) overrode the default path on your server.
Once you removed the setting, it returned to its default (which can be set in PHP).
Another thing to keep in mind is that CURLOPT_CAINFO is an absolute path.
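As an added example (not the asker's or the answerer's code), here is one way to make the plugin's CA-bundle handling fail loudly instead of silently breaking verification: resolve the bundle to an absolute path, confirm it is readable and actually contains the expected root (the VeriSign G5 root from the question), and only then pass it to CURLOPT_CAINFO, keeping peer and host verification enabled in every case. The helper names and the assumption that cacert.pem sits next to this file are mine.

```php
<?php
// Added example: validate a shipped CA bundle before handing it to cURL.
// Peer and host verification stay on whether or not the bundle is used.

// Return the absolute path of the bundle, or null if it is not usable.
function resolve_ca_bundle($candidate) {
    $abs = realpath($candidate);            // CURLOPT_CAINFO expects an absolute path
    if ($abs === false || !is_file($abs) || !is_readable($abs)) {
        return null;
    }
    return $abs;
}

// Check that a PEM bundle contains a certificate whose subject CN equals $cn.
function bundle_contains_subject_cn($bundle_path, $cn) {
    $pem = file_get_contents($bundle_path);
    if ($pem === false) {
        return false;
    }
    // Split the bundle into its individual PEM certificate blocks.
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    foreach ($m[0] as $block) {
        $info = @openssl_x509_parse($block);
        if ($info !== false && isset($info['subject']['CN'])
            && in_array($cn, (array) $info['subject']['CN'], true)) {
            return true;
        }
    }
    return false;
}

// Configure $ch: use the shipped bundle only when it is sane, otherwise fall back
// to the system default CA store. Returns the path used, or null for the default.
function configure_ca_verification($ch, $bundle_candidate, $expected_root_cn) {
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // never turn these off
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $bundle = resolve_ca_bundle($bundle_candidate);
    if ($bundle !== null && bundle_contains_subject_cn($bundle, $expected_root_cn)) {
        curl_setopt($ch, CURLOPT_CAINFO, $bundle);
        return $bundle;
    }
    error_log("CA bundle '$bundle_candidate' unusable or missing '$expected_root_cn'; using default store");
    return null;
}

// Usage (assumed layout: cacert.pem shipped next to this file).
$ch = curl_init("https://www.paypal.com/cgi-bin/webscr");
configure_ca_verification($ch, __DIR__ . '/cacert.pem',
    'VeriSign Class 3 Public Primary Certification Authority - G5');
$response = curl_exec($ch);
if ($response === false) {
    error_log('cURL error: ' . curl_error($ch));   // surfaces the verify failure with details
}
```

Logging curl_error() on failure gives the exact verification message (bad path, unreadable file, or a real chain problem) instead of a bare "certificate verify failed".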