用于Web服务访问的PEM文件的来源 [英] Source of PEM files for web service access
问题描述
我应该更多地关注我的涵盖安全的课程。我很困惑的东西。首先,这里是我想要完成的背景。
我有一个我需要访问的Web服务。 Web服务设置为HTTPS。客户端和服务器之间的流量已加密(这与身份验证无关)。
我通过cURL和PHP与Web服务进行交互。我有一个例子,通过HTTP在本地工作,我相信我在正确的轨道,关于cURL / PHP的事情。
当使用HTTP版本的代码通过HTTPS访问Web服务时,我收到一个错误代码60SSL证书问题,验证(错误:14090086:SSL例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败)
从我的阅读,我需要一个PEM文件,我需要设置额外的cURL选项,如下:
- CURLOPT_CAINFO
- CURLOPT_SSLCERT
- CURLOPT_SSLKEYPASSWD
我的问题是得到PEM文件或者我是否可以简单地做它?这可能是一个明显的答案,因为我确定我错过了一些东西,但我想我只需要问和获得背景我
:网络服务使用的是由VeriSign签名的证书。所以它不是一个自签名证书。此外,Web服务由外部组织拥有和操作。谢谢。
尽管在提出这个问题之前就进行了搜索,但似乎我在一点点回头之后,第四与'thatidiotguy'(他的用户名,而不是我的名字为他。
cURL开箱即用,不信任任何CA(VeriSign或其他)。这需要在您的服务器上设置。要解决这个问题,你有两个选择。您可以使用以下命令绕过验证:
curl_setopt($ ch,CURLOPT_SSL_VERIFYPEER,false)
请注意,这不是最佳的安全性。任何由CA签发的证书都将被接受为受信任的证书。
正确的修复涉及获取原始证书(在我的情况下,这意味着Web服务)和导出证书作为X.509证书(PEM)。然后,证书需要适当移动到服务器,并设置以下配置:
curl_setopt($ ch,CURLOPT_SSL_VERIFYPEER,true);
curl_setopt($ ch,CURLOPT_SSL_VERIFYHOST,2); //检查公用名是否存在,并且它与服务器的主机名相匹配
curl_setopt($ ch,CURLOPT_CAINFO,getcwd()。/path/to/cert/my-exported.crt); // PEM file
: http://unitstep.net/blog/ 2009/05/05 / using-curl-in-php-to-access-https-ssltls-protected-sites /
I should have paid more attention to my classes that covered security. I'm quite confused about something. To start, here's the background of what I'm trying to accomplish.
I have a web service that I need to access. The web service is set up as HTTPS. The traffic between client and server is encrypted (this doesn't have to do with authentication).
I'm interacting with the web service via cURL and PHP. I've gotten an example to work locally over HTTP and I'm fairly confident I'm on the right track with regards to cURL/PHP side of things.
When using the HTTP version of the code to access a web service over HTTPS, I am getting an error code 60 "SSL certificate problem, verify that the CA cert is OK" (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
From my reading, it seems that I need a PEM file and I need to set additional cURL options such as the following:
- CURLOPT_CAINFO
- CURLOPT_SSLCERT
- CURLOPT_SSLKEYPASSWD
My question is how do I know where to get the PEM file or whether I can simply make it? This is probably going to be an obvious answer as I'm sure I'm missing something but I figure I just need to ask and get the background I'm missing.
Amendment: The web service is using a certificate signed by VeriSign. So it's not a self signed certificate. Also, the web service is owned and operated by an external organization.
Thanks.
Despite googling around prior to asking this, it seems I've stumbled upon the answer after a bit of back-n-fourth with 'thatidiotguy' (his user name, not my name for him. ;-) ).
cURL, out of the box, does not trust any CA (VeriSign or otherwise). This needs to be setup on your server. To "solve" the problem, you have two options. You can bypass the verification with the following command:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Note that this is not optimal with regards to security. Any certificate, signed by a CA or not, will be accepted as trusted.
The proper fix involves getting the original certificate (in my case this means the web service) and "exporting" the certificate as a X.509 Certificate (PEM). The certificate then needs to appropriately moved to the server and the following configurations set:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); //Check that the common name exists and that it matches the host name of the server
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/path/to/cert/my-exported.crt"); //PEM file
Source: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
这篇关于用于Web服务访问的PEM文件的来源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
