Can't Get PHP cURL SSL To Work

Question

I'm trying to get PHP cURL to return the headers from https://www.google.com. I'm doing this so that I can understand how to configure the PHP curl_setopt parameters to work correctly with SSL websites. By "correctly" I mean that I want cURL to apply the CURLOPT_SSL_VERIFYPEER parameter to validate a server's security certificate.

This is new ground for me. I've got a hazy understanding of how this process works, but I can't get the following code to return the google.com headers:

<?php

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://www.google.com');

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,1);
curl_setopt($ch, CURLOPT_CAINFO, "c:/wamp/www/certificates/googleCA.cer");

curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_NOBODY, true); // HTTP request is 'HEAD only'
curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0');
curl_setopt($ch, CURLOPT_REFERER,'https://www.google.com');
$headers=curl_exec($ch);

print_r($headers);

echo "Got to end!";

?>

I've followed the instructions at the following link to extract a copy of the google.com certificate from Windows using IE11:

http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/

The certificate extraction described by the above link seems to go fine. I'm on a Windows 7 64-bit machine. I save the top-level certificate from IE11 as a 'Base-64 encoded x.509 (CER)' file to my 'c:\WAMP\www\certificates\' folder as 'googleCA.cer'. I then set the CURLOPT_CAINFO parameter to 'c:/wamp/www/certificates/googleCA.cer'. When I execute the PHP code, the google headers AREN'T returned when the CURLOPT_VERIFYPEER parameter is set to "1" (I know setting the CURLOPT_VERIFYPEER to "0" instructs cURL to not validate the server certificate, which does return the headers, but that is a totally insecure configuration which I don't want to use).

This feels like a problem with the certificate I exported from Windows using IE11. I also found this link that describes downloading the cacert.pem file from the cURL website:

https://curl.haxx.se/docs/caextract.html

When I click on the link above I get the text of the caextract file presented in IE11. I don't know what to do next. Any help would be greatly appreciated.

Many Thanks In Advance!! --

Here is the content of the googleCA.cer file:


Recommended answer

The answer to this problem is that the root certificate displayed for https://www.google.com in IE11, "GeoTrust Global CA," is cross-rooted to an older GeoTrust root certificate named "Equifax Secure Certificate Authority." When the "GeoTrust Global CA" certificate that displays as the root in the 3-certificate chain showing in my IE11 is used by my PHP script as the root certificate for https://www.google.com my PHP script can't authenticate https://www.google.com's certificate BECAUSE THE REAL ROOT CERTIFICATE FOR https://www.google.com ISN'T THE "GeoTrust Global CA" CERTIFICATE BUT THE GeoTrust "Equifax Secure Certificate Authority" certificate. Once I figured this out, I used the "Equifax Secure Certificate Authority" in my PHP .PEM file and I successfully validated the https://www.google.com certificate.

You can see how the cross-rooting takes place by doing the following (I used IE11 for this):


  1. Open a BLANK https://www.google.com Web page
  2. Click the padlock icon in the URL window, then click "View certificates."
  3. The Certificates window for https://www.google.com appears. Click the Certification Path tab. The certificate chain of three certificates will be displayed. The "GeoTrust Global CA" certificate shows as the root certificate - BUT THAT'S NOT TRUE.
  4. Close the Certificate window. In the "Run" box in the Start Menu (I'm using Windows 7) type "certmgr.msc" and click the "OK" button. This will launch Windows' Certificate Manager.
  5. Click the "Trusted Root Certification Authorities" entry in the left pane, then click "Certificates."
  6. In the right pane, locate the "GeoTrust Global CA" certificate. Double-click this entry to open its certificate window.
  7. Click the "Details" tab, then click the "Edit properties" button. NOTE THAT "Server Authentication," "Client Authentication," "Code Signing," "Secure Email," and "Time Stamping" are selected.
  8. Click the "Disable all purposes for this certificate" button. THIS WILL DISABLE THIS CERTIFICATE FROM USE. NOTE ON THE "General" TAB THAT THE EXPIRATION DATE FOR THIS CERTIFICATE IS 5/20/2022 AND THE "Issued to:" and "Issued by:" ITEMS ARE BOTH SIGNED "GeoTrust Global CA," INDICATING THAT THIS IS A ROOT CERTIFICATE. Click the "OK" button to return to the Windows Certificate Manager. Minimize the Certificate Manager.
  9. Move to your blank https://www.google.com Web page. Refresh the page, then view the certificates. NOW YOU WILL SEE FOUR CERTIFICATES, INSTEAD OF THE THREE THAT WERE DISPLAYED IN STEP #3!!
  10. WHAT HAPPENED? Double-click the "GeoTrust Global CA" certificate. Look at the expiration date on the "General" tab. It's 8/20/2018, NOT THE 5/20/2022 displayed for the "GeoTrust Global CA" certificate in Step #3. Also look at the "Issued to:" and "Issued by:" items - THEY ARE DIFFERENT. The "Issued to:" is "GeoTrust Global CA" and the "Issued by" is "Equifax Secure Certificate Authority." THIS IS A DIFFERENT "GeoTrust Global CA" CERTIFICATE THAN THE ONE DISPLAYED IN STEP #3!! This version of the "GeoTrust Global CA" certificate is cross-rooted to "Equifax Security Certificate Authority" as evidenced in the "Issued by:" item!!
  11. Double click the "GeoTrust" root certificate. Notice that this is a self-signed root certificate issued by "Equifax Secure Certificate Authority." THIS IS THE REAL ROOT CERTIFICATE USED BY https://www.google.com!! When I copied this certificate into my PHP .PEM file and used it to validate https://www.google.com's certificate everything worked perfectly!!
  12. Go back to the Windows Certificate Manager and reverse the disablement you performed in Steps 5 - 8. Click the "Enable only the following purposes" button and re-check the purposes listed in Step #7. This will restore your "GeoTrust Global CA" certificate dated 5/20/2022 to functioning status.

There's a link on the GeoTrust Website that describes the "GeoTrust Global CA" cross-root certificate that appeared in Step #9. You can download it as well. However, for my application the cross-root certificate didn't validate https://www.google.com's certificate - I NEEDED TO USE THE "GeoTrust" ROOT CERTIFICATE BECAUSE IT IS THE ONLY ONE THAT WORKS TO VALIDATE https://www.google.com. Here's the link:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426

You can also download the equivalent of the "GeoTrust" certificate from the GeoTrust Website. It's listed as the "Equifax Secure Certificate Authority" in the Resources > Root Certificates section of the Website. Here's the link:

https://www.geotrust.com/resources/root-certificates/

You can also find more details about the certificate chain for any Web page by visiting the following Symantec Web page:

https://cryptoreport.websecurity.symantec.com

I hope this helps you PHP developers who need to validate an HTTPS connection with Google.com. DREW010 - Thanks for hanging with me through this! I appreciate your help.
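
A verified HEAD request with failure reporting, as an added example that is not part of the original question or answer. It points CURLOPT_CAINFO at a CA bundle, reports the cURL error when validation fails, and on success lists the subject and issuer of each certificate cURL reports for the connection, so you can see which issuer the chain ends at. The function name fetch_headers_verified and the bundle path are assumptions; the path stands for wherever you saved the cacert.pem file from the caextract page linked in the question.

```php
<?php
// Added example (not from the original post).
// Assumption: $caBundle is the local path of a PEM CA bundle, e.g. the
// cacert.pem saved from https://curl.haxx.se/docs/caextract.html.
function fetch_headers_verified(string $url, string $caBundle): array
{
    if (!is_readable($caBundle)) {
        return ['ok' => false, 'error' => "CA bundle not readable: $caBundle"];
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_SSL_VERIFYPEER => true,      // validate the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate must match the host name
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_CERTINFO       => true,      // collect chain details for CURLINFO_CERTINFO
        CURLOPT_HEADER         => true,
        CURLOPT_NOBODY         => true,      // HEAD request, as in the question
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $headers = curl_exec($ch);
    if ($headers === false) {
        // errno 60 is the certificate verification failure: the chain did
        // not lead to a certificate present in the CA file.
        return ['ok' => false, 'errno' => curl_errno($ch), 'error' => curl_error($ch)];
    }
    $chain = [];
    foreach (curl_getinfo($ch, CURLINFO_CERTINFO) ?: [] as $cert) {
        $chain[] = [
            'subject' => $cert['Subject'] ?? '?',
            'issuer'  => $cert['Issuer'] ?? '?',
            'expires' => $cert['Expire date'] ?? '?',
        ];
    }
    return ['ok' => true, 'headers' => $headers, 'chain' => $chain];
}

// Placeholder path; adjust to where the bundle was saved.
$result = fetch_headers_verified('https://www.google.com', 'c:/wamp/www/certificates/cacert.pem');
if (!$result['ok']) {
    echo 'TLS validation failed: ', $result['error'], PHP_EOL;
} else {
    echo $result['headers'];
    foreach ($result['chain'] as $i => $c) {
        echo "[$i] subject: {$c['subject']}\n    issuer:  {$c['issuer']}\n    expires: {$c['expires']}\n";
    }
}
```

The issuer printed for the last certificate in the list is the one the CA file has to contain; comparing it with what the browser shows as the root makes the mismatch described in the answer visible.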
