Can't Get PHP cURL SSL To Work
Question
I'm trying to get PHP cURL to return the headers from https://www.google.com. I'm doing this so that I can understand how to configure the PHP curl_setopt parameters to work correctly with SSL websites. By "correctly" I mean that I want cURL to apply the CURLOPT_SSL_VERIFYPEER parameter to validate a server's security certificate.
This is new ground for me. I've got a hazy understanding of how this process works, but I can't get the following code to return the google.com headers:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://www.google.com');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1); // verify the server certificate against the CAINFO file
curl_setopt($ch, CURLOPT_CAINFO, "c:/wamp/www/certificates/googleCA.cer"); // root cert exported from IE11
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_NOBODY, true); // HTTP request is 'HEAD only'
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0');
curl_setopt($ch, CURLOPT_REFERER, 'https://www.google.com');
$headers = curl_exec($ch);
if ($headers === false) {
    // Without this check a failed certificate verification prints nothing but "Got to end!"
    echo 'cURL error ' . curl_errno($ch) . ': ' . curl_error($ch) . "\n";
}
print_r($headers);
curl_close($ch);
echo "Got to end!";
?>
I've followed the instructions at the following link to extract a copy of the google.com certificate from Windows using IE11:
http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
The certificate extraction described by the above link seems to go fine. I'm on a Windows 7 64-bit machine. I save the top-level certificate from IE11 as a 'Base-64 encoded x.509 (CER)' file to my 'c:\WAMP\www\certificates\' folder as 'googleCA.cer'. I then set the CURLOPT_CAINFO parameter to 'c:/wamp/www/certificates/googleCA.cer'. When I execute the PHP code, the google headers AREN'T returned when the CURLOPT_VERIFYPEER parameter is set to "1" (I know setting CURLOPT_VERIFYPEER to "0" instructs cURL to not validate the server certificate, which does return the headers, but that is a totally insecure configuration which I don't want to use).
This feels like a problem with the certificate I exported from Windows using IE11. I also found this link that describes downloading the cacert.pem file from the cURL website:
https://curl.haxx.se/docs/caextract.html
When I click on the link above I get the text of the caextract file presented in IE11. I don't know what to do next. Any help would be greatly appreciated.
Many Thanks In Advance!! --
EDIT: Here is the content of the googleCA.cer file:
Recommended answer
The answer to this problem is that the root certificate displayed for https://www.google.com in IE11, "GeoTrust Global CA," is cross-rooted to an older GeoTrust root certificate named "Equifax Secure Certificate Authority." When the "GeoTrust Global CA" certificate that displays as the root in the 3-certificate chain showing in my IE11 is used by my PHP script as the root certificate for https://www.google.com, my PHP script can't authenticate https://www.google.com's certificate BECAUSE THE REAL ROOT CERTIFICATE FOR https://www.google.com ISN'T THE "GeoTrust Global CA" CERTIFICATE BUT THE GeoTrust "Equifax Secure Certificate Authority" certificate. Once I figured this out, I used the "Equifax Secure Certificate Authority" in my PHP .PEM file and I successfully validated the https://www.google.com certificate.
You can see how the cross-rooting takes place by doing the following (I used IE11 for this):
- Open a BLANK https://www.google.com Web page
- Click the padlock icon in the URL window, then click "View certificates."
- The Certificates window for https://www.google.com appears. Click the Certification Path tab. The certificate chain of three certificates will be displayed. The "GeoTrust Global CA" certificate shows as the root certificate - BUT THAT'S NOT TRUE.
- Close the Certificate window. In the "Run" box in the Start Menu (I'm using Windows 7) type "certmgr.msc" and click the "OK" button. This will launch Windows' Certificate Manager.
- Click the "Trusted Root Certification Authorities" entry in the left pane, then click "Certificates."
- In the right pane, locate the "GeoTrust Global CA" certificate. Double-click this entry to open its certificate window.
- Click the "Details" tab, then click the "Edit properties" button. NOTE THAT "Server Authentication," "Client Authentication," "Code Signing," "Secure Email," and "Time Stamping" are selected.
- Click the "Disable all purposes for this certificate" button. THIS WILL DISABLE THIS CERTIFICATE FROM USE. NOTE ON THE "General" TAB THAT THE EXPIRATION DATE FOR THIS CERTIFICATE IS 5/20/2022 AND THE "Issued to:" and "Issued by:" ITEMS ARE BOTH SIGNED "GeoTrust Global CA," INDICATING THAT THIS IS A ROOT CERTIFICATE. Click the "OK" button to return to the Windows Certificate Manager. Minimize the Certificate Manager.
- Move to your blank https://www.google.com Web page. Refresh the page, then view the certificates. NOW YOU WILL SEE FOUR CERTIFICATES, INSTEAD OF THE THREE THAT WERE DISPLAYED IN STEP #3!!
- WHAT HAPPENED? Double-click the "GeoTrust Global CA" certificate. Look at the expiration date on the "General" tab. It's 8/20/2018, NOT THE 5/20/2022 displayed for the "GeoTrust Global CA" certificate in Step #3. Also look at the "Issued to:" and "Issued by:" items - THEY ARE DIFFERENT. The "Issued to:" is "GeoTrust Global CA" and the "Issued by" is "Equifax Secure Certificate Authority." THIS IS A DIFFERENT "GeoTrust Global CA" CERTIFICATE THAN THE ONE DISPLAYED IN STEP #3!! This version of the "GeoTrust Global CA" certificate is cross-rooted to "Equifax Security Certificate Authority" as evidenced in the "Issued by:" item!!
- Double-click the "GeoTrust" root certificate. Notice that this is a self-signed root certificate issued by "Equifax Secure Certificate Authority." THIS IS THE REAL ROOT CERTIFICATE USED BY https://www.google.com!! When I copied this certificate into my PHP .PEM file and used it to validate https://www.google.com's certificate everything worked perfectly!!
- Go back to the Windows Certificate Manager and reverse the disablement you performed in Steps 5 - 8. Click the "Enable only the following purposes" button and re-check the purposes listed in Step #7. This will restore your "GeoTrust Global CA" certificate dated 5/20/2022 to functioning status.
There's a link on the GeoTrust Website that describes the "GeoTrust Global CA" cross-root certificate that appeared in Step #9. You can download it as well. However, for my application the cross-root certificate didn't validate https://www.google.com's certificate - I NEEDED TO USE THE "GeoTrust" ROOT CERTIFICATE BECAUSE IT IS THE ONLY ONE THAT WORKS TO VALIDATE https://www.google.com. Here's the link:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426
You can also download the equivalent of the "GeoTrust" certificate from the GeoTrust Website. It's listed as the "Equifax Secure Certificate Authority" in the Resources > Root Certificates section of the Website. Here's the link:
https://www.geotrust.com/resources/root-certificates/
You can also find more details about the certificate chain for any Web page by visiting the following Symantec Web page:
https://cryptoreport.websecurity.symantec.com
I hope this helps you PHP developers who need to validate an HTTPS connection with Google.com. DREW010 - Thanks for hanging with me through this! I appreciate your help.
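The diagnostic the thread above works through by hand can be scripted. This added example (not the poster's code) fetches the headers with peer verification enabled, and when verification fails it makes a separate probe with CURLOPT_CERTINFO to print the subject and issuer of every certificate the server actually sent, so you can see which trust anchor (here the Equifax root rather than the self-signed "GeoTrust Global CA" IE displays) the CAINFO file must contain. The CA file path is a placeholder.

```php
<?php
// Added example, not the poster's script. The CA path is a placeholder.
function fetchHeadersVerified(string $url, string $caFile): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,  // HEAD request only
        CURLOPT_HEADER         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // reject chains not anchored in $caFile
        CURLOPT_SSL_VERIFYHOST => 2,     // and require the hostname to match
        CURLOPT_CAINFO         => $caFile,
    ]);
    $headers = curl_exec($ch);
    // errno 60 means libcurl could not authenticate the peer certificate
    $out = ['ok' => $headers !== false, 'headers' => (string) $headers,
            'errno' => curl_errno($ch), 'error' => curl_error($ch)];
    curl_close($ch);
    return $out;
}

// Diagnostic only: verification is switched off here so the handshake
// completes and libcurl can record the served chain; the response is discarded.
function probeServerChain(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_CERTINFO       => true,  // ask libcurl to keep the served certs
    ]);
    curl_exec($ch);
    $chain = [];
    foreach ((array) curl_getinfo($ch, CURLINFO_CERTINFO) as $cert) {
        $chain[] = ['subject' => $cert['Subject'] ?? '', 'issuer' => $cert['Issuer'] ?? ''];
    }
    curl_close($ch);
    return $chain;
}

$r = fetchHeadersVerified('https://www.google.com', 'c:/wamp/www/certificates/googleCA.cer');
if ($r['ok']) {
    echo $r['headers'];
} else {
    echo "cURL error {$r['errno']}: {$r['error']}\n";
    // The issuer of the last served certificate names the root that CAINFO must contain.
    foreach (probeServerChain('https://www.google.com') as $i => $c) {
        echo "cert[$i] subject: {$c['subject']}\n        issuer:  {$c['issuer']}\n";
    }
}
```

Compare the last issuer printed with the "Issued to:" of the certificate you exported; if they differ, export that issuer's certificate instead (or use the cacert.pem bundle linked above, which already contains it).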