cURL PHP具有自签名证书的私有服务器之间的适当SSL [英] cURL PHP Proper SSL between private servers with self-signed certificate
问题描述
我最初在运行CURLOPT_SSL_VERIFYPEER的两台服务器之间建立了连接,并且SSL证书中没有公共名称,以避免错误。以下是使用证书连接到服务器的客户端代码:
I originally had a connection between my 2 servers running with CURLOPT_SSL_VERIFYPEER set to "false" with no Common Name in the SSL cert to avoid errors. The following is the client code that connected to the server with the certificate:
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
但是,我最近更改了此代码(将其设置为true)并以PEM格式指定了计算机证书。
However, I recently changed this code (set it to true) and specified the computers certificate in PEM format.
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,TRUE);
curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch,CURLOPT_CAINFO,getcwd().'/includes/hostcert/Hostname.crt');
这在测试机器的本地网络上运行良好,因为证书是用它的主机名签名的CN。如何设置PHP代码,使其只信任主机名计算机并保持安全连接。
This worked great on the local network from a test machine, as the certificate is signed with it's hostname for a CN. How can I setup the PHP code so it only trusts the hostname computer and maintains a secure connection.
我很清楚你可以将CURLOPT_SSL_VERIFYHOST设置为0或1和CURLOPT_SSL_VERIFYPEER为false,但这些都不是有效的解决方案,因为它们破坏了SSL安全性。
I'm well aware you can just set CURLOPT_SSL_VERIFYHOST to "0" or "1" and CURLOPT_SSL_VERIFYPEER to "false", but these are not valid solutions as they break the SSL security.
我的/ etc / hosts文件如下:
My /etc/hosts file is as follows:
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost.localdomain localhost ExampleHostName
::1 localhost.localdomain localhost
推荐答案
您需要根据客户端的请求生成具有有效主机名的证书。如果您已使用 machine.local
作为内部名称,但现在想要使用通过 machine.example.org $调用它的外部客户端c $ c>,那么您需要使用的证书对
machine.example.org
有效。
You need to generate a certificate with a valid host name, as requested by the client. If you've used machine.local
for your internal name, but now want to use external clients calling it via machine.example.org
, then you need the certificate you use to be valid for machine.example.org
.
如果您需要两者(因为可以使用不同的主机名调用同一台机器),请使用主题备用名称扩展名并在证书中放入多个DNS条目。
If you need both (since the same machine may be called with different host names), use the Subject Alternative Name extension and put multiple DNS entries in your certificate.
这篇关于cURL PHP具有自签名证书的私有服务器之间的适当SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!