cURL PHP具有自签名证书的私有服务器之间的适当SSL [英] cURL PHP Proper SSL between private servers with self-signed certificate

问题描述

我最初在运行CURLOPT_SSL_VERIFYPEER的两台服务器之间建立了连接，并且SSL证书中没有公共名称，以避免错误。以下是使用证书连接到服务器的客户端代码：

I originally had a connection between my 2 servers running with CURLOPT_SSL_VERIFYPEER set to "false" with no Common Name in the SSL cert to avoid errors. The following is the client code that connected to the server with the certificate:

curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);

但是，我最近更改了此代码（将其设置为true）并以PEM格式指定了计算机证书。

However, I recently changed this code (set it to true) and specified the computers certificate in PEM format.

curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,TRUE);
curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch,CURLOPT_CAINFO,getcwd().'/includes/hostcert/Hostname.crt');

这在测试机器的本地网络上运行良好，因为证书是用它的主机名签名的CN。如何设置PHP代码，使其只信任主机名计算机并保持安全连接。

This worked great on the local network from a test machine, as the certificate is signed with it's hostname for a CN. How can I setup the PHP code so it only trusts the hostname computer and maintains a secure connection.

我很清楚你可以将CURLOPT_SSL_VERIFYHOST设置为0或1和CURLOPT_SSL_VERIFYPEER为false，但这些都不是有效的解决方案，因为它们破坏了SSL安全性。

I'm well aware you can just set CURLOPT_SSL_VERIFYHOST to "0" or "1" and CURLOPT_SSL_VERIFYPEER to "false", but these are not valid solutions as they break the SSL security.

我的/ etc / hosts文件如下：

My /etc/hosts file is as follows:

#<ip-address>   <hostname.domain.org>   <hostname>
127.0.0.1       localhost.localdomain   localhost ExampleHostName
::1             localhost.localdomain   localhost

推荐答案

您需要根据客户端的请求生成具有有效主机名的证书。如果您已使用 machine.local 作为内部名称，但现在想要使用通过 machine.example.org ，那么您需要使用的证书对 machine.example.org 有效。

You need to generate a certificate with a valid host name, as requested by the client. If you've used machine.local for your internal name, but now want to use external clients calling it via machine.example.org, then you need the certificate you use to be valid for machine.example.org.

如果您需要两者（因为可以使用不同的主机名调用同一台机器），请使用主题备用名称扩展名并在证书中放入多个DNS条目。

If you need both (since the same machine may be called with different host names), use the Subject Alternative Name extension and put multiple DNS entries in your certificate.

这篇关于cURL PHP具有自签名证书的私有服务器之间的适当SSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！