PHP 5.6 SSL certificate verification

Chr*_*nch 8 php ssl

I am trying to debug a problem with SSL certificate verification and figure out where OpenSSL gets the certificate location it returns as the error path (see below).

How do I find out where this is set? I looked in the php.ini file and cannot find this reference anywhere.

cmuench-air:bin cmuench$ ./php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/private
    [default_default_cert_area] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl
    [ini_cafile] => 
    [ini_capath] => 
)

php.ini (relevant section)... I don't see bitnami/mampstack56Dev anywhere...

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

; cURL CA bundle certificate
curl.cainfo="/Applications/phppos/common/openssl/certs/curl-ca-bundle.crt"

Edit:

I know this is silly, but sometimes SSL certificates are self-signed. Is there an ini setting I can modify to disable checking of all certificates? Or do I have to do this in the code for both sockets and cURL?

dre*_*010 9

If you check the PHP source for the openssl_get_cert_locations() function, it gets those locations by calling various OpenSSL functions such as X509_get_default_cert_file, and by looking at the php.ini settings openssl.cafile and openssl.capath, which are described here.

Which certs/paths are you looking for? If you are trying to get a CA bundle file, you can set the php.ini values referenced above so that they are returned by openssl_get_cert_locations.

The default php.ini file for PHP 5.6 has no defaults for those OpenSSL ini settings, so they need to be defined manually. This configuration is located in php.ini near the following:

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

When using cURL, if you want to disable certificate verification you can pass these options to curl_setopt():

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);  // shouldn't need this

CURLOPT_SSL_VERIFYPEER is described as:

FALSE to stop cURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option, or a certificate directory can be specified with the CURLOPT_CAPATH option.

CURLOPT_SSL_VERIFYHOST is described as:

1 to check the existence of a common name in the SSL peer certificate. 2 to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (the default).

If you have a CA file, you can use the CURLOPT_CAINFO option to supply the full path to a file holding one or more certificates to verify the peer with.

To disable the checks on streams opened with fsockopen, try:

<?php
$host = 'example.com'; // placeholder: the original snippet left $host undefined

$context = stream_context_create();
// Turns off certificate chain verification for this stream (any certificate is accepted).
// Note that in PHP 5.6 the separate 'verify_peer_name' option still defaults to true.
$result = stream_context_set_option($context, 'ssl', 'verify_peer', false);

$socket = stream_socket_client('ssl://' . $host . ':443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);

For more information, see the SSL context options and stream_socket_client().
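The answer above shows how to switch verification off. For a self-signed certificate the safer alternative is to keep verification on and tell PHP which certificate to trust, for both cURL and stream wrappers. The following is an added example, not code from the question or the answer; the bundle path passed as fallback, the host name and the fingerprint are placeholders. It reuses the php.ini and OpenSSL default locations reported by openssl_get_cert_locations() to find a CA bundle, and for a self-signed server it pins the certificate instead of disabling the check.

```php
<?php
// Added example (not from the original post): verify TLS peers instead of
// disabling CURLOPT_SSL_VERIFYPEER / ssl verify_peer. PHP 5.6 syntax only.
// Assumptions: $fallback points at a PEM bundle you downloaded (e.g. cacert.pem),
// and for a self-signed server you have its PEM or its SHA-256 fingerprint.

// Pick a CA bundle: php.ini openssl.cafile first, then OpenSSL's compiled-in
// default file (the path openssl_get_cert_locations() reports), then $fallback.
function find_ca_bundle($fallback = null)
{
    $locations  = openssl_get_cert_locations();
    $candidates = array(
        ini_get('openssl.cafile') ?: null,
        isset($locations['default_cert_file']) ? $locations['default_cert_file'] : null,
        $fallback,
    );
    foreach ($candidates as $path) {
        if ($path !== null && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// cURL: verify the chain against $cafile and require the hostname to match.
// For a self-signed server, $cafile can simply be that server's own certificate.
function curl_get_verified($url, $cafile)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // do not set this to false
        CURLOPT_SSL_VERIFYHOST => 2,      // CN/SAN must match the URL host
        CURLOPT_CAINFO         => $cafile,
    ));
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("cURL TLS failure: $err");
    }
    curl_close($ch);
    return $body;
}

// Stream wrapper: same policy via the ssl context options. If $fingerprint is
// given (hex SHA-256 of the leaf cert, an assumption for this example), the
// handshake is additionally pinned to that exact certificate, which is the
// PHP 5.6 way to accept a self-signed cert without accepting everything.
function stream_connect_verified($host, $port, $cafile, $fingerprint = null)
{
    $ssl = array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => $cafile,
        'peer_name'        => $host,
    );
    if ($fingerprint !== null) {
        $ssl['peer_fingerprint'] = array('sha256' => $fingerprint);
    }
    $context = stream_context_create(array('ssl' => $ssl));
    $socket  = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 30,
                                     STREAM_CLIENT_CONNECT, $context);
    if ($socket === false) {
        throw new RuntimeException("TLS handshake failed ($errno): $errstr");
    }
    return $socket;
}

if (PHP_SAPI === 'cli') {
    $cafile = find_ca_bundle('/usr/local/etc/cacert.pem'); // fallback path is an assumption
    if ($cafile === null) {
        fwrite(STDERR, "No readable CA bundle; set openssl.cafile in php.ini\n");
        exit(1);
    }
    $host = 'example.com'; // placeholder host
    $sock = stream_connect_verified($host, 443, $cafile);
    fclose($sock);
    echo strlen(curl_get_verified("https://$host/", $cafile)), " bytes fetched with verification on\n";
}
```

To obtain the fingerprint for pinning, connect once with verification enabled against the server's own PEM file (or export the cert out of band) and hash it with openssl_x509_fingerprint($cert, 'sha256'); never harvest it from an unverified connection, or the pin only ratifies whatever was on the wire at the time.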