Ale*_*gin 5 php ssl curl spoofing
我正在编写从远程服务器请求机密数据的PHP脚本.我正在使用cURL获取远程服务器的证书信息(请在下面输出).
我需要检查哪些数组密钥证书有效性,没有人可以欺骗它们?
例如,密钥[certinfo] [0] [Subject] [CN]可以通过自签名证书进行欺骗.
我可以检查我在客户端使用的ca-bundle文件的md5文件哈希值,但是当服务器的证书过期时,我需要相应地替换ca-bundle文件,并在php脚本中更新md5文件哈希 - 这是不可接受的为了我.唯一一个默认是替换ca-bundle文件而不更新php脚本.为此,我需要验证服务器证书的属性,通过未来的证书重新生成保持相同,并且不能被犯罪分子欺骗.
print_r(curl_getinfo($ ch)):
[url] => https://remoteserver.com
[content_type] => text/html
[http_code] => 200
[header_size] => 148
[request_size] => 79
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.374
[namelookup_time] => 0
[connect_time] => 0.062
[pretransfer_time] => 0.203
[size_upload] => 0
[size_download] => 20618
[speed_download] => 55128
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => 0
[starttransfer_time] => 0.281
[redirect_time] => 0
[certinfo] => Array
(
[0] => Array
(
[Subject] => Array
(
[OU] => Globe Standard SSL
[CN] => www.remoteserver.com
)
[Issuer] => Array
(
[C] => US
[O] => Globe Hosting, Inc.
[OU] => GlobeSSL DV Certification Authority
[CN] => GlobeSSL CA
)
[Version] => 2
[Signature Algorithm] => sha1WithRSAEncryption
[Start date] => 2011-09-30 00:00:00 GMT
[Expire date] => 2014-09-30 23:59:59 GMT
[Public Key Algorithm] => rsaEncryption
[RSA Public Key] => 2048
[rsa(n)] => d7:c0:0b:3f:f3:3e:d6:ed:92:56:22:12:64:c1:c4:00:d7:c9:a1:1e:..cut..
[rsa(e)] => 01:00:01:
[X509v3 Authority Key Identifier] => keyid:C3:AB:A0:02:F0:9B:F5:66:7F:28:15:92:22:95:DB:B8:4E:D3:93:08
[X509v3 Subject Key Identifier] => 13:1B:B2:52:14:3C:70:1C:B2:93:F1:C5:04:06:86:60:8A:D4:E5:5C
[X509v3 Key Usage] => DigitalSignature,KeyEncipherment
[X509v3 Basic Constraints] => CA:FALSE
[X509v3 Extended Key Usage] => TLSWebServerAuthentication,TLSWebClientAuthentication
[X509v3 Certificate Policies] => Policy:1.3.6.1.4.1.6449.1.2.2.27, CPS:http://www.globessl.com/docs/GlobeSSL_CPS.pdf
[X509v3 CRL Distribution Points] => URI:http://crl.globessl.com/GlobeSSLDVCertificationAuthority.crl
[Authority Information Access] => CAIssuers-URI:http://crt.globessl.com/GlobeSSLDVCertificationAuthority.crt, OCSP-URI:http://ocsp.globessl.com
[X509v3 Subject Alternative Name] => DNS:www.remoteserver.com,DNS:remoteserver.com
[Signature] => 61:38:06:d4:30:9c:14:a4:e5:1e:b2:c8:c4:..cut..
[Cert] => -----BEGIN CERTIFICATE-----cut-----END CERTIFICATE-----
)
[1] => Array
(
[Subject] => Array
(
[C] => US
[O] => Globe Hosting, Inc.
[OU] => GlobeSSL DV Certification Authority
[CN] => GlobeSSL CA
)
[Issuer] => Array
(
[C] => SE
[O] => AddTrust AB
[OU] => AddTrust External TTP Network
[CN] => AddTrust External CA Root
)
[Version] => 2
[Signature Algorithm] => sha1WithRSAEncryption
[Start date] => 2010-06-22 00:00:00 GMT
[Expire date] => 2020-05-30 10:48:38 GMT
[Public Key Algorithm] => rsaEncryption
[RSA Public Key] => 2048
[rsa(n)] => a0:47:04:ce:a8:33:ab:..cut..
[rsa(e)] => 01:00:01:
[X509v3 Authority Key Identifier] => keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
[X509v3 Subject Key Identifier] => C3:AB:A0:02:F0:9B:F5:66:7F:28:15:92:22:95:DB:B8:4E:D3:93:08
[X509v3 Key Usage] => CertificateSign,CRLSign
[X509v3 Basic Constraints] => CA:TRUE,pathlen:0
[X509v3 Certificate Policies] => Policy:1.3.6.1.4.1.6449.1.2.2.27
[X509v3 CRL Distribution Points] => URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl
[Authority Information Access] => CAIssuers-URI:http://crt.usertrust.com/AddTrustExternalCARoot.p7c, CAIssuers-URI:http://crt.usertrust.com/AddTrustUTNSGCCA.crt, OCSP-URI:http://ocsp.usertrust.com
[Signature] => 66:9c:13:6d:d2:7e:2c:..cut..
[Cert] => -----BEGIN CERTIFICATE-----cut-----END CERTIFICATE-----
)
)
谢谢你的帮助.
小智 0
没有太多方法可以完全防止欺骗,但是,就像浏览器一样,您可以尝试验证证书的真实性。有关 SSL 证书如何工作的一些有用信息,请访问以下链接:
现在,您可以执行一些操作来确保您正在与正确的计算机进行通信,即使没有完全验证证书,但它们将要求您有权访问远程计算机。最简单的事情之一就是使用加盐变量进行简单的握手。
例如,调用远程计算机上的一个文件,该文件会生成唯一的哈希值,例如用您选择的单词加盐的时间戳,以及到目前为止您已进行握手的次数。您的计算机将该哈希值与预期值进行匹配,并使用不同的盐执行相同的操作,将其发送回远程计算机,表明握手已完成,并且两台计算机都会增加其计数,以便下次哈希值会有所不同。
| 归档时间: |
|
| 查看次数: |
1142 次 |
| 最近记录: |