正如在OpenSSL :: X509 ::证书显示错误域证书中所引用的那样,我需要使用TLSv1或更高版本以及 服务器名称指示扩展.
即使使用ssl_version和servername_cb设置SSLContext,我仍然得到错误的证书myproair.com.
begin
timeout(1) do
tcp_client = TCPSocket.new("#{instance["domain"]}", 443)
ssl_context = OpenSSL::SSL::SSLContext.new()
ssl_context.ssl_version = :TLSv1
ssl_context.servername_cb = "https://#{instance["domain"]}"
ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client, ssl_context)
ssl_client.connect
cert = OpenSSL::X509::Certificate.new(ssl_client.peer_cert)
ssl_client.sysclose
tcp_client.close
#http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL/X509/Certificate.html
date = Date.parse((cert.not_after).to_s)
row.push("#{date.strftime('%F')} #{cert.signature_algorithm} #{cert.subject.to_a.select{|name, _, _| name == 'CN' }.first[1]}".downcase.ljust(57))
end
rescue SocketError
row.push("down".ljust(57))
rescue Errno::ECONNREFUSED
row.push("connection refused".ljust(57))
rescue Errno::ECONNRESET
row.push("connection reset".ljust(57))
rescue Timeout::Error
row.push("no 443 listener".ljust(57))
rescue OpenSSL::SSL::SSLError
row.push("bad certificate - ssl …Cloudflare 使用 ECDHE_ECDSA 和 AES_128_GCM 密码套件作为其 https 证书。使用 PHP cURL 时,您可以指定密码套件:
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_ecdsa_aes_128_sha');
但是,如果 cURL 请求请求除 ecdhe_ecdsa_aes_128_sha 之外的其他内容,这对我没有帮助。
设置了以下 Apache 配置,但 PHP cURL 似乎不尊重这一点:
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
有没有办法为 PHP cURL 指定密码套件顺序?
环境信息:
[vagrant@devopsgroup ~]$ php -i | grep SSL
SSL => Yes
SSL Version => NSS/3.15.4
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013
Native OpenSSL support => enabled