我有一个定制的支付系统,使用PHP将买家送到巴克莱EPDQ进行付款。 EPDQ不再支持SSL,因此我必须将其转换为使用TLS。
看一下这个页面,在我看来只有一小块代码需要编辑 我不在这里,任何人都可以建议我应该做出的改变吗?或者它不像我想的那么简单?
我认为需要编辑这一点:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://" . $requesthost . $requestdocument);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $requestbody);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$responsedata = curl_exec($ch);
答案 0 :(得分:0)
尝试添加
CURLOPT_SSL_CIPHER_LIST => 'TLSv1'到你的PPHttpConfig.php。
和
curl_setopt($ curl_request,CURLOPT_SSLVERSION,CURL_SSLVERSION_TLSv1);在你的代码中
最初来自SSL error can not change to TLS和PHP Curl (with NSS) is probably using SSLv3 insted of TLS when connecting to https
答案 1 :(得分:0)
您的代码中还需要更多参数。
您还必须将'CURLOPT_SSL_VERIFYPEER'设置为'true'。
您可以阅读有关cacert.crt here的更多信息并获取一个。请务必阅读使用条款。
是的,您需要所有选项才能实现最大程度的保密。
您可以阅读有关TLS安全性和实施here的更多信息。
下面解释了每个选项的作用。
/**
*
* Start Fix SSLv3/TLS connectivity problems
*
* CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER prevent MITM attacks
* WARNING: Disabling this would prevent curl from detecting Man-in-the-middle (MITM) attack
*
*/
/**
* @param CURLOPT_SSL_VERIFYPEER
*
* FALSE to stop CURL from verifying the peer's certificate.
* Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.
* CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
* Setting CURLOPT_SSL_VERIFYHOST to 2 (This is the default value) will garantee that the certificate being presented to you have a 'common name' matching the URN you are using to access the remote resource.
* This is a healthy check but it doesn't guarantee your program is not being decieved.
*
*/
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
/**
*
* @param CURLOPT_SSL_VERIFYHOST
*
* Check the existence of a common name in the SSL peer certificate.
* Check the existence of a common name and also verify that it matches the hostname provided.
*
* @value 1 to check the existence of a common name in the SSL peer certificate.
* @value 2 to check the existence of a common name and also verify that it matches the hostname provided.
* In production environments the value of this option should be kept at 2 (default value).
* Support for value 1 removed in cURL 7.28.1
*/
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
/**
*
* Force use of TLS
*
*/
/**
*
* Let's explain the magic of comparing your TLS certificate to the verified CA Authorities and how does that affect MITM attacks
*
* Man in the middle (MITM)
* Your program could be misleaded into talking to another server instead. This can be achieved through several mechanisms, like dns or arp poisoning.
* The intruder can also self-sign a certificate with the same 'comon name' your program is expecting.
* The communication would still be encrypted but you would be giving away your secrets to an impostor.
* This kind of attack is called 'man-in-the-middle'
* Defeating the 'man-in-the-middle'
* We need to to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonable* trust.
* If the remote resource is protected by a certificate issued by one of the main CA's like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle,
* which you can get from http://curl.haxx.se/docs/caextract.html
*
*/
//TODO: If TLSv1_1 found insecure and/or unreliable change to TLSv1_1 or TLS1_2
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); // CURL_SSLVERSION_TLSv1_1; CURL_SSLVERSION_TLSv1_2
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$crt = substr(__FILE__, 0, strrpos( __FILE__, '\\'))."\crt\cacert.crt"; // WIN
}
else {
$crt = str_replace('\\', '/', substr(__FILE__, 0, strrpos( __FILE__, '/')))."/crt/cacert.crt"; // *NIX
}
// The cert path is relative to this file
curl_setopt($ch, CURLOPT_CAINFO, $crt); // Set the location of the CA-bundle
/**
* Fix Error: 35 - Unknown SSL protocol error in connections
*
* Improve maximum forward secrecy
*/
// Please keep in mind that this list has been checked against the SSL Labs' WEAK ciphers list in 2014.
$arrayCiphers = array(
'DHE-RSA-AES256-SHA',
'DHE-DSS-AES256-SHA',
'AES256-SHA',
'ADH-AES256-SHA',
'KRB5-DES-CBC3-SHA',
'EDH-RSA-DES-CBC3-SHA',
'EDH-DSS-DES-CBC3-SHA',
'DHE-RSA-AES128-SHA',
'DHE-DSS-AES128-SHA',
'ADH-AES128-SHA',
'AES128-SHA',
'KRB5-DES-CBC-SHA',
'EDH-RSA-DES-CBC-SHA',
'EDH-DSS-DES-CBC-SHA:DES-CBC-SHA',
'EXP-KRB5-DES-CBC-SHA',
'EXP-EDH-RSA-DES-CBC-SHA',
'EXP-EDH-DSS-DES-CBC-SHA',
'EXP-DES-CBC-SHA'
);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, implode(':', $arrayCiphers));
请告诉我,如果您有任何其他问题,我会尽力回答。