I'm trying to debug a problem with SSL certificate verification, and I've determined that OpenSSL is picking up certificate locations that return the wrong paths (see below).
How do I figure out where this is set? I looked through the php.ini file and can't find this reference anywhere.
cmuench-air:bin cmuench$ ./php -r "print_r(openssl_get_cert_locations());"
Array
(
[default_cert_file] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/private
[default_default_cert_area] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl
[ini_cafile] =>
[ini_capath] =>
)
php.ini (relevant section)... I don't see bitnami / mampstack56Dev anywhere...
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=
;Curl ca bundle certificate
curl.cainfo="/Applications/phppos/common/openssl/certs/curl-ca-bundle.crt"
Edit:
I know this is silly, but sometimes SSL certificates are self-signed. Is there an ini setting I can change to disable checking of all certificates? Or do I have to do this in code for both sockets and curl?
Answer 0 (score: 9)
If you check the PHP source code for the openssl_get_cert_locations() function, it obtains these locations by calling various OpenSSL functions such as X509_get_default_cert_file and by looking at the php.ini values openssl.cafile and openssl.capath, described here.
Which certificates/paths are you looking for? If you are trying to get the CA bundle file, you can set the php.ini values referenced above so that openssl_get_cert_locations returns them.
The default php.ini file for PHP 5.6 has no defaults for those OpenSSL ini settings, since they need to be defined manually. This configuration lives in php.ini:
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=
When using cURL, if you want to disable certificate verification, you can pass these options to curl_setopt():
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // shouldn't need this
CURLOPT_SSL_VERIFYPEER is described as:
FALSE to stop cURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option, or a certificate directory can be specified with the CURLOPT_CAPATH option.
CURLOPT_SSL_VERIFYHOST is described as:
1 to check the existence of a common name in the SSL peer certificate. 2 to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (the default).
If you have a CA file, you can use the option CURLOPT_CAINFO to provide the full path to a file holding one or more certificates to verify the peer with.
To disable checking for streams opened with fsockopen, try:
<?php
$host = 'example.com'; // placeholder host, not part of the original snippet
$context = stream_context_create();
$result = stream_context_set_option($context, 'ssl', 'verify_peer', false);
$socket = stream_socket_client('ssl://'.$host . ':443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
For more information, see SSL Context Options and stream_socket_client().
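An added example, not part of the question or the answer above, showing the alternative to switching verification off: resolve the CA file PHP will actually use (following the precedence openssl_get_cert_locations() exposes) and trust a specific self-signed server certificate by pointing cafile at it, keeping verify_peer and verify_peer_name on. The host name and certificate path are placeholders.

```php
<?php
// Added example: find the CA file PHP's OpenSSL binding will use, then trust one
// specific self-signed certificate instead of disabling verify_peer.

// Precedence as exposed by openssl_get_cert_locations(): the openssl.cafile ini
// value, then the SSL_CERT_FILE environment variable, then the compiled-in
// default. Returns null when none of them is a readable file.
function resolveCaFile()
{
    $loc = openssl_get_cert_locations();
    $candidates = array(
        (string) $loc['ini_cafile'],
        (string) getenv($loc['default_cert_file_env']),
        (string) $loc['default_cert_file'],
    );
    foreach ($candidates as $path) {
        if ($path !== '' && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// Build an SSL stream context that keeps verification on. For a self-signed
// server, pass its PEM certificate as $trustedCert: only that exact certificate
// (or chains it signs) is then accepted, and peer-name checking still applies.
function makeVerifiedContext($trustedCert = null)
{
    $cafile = ($trustedCert !== null) ? $trustedCert : resolveCaFile();
    if ($cafile === null) {
        throw new RuntimeException('No readable CA file; set openssl.cafile in php.ini');
    }
    return stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,   // not needed once the cert is in cafile
        'cafile'            => $cafile,
    )));
}

// Placeholder host and certificate path; replace with your own values.
$host = 'server.example';
$context = makeVerifiedContext('/path/to/server-selfsigned.pem');
$socket = @stream_socket_client("ssl://$host:443", $errno, $errstr, 30,
    STREAM_CLIENT_CONNECT, $context);
if ($socket === false) {
    fwrite(STDERR, "TLS handshake failed ($errno): $errstr\n");
} else {
    echo "Verified TLS connection to $host\n";
    fclose($socket);
}
```

If the handshake fails with the pinned file, check that the PEM you passed is the certificate the server actually presents (for example via the capture_peer_cert context option) before loosening anything.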