使用带有 SSL 证书的 PHP cURL 时出错

2022-01-25 00:00:00 ssl certificate curl php

我正在尝试使用 cURL 编写一个 PHP 脚本,该脚本可以通过使用 SSL 证书的页面以及用户名和密码来授权用户,但我似乎无法通过 SSL 证书阶段.

I'm trying to write a PHP script using cURL that can authorize a user through a page that uses an SSL certificate, in addition to username and password, and I can't seem to get past the SSL cert stage.

在这种情况下,curl_setopt($handle, CURLOPT_VERIFYPEER, 0) 不幸的是不是一个选项.证书是身份验证的必需部分,否则我会收到 this other similar SO发帖.

In this case, curl_setopt($handle, CURLOPT_VERIFYPEER, 0) unfortunately isn't an option. The certificate is a required part of authentication, otherwise I get the error mentioned in this other similar SO post.

我已经用 cURL 尝试了一些命令行运行:

I've tried a few command-line runs with cURL:

<代码>>curl --url https://网站

这将返回 (60) SLL 证书问题 错误.如果我调整命令以包含 --cacert 选项:

This returns the (60) SLL certificate problem error. If I adjust the command to include the --cacert option:

<代码>>curl --url https://website --cacert/path/to/servercert.cer

它工作得很好;授权网站返回.

It works just fine; the auth website is returned.

但是,我尝试了以下 PHP 代码:

However, I've tried the following PHP code:

$handle = curl_init();
$options = array( 
                  CURLOPT_RETURNTRANSFER => false,
                  CURLOPT_HEADER         => true,
                  CURLOPT_FOLLOWLOCATION => false,
                  CURLOPT_SSL_VERIFYHOST => '0',
                  CURLOPT_SSL_VERIFYPEER => '1',
                  CURLOPT_CAINFO         => '/path/to/servercert.cer',
                  CURLOPT_USERAGENT      => 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
                  CURLOPT_VERBOSE        => true,
                  CURLOPT_URL            => 'https://website'
           );

curl_setopt_array($handle, $options);
curl_exec($handle);
if (curl_errno($handle)) {
  echo 'Error: ' . curl_error($handle);
}
curl_close($handle);

我原以为代码本质上类似于 shell 命令,但我却收到以下错误消息:

I would have thought the code was essentially analogous to the shell commands, but instead I'm greeted with the following error message:

错误:设置证书验证位置时出错:CAfile:/path/to/servercert.cer CApath: none

Error: error setting certificate verify locations: CAfile: /path/to/servercert.cer CApath: none

我已经阅读了我能找到的所有文献(尤其是关于 php.net 和 curl.haxx),但似乎找不到任何可以解决这个问题的东西.有什么建议吗?

I've read all the literature I can find (particularly on php.net and curl.haxx) and can't seem to find anything that fixes this problem. Any suggestions?

我试过 chmod 777 servercert.cer 没有成功.但是,在命令行使用上述代码而不是浏览器通过 php test.php 执行 PHP 脚本时,它可以完美运行.任何解释为什么它在浏览器中不起作用?

I have tried chmod 777 servercert.cer with no success. However, in executing the PHP script with the above code from the command line instead of the browser via php test.php, it works perfectly. Any explanation for why it doesn't work in the browser?

推荐答案

因为事情是通过命令行而不是通过使用 curl 的 php 工作的,所以我会追究 curl 的问题.

Because things work via the command line but not via php using curl then I would pursue curl being the problem.

根据此网址,http://curl.haxx.se/docs/sslcerts.html,这是您在上面引用的 SO 帖子中的引用( 阅读 SSL 页面卷曲 (php) )...

According to this URL, http://curl.haxx.se/docs/sslcerts.html, which was reference in an SO post you cited above ( reading SSL page with CURL (php) )...

直到 7.18.0,curl 捆绑了一个严重过时的 ca 捆绑文件,该文件是默认安装.这些天来,curl 档案中没有 ca 证书全部.你需要把它们带到别处.例如,请参见下文.

"Until 7.18.0, curl bundled a severely outdated ca bundle file that was installed by default. These days, the curl archives include no ca certs at all. You need to get them elsewhere. See below for example.

如果远程服务器使用自签名证书,如果您没有安装 CA证书捆绑包,如果服务器使用由非 CA 签名的证书包含在您使用的捆绑包中,或者如果远程主机是冒名顶替者冒充您最喜欢的站点,并且您想从该站点传输文件服务器,请执行以下操作之一:"

If the remote server uses a self-signed certificate, if you don't install a CA cert bundle, if the server uses a certificate signed by a CA that isn't included in the bundle you use or if the remote host is an impostor impersonating your favorite site, and you want to transfer files from this server, do one of the following:"

然后列出您可以尝试的一些步骤.

It then goes on to list a number of steps that you can try.

由于您的 7.16.3 版本的 curl 早于 7.18.0,如果您还没有,我建议您更新您的 curl 和 openssl 组件,然后完成上面引用的列表.

Since your 7.16.3 version of curl is prior to 7.18.0, if you haven't already, I would recommend updating your curl and openssl components and then working through the list referenced above.

相关文章