如何在 Web 服务器中从 PHP 建立 TLS 连接,并且安全
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3153206/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to make TLS connection from PHP in web server, and safely
提问by Jim Flood
Suppose I have some PHP code running inside a web server, for example, running a simple CakePHP app. From this app, I want to occasionally make a TLS connection out to some server to exchange some data. How is this typically done? (I have little experience with PHP.)
假设我在 Web 服务器中运行了一些 PHP 代码,例如,运行一个简单的 CakePHP 应用程序。从这个应用程序中,我想偶尔与某个服务器建立 TLS 连接以交换一些数据。这通常是如何完成的?(我对 PHP 的经验很少。)
What PHP plug-ins or libraries or whatever, are recommended to accomplish TLS connections? Where are some good places to start looking? (My initial Google searches give me a huge ratio of noise to signal.)
建议使用哪些 PHP 插件或库或其他什么来完成 TLS 连接?从哪里开始寻找一些好的地方?(我最初的谷歌搜索给了我很大的噪声与信号的比率。)
What are the security issues involved with having the X509 private key sitting on the web server? To make a TLS connection out, I'm going to need both the X509 certificate and the corresponding private key, as perhaps PEM files, or DER files, or in a Java keystore, or whatever. Is that private key going to be sitting somewhere vulnerable under the web root? How is this typically handled? What are the security issues, specifically, of securing the private key that is to be used to make a TLS connection out? What are the best practices?
将 X509 私钥放在 Web 服务器上会涉及哪些安全问题?要建立 TLS 连接,我将需要 X509 证书和相应的私钥,可能是 PEM 文件、DER 文件、Java 密钥库或其他任何文件。该私钥是否会位于网络根目录下的某个易受攻击的地方?这通常是如何处理的?什么是安全问题,特别是保护用于建立 TLS 连接的私钥的安全问题是什么?最佳做法是什么?
Edit: I forgot to mention that the server that the PHP app connects to requires a client certificate to be presented. The client doesneed the private key to connect. Also, the server I am connecting to is notan HTTP server -- I just need to read/write on a plain socket connection to the server (over the SSL/TLS connection).
编辑:我忘了提到 PHP 应用程序连接到的服务器需要提供客户端证书。客户端确实需要私钥才能连接。此外,我连接的服务器不是HTTP 服务器——我只需要在到服务器的普通套接字连接上读/写(通过 SSL/TLS 连接)。
回答by rook
TLS is the proper name, however most people still call it SSL. In PHP you can make this connection using CURL.
TLS 是正确的名称,但大多数人仍然称其为 SSL。在 PHP 中,您可以使用 CURL进行此连接。
With a TLS/SSL client you only need the public key to verify a remote host. This public key is just that public, it doesn't matter if it gets leaked to an attacker. On the server side Apache has access both the public and private key. These keys are protected using normal file access privileges. Under *nix systems these keys are commonly stored somewhere in /etc/, owned by the Apache process and chmod 400is best.
使用 TLS/SSL 客户端,您只需要公钥来验证远程主机。这个公钥就是那个公钥,它是否泄露给攻击者并不重要。在服务器端,Apache 可以访问公钥和私钥。这些密钥使用普通文件访问权限进行保护。在 *nix 系统下,这些密钥通常存储在 中的某个位置/etc/,由 Apache 进程拥有并且chmod 400是最好的。
The easiest authentication method for clients would be a simple username/password. You can use SSL to authenticate both the client and server. This would require you to store the private key somewhere where your PHP app has access, ideally outside of the webroot with a chmod 400, but you could easily rename it to .php or put it in a folder with a .htaccess that contains deny from all. On the server side you can verify the clients certificate using these environmental variables.
客户端最简单的身份验证方法是简单的用户名/密码。您可以使用 SSL 对客户端和服务器进行身份验证。这就需要你有一个存储在您的PHP应用程序访问私有密钥的地方,最好是外面的根目录的chmod 400,但你可以很容易地重新命名为.PHP或把它放在一个文件夹中使用包含的.htaccess deny from all。在服务器端,您可以使用这些环境变量验证客户端证书。
If you just want a TLS connection and not an HTTPs. Then you can use stream_context_set_option by setting the Context Options:
如果您只想要 TLS 连接而不是 HTTPS。然后您可以通过设置Context Options来使用 stream_context_set_option :
<?php
$context = stream_context_create();
$result = stream_context_set_option($context, 'ssl', 'local_cert', '/path/to/keys.pem');
// This line is needed if your cert has a passphrase
$result = stream_context_set_option($context, 'ssl', 'passphrase', 'pass_to_access_keys');
$socket = stream_socket_client('tls://'.$host.':443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
?>
