php: Using CURLOPT_CAINFO with an updated CA bundle causes "certificate verify failed"

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/12305157/

Date: 2020-08-25 03:18:59  Source: igfitidea

Using CURLOPT_CAINFO with updated CA bundle causes certificate verify failed

Tags: php, curl

Asked by Willington Vega

I use cURL to verify PayPal transactions in a WordPress plugin. Recently I started receiving bug reports about users not being able to complete the purchase process because the transaction couldn't be verified. I tracked down the error to:


SSL certificate problem, verify that the CA cert is OK. Details: 
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I found a lot of questions here on StackOverflow related to the same problem; most of them said the solution was to provide a bundle of CAs using cURL's CURLOPT_CAINFO option. I downloaded, and currently ship with the plugin, the most recent version (converted on Jun 28, 2012) of http://curl.haxx.se/ca/cacert.pem. That solved most of the issues I had received.


The problem now is that I just received another report of failed payments and the error was the same: SSL certificate problem, verify that the CA cert is OK. The interesting part is that this time the solution was to remove the CURLOPT_CAINFO option. I'm wondering if there is an explanation for this. I thought using an updated CA bundle, such as the one I downloaded, was a general solution, but it appears to be otherwise.


What would be a general solution for this kind of problem? And what could explain that using the updated CA bundle causes SSL certificate problems instead of fixing them?


This is the cURL configuration:


<?php
    // $content holds the URL-encoded POST body (the transaction data to verify).
    $ch = curl_init("https://www.paypal.com/cgi-bin/webscr");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    if ($response === false) {
        // Surface cURL's own error text; this is where the verify failure shows up.
        error_log('cURL error ' . curl_errno($ch) . ': ' . curl_error($ch));
    }
    curl_close($ch);
?>

UPDATE: The certificate for www.paypal.com is signed by VeriSign. The Certificate Hierarchy (as shown in Firefox) is:


  • VeriSign Class 3 Public Primary Certification Authority - G5
  • VeriSign Class 3 Extended Validation SSL CA
  • www.paypal.com

I can confirm the certificate for VeriSign Class 3 Public Primary Certification Authority - G5 is included in the version I'm using of http://curl.haxx.se/ca/cacert.pem.


Thanks for your help.

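The update above says the poster checked by hand that the G5 root is in the bundle. The following script is an added example (not code from the question or from the plugin) that does that check programmatically: it splits a PEM bundle into certificates, parses each one with OpenSSL, and reports whether a given subject CN is present and how many blocks failed to parse (a truncated or badly converted bundle shows up as unparseable blocks). The bundle path and the function names are assumptions for illustration; the CN is the root from the hierarchy shown above.

```php
<?php
// Added example, not from the original question. Run as:
//   php check_bundle.php /absolute/path/to/cacert.pem
// The default path and the function names are assumptions for illustration.

/**
 * Split a PEM bundle into individual certificate blocks.
 * Returns an array of strings, each "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----".
 */
function pem_certificates(string $bundlePath): array
{
    $pem = file_get_contents($bundlePath);
    if ($pem === false) {
        throw new RuntimeException("cannot read bundle: $bundlePath");
    }
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        $pem,
        $matches
    );
    return $matches[0];
}

/**
 * Map SHA-256 fingerprint => subject CN (or full subject when there is no CN)
 * for every certificate in the bundle. Blocks OpenSSL cannot parse are skipped
 * but counted in $unparseable so a corrupt bundle is visible.
 */
function bundle_subjects(string $bundlePath, int &$unparseable = 0): array
{
    $subjects = [];
    foreach (pem_certificates($bundlePath) as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            $unparseable++;
            continue;
        }
        $fingerprint = openssl_x509_fingerprint($block, 'sha256');
        $subjects[$fingerprint] = $info['subject']['CN'] ?? $info['name'];
    }
    return $subjects;
}

/** True if a certificate whose subject CN equals $cn is in the bundle. */
function bundle_contains_ca(string $bundlePath, string $cn): bool
{
    return in_array($cn, bundle_subjects($bundlePath), true);
}

$bundle = $argv[1] ?? '/path/to/cacert.pem';   // assumed location
$root   = 'VeriSign Class 3 Public Primary Certification Authority - G5';

$unparseable = 0;
$subjects = bundle_subjects($bundle, $unparseable);
printf("%d certificates parsed, %d unparseable blocks\n", count($subjects), $unparseable);
printf("%s: %s\n", $root, bundle_contains_ca($bundle, $root) ? 'present' : 'MISSING');
```

Matching on the subject CN is enough to answer "is this root in the bundle"; if you need to prove that a specific server chain builds against the bundle, pass the bundle to openssl verify (or curl --cacert) instead, since presence of the root does not rule out a missing intermediate.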

Answered by Tim Krins

If you are having this problem, please do not disable peer and host verification as someone has suggested.


This will leave your communications open to potential man-in-the-middle attacks, defeating the purpose of using SSL in the first place.


One potential explanation for this issue is that setting your CURLOPT_CAINFO (especially to an incorrect certificate path; I would double-double check this) overrode the default path on your server.


Once you removed the setting, it returned to its default (which can be set in PHP).


Another thing to keep in mind is that CURLOPT_CAINFO is an absolute path.

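The answer above makes two points: keep verification on, and make sure the CURLOPT_CAINFO path is absolute and actually points at a file, because a wrong path replaces the server's working default store with nothing. The code below is an added example (not the answerer's code and not the plugin's) that enforces both: it resolves the bundle path with realpath, checks it is a readable file containing at least one PEM certificate, and otherwise leaves CURLOPT_CAINFO unset so cURL falls back to the system trust store, with verification still enabled. On failure it raises cURL's error text together with CURLINFO_SSL_VERIFYRESULT, which is what a useful bug report needs. The helper names, the bundle location next to the script, and the cmd=_notify-validate payload are assumptions for illustration.

```php
<?php
// Added example, not from the answer above. Function names, the bundle
// location and the POST payload are assumptions for illustration.

/**
 * Resolve a CA bundle path to an absolute, readable file, or return null so
 * the caller leaves CURLOPT_CAINFO unset and cURL uses the platform default.
 */
function resolve_ca_bundle(?string $path): ?string
{
    if ($path === null) {
        return null;
    }
    $real = realpath($path);   // absolute path with symlinks resolved, false if missing
    if ($real === false || !is_file($real) || !is_readable($real)) {
        error_log("CA bundle not usable, using system default: $path");
        return null;
    }
    // A file with no PEM blocks would make every TLS handshake fail.
    if (strpos((string) file_get_contents($real), '-----BEGIN CERTIFICATE-----') === false) {
        error_log("CA bundle contains no certificates, using system default: $real");
        return null;
    }
    return $real;
}

/** Where the OpenSSL backend looks when CURLOPT_CAINFO is not set (PHP >= 5.6). */
function default_ca_locations(): array
{
    return function_exists('openssl_get_cert_locations') ? openssl_get_cert_locations() : [];
}

/**
 * POST $fields to $url with peer and host verification enforced. Returns the
 * response body or throws with the details needed to diagnose a verify failure.
 */
function https_post(string $url, array $fields, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never set these to false
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $bundle = resolve_ca_bundle($caBundle);
    if ($bundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    }
    $body = curl_exec($ch);
    if ($body === false) {
        $message = sprintf(
            'cURL error %d: %s (ssl_verify_result=%d, ca=%s)',
            curl_errno($ch),
            curl_error($ch),
            curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT),
            $bundle ?? json_encode(default_ca_locations())
        );
        curl_close($ch);
        throw new RuntimeException($message);
    }
    curl_close($ch);
    return $body;
}

// Usage. Assumed layout: the bundle is shipped next to this file; if it is
// absent or unreadable the request still runs against the system store.
try {
    $response = https_post(
        'https://www.paypal.com/cgi-bin/webscr',
        ['cmd' => '_notify-validate'],   // assumed payload for illustration
        __DIR__ . '/cacert.pem'
    );
    echo $response, PHP_EOL;
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

Falling back to the system store is the safe failure mode here: verification stays on, and the log line tells you which bundle was actually used, so a report of "certificate verify failed" can be tied to either a bad plugin path or a genuinely stale trust store rather than guessed at.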

Answered by Abid Hussain

See this URL:


http://davidwalsh.name/php-ssl-curl-error


Or try this:


<?php
// $cid and $pass are the credentials for the third-party API (set elsewhere).
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://thirdparty.com/token.php'); // not the actual site
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
// http_build_query URL-encodes the values; plain string concatenation does not.
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['customer_id' => $cid, 'password' => $pass]));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
// CURLOPT_CAINFO wants an absolute path; a bare 'mozilla.pem' depends on the working directory.
curl_setopt($ch, CURLOPT_CAINFO, __DIR__ . '/mozilla.pem'); /* fixed! */
$result = curl_exec($ch);
if ($result === false) {
    /* error: log what cURL saw instead of failing silently */
    error_log('cURL error ' . curl_errno($ch) . ': ' . curl_error($ch));
} else {
    /* success! */
}
curl_close($ch);