cURL SSL CA Config with Windows Server 2008R2 and PHP 5.2 - cURL SSL CA Config with Windows Server 2008R2 and PHP 5.2

我正在尝试在不禁用 SSL 验证的情况下让 cURL SSL 在 PHP 5.2（我们运行的一些旧代码需要）下正常工作。我已经下载了最新的（1月20日）cacert.pem文件并将其放入我们的PHP dir（E：''PHP）中，然后我运行了一个小测试脚本：

<?php
  function nxs_cURLTest($url, $msg, $testText){  
    $ch = curl_init(); 
    curl_setopt($ch, CURLOPT_URL, $url); 
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36"); 
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
    curl_setopt($ch, CURLOPT_TIMEOUT, 10); 
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_CAINFO, "e:'php'cacert.pem");
    $verbose = fopen('php://temp', 'w+');
    curl_setopt($ch, CURLOPT_STDERR, $verbose);    
    $response = curl_exec($ch); 
    $errmsg = curl_error($ch); 
    $cInfo = curl_getinfo($ch); 
    curl_close($ch); 
    echo "<br />Testing ... ".$url." - ".$cInfo['url']."<br />";
    if (stripos($response, $testText)!==false) 
      echo "....".$msg." - OK<br />"; 
    else 
    { 
      echo "....<b style='color:red;'>".$msg." - Problem</b><br /><pre>"; 
      print_r($errmsg); 
      print_r($cInfo); 
      print_r(htmlentities($response)); 
      echo "</pre>There is a problem with cURL. You need to contact your server admin or hosting provider.<br />";
    }
    rewind($verbose);
    $verboseLog = stream_get_contents($verbose);
    echo "<br />Verbose output:</br />";
    echo "<pre>", htmlspecialchars($verboseLog), "</pre>";    
  }
  nxs_cURLTest("https://www.google.com/", "HTTPS to Google", "Mountain View, CA");
  nxs_cURLTest("https://internalserver.example.com/curl/", "HTTPS to Internal", "Internal Test");
?>

现在，我希望调用内部服务器的SSL将失败，因为它使用不在cacert.pem文件中的自签名证书（一次一步），但我什至无法调用Google工作。这是输出：

Testing ... https://www.google.com/ - https://www.google.com/....HTTPS to Google - Problem
SSL certificate problem, verify that the CA cert is OK. 
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Array
(
    [url] => https://www.google.com/
    [content_type] =>
    [http_code] => 0
    [header_size] => 0
    [request_size] => 0
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0.047
    [namelookup_time] => 0.031
    [connect_time] => 0.047
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 0
    [download_content_length] => -1
    [upload_content_length] => -1
    [starttransfer_time] => 0
    [redirect_time] => 0
)
There is a problem with cURL. You need to contact your server admin or hosting provider.
Verbose output:
* About to connect() to www.google.com port 443 (#0)
*   Trying 216.58.192.100... * connected
* Connected to www.google.com (216.58.192.100) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: e:'php'cacert.pem
    CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0

Testing ... https://internalserver.example.com/curl/ - https://internalserver.example.com/curl/.... HTTPS to InternalServer - Problem
SSL certificate problem, verify that the CA cert is OK. 
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Array
(
    [url] => https://internalserver.example.com/curl/
    [content_type] =>
    [http_code] => 0
    [header_size] => 0
    [request_size] => 0
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0
    [namelookup_time] => 0
    [connect_time] => 0
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 0
    [download_content_length] => -1
    [upload_content_length] => -1
    [starttransfer_time] => 0
    [redirect_time] => 0
)
There is a problem with cURL. You need to contact your server admin or hosting provider.
Verbose output:
* About to connect() to internalserver.example.com port 443 (#0)
*   Trying 192.168.1.10... * connected
* Connected to internalserver.example.com (192.168.1.10) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: e:'php'cacert.pem
    CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details:
  error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0

我在这里看到了两个潜在的问题。

1：Google 仅支持 TLSv1.0、TLSv1.1 和 TLSv1.2。由于您使用的是旧版本的PHP，可能还有cURL和OpenSSL，因此根据错误消息，您可能没有任何TLS支持。

2：在行curl_setopt($ch, CURLOPT_CAINFO, "e:'php'cacert.pem");中，需要转义'，因此它可能无法正确拾取证书的路径。尝试curl_setopt($ch, CURLOPT_CAINFO, "e:''php''cacert.pem");或干脆curl_setopt($ch, CURLOPT_CAINFO, "e:/php/cacert.pem");

但是根据错误消息，SSL3_GET_SERVER_CERTIFICATE:certificate verify failed我认为这是第一个问题。

检查<?php phpinfo() ?>，看看PHP有什么cURL和OpenSSL版本。如果是OpenSSL 0.9.8，那么您很可能没有TLS支持。