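I am trying to get cURL SSL working under PHP 5.2 (required by some old code we run) without disabling SSL verification. I have downloaded the latest (January 20) cacert.pem file and put it in our PHP dir (E:\PHP), and then I ran a small test script: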
<?php
// Fetch $url with certificate verification left on and report whether
// $testText appears in the response body.
function nxs_cURLTest($url, $msg, $testText){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    // CA bundle used to verify the server certificate.
    curl_setopt($ch, CURLOPT_CAINFO, "e:\php\cacert.pem");
    // Capture cURL's verbose log in a temporary stream instead of STDERR.
    $verbose = fopen('php://temp', 'w+');
    curl_setopt($ch, CURLOPT_STDERR, $verbose);
    $response = curl_exec($ch);
    $errmsg = curl_error($ch);
    $cInfo = curl_getinfo($ch);
    curl_close($ch);
    echo "<br />Testing ... ".$url." - ".$cInfo['url']."<br />";
    if (stripos($response, $testText)!==false)
        echo "....".$msg." - OK<br />";
    else
    {
        echo "....<b style='color:red;'>".$msg." - Problem</b><br /><pre>";
        print_r($errmsg);
        print_r($cInfo);
        print_r(htmlentities($response));
        echo "</pre>There is a problem with cURL. You need to contact your server admin or hosting provider.<br />";
    }
    // Dump the captured verbose log.
    rewind($verbose);
    $verboseLog = stream_get_contents($verbose);
    echo "<br />Verbose output:<br />";
    echo "<pre>", htmlspecialchars($verboseLog), "</pre>";
}
nxs_cURLTest("https://www.google.com/", "HTTPS to Google", "Mountain View, CA");
nxs_cURLTest("https://internalserver.example.com/curl/", "HTTPS to Internal", "Internal Test");
?>
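Now, I expect the SSL call to the internal server to fail, since it uses a self-signed certificate that is not in the cacert.pem file (one step at a time), but I can't even get the call to Google to work. Here is the output: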
Testing ... https://www.google.com/ - https://www.google.com/....HTTPS to Google - Problem
SSL certificate problem, verify that the CA cert is OK.
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Array
(
[url] => https://www.google.com/
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.047
[namelookup_time] => 0.031
[connect_time] => 0.047
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
)
There is a problem with cURL. You need to contact your server admin or hosting provider.
Verbose output:
* About to connect() to www.google.com port 443 (#0)
* Trying 216.58.192.100... * connected
* Connected to www.google.com (216.58.192.100) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: e:\php\cacert.pem
CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
Testing ... https://internalserver.example.com/curl/ - https://internalserver.example.com/curl/.... HTTPS to InternalServer - Problem
SSL certificate problem, verify that the CA cert is OK.
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Array
(
[url] => https://internalserver.example.com/curl/
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0
[namelookup_time] => 0
[connect_time] => 0
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
)
There is a problem with cURL. You need to contact your server admin or hosting provider.
Verbose output:
* About to connect() to internalserver.example.com port 443 (#0)
* Trying 192.168.1.10... * connected
* Connected to internalserver.example.com (192.168.1.10) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: e:\php\cacert.pem
CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
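I see two potential problems here.
1: Google only supports TLSv1.0, TLSv1.1 and TLSv1.2. Since you are using an old version of PHP, and probably of cURL and OpenSSL as well, you may not have any TLS support, judging by the error message.
2: In the line curl_setopt($ch, CURLOPT_CAINFO, "e:\php\cacert.pem"); the \ needs to be escaped, so it may not be picking up the path to the certificate correctly. Try curl_setopt($ch, CURLOPT_CAINFO, "e:\\php\\cacert.pem"); or simply curl_setopt($ch, CURLOPT_CAINFO, "e:/php/cacert.pem");
But judging by the error message, SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, I think it is the first problem.
Check <?php phpinfo() ?> and see which cURL and OpenSSL versions PHP has. If it is OpenSSL 0.9.8, then you most likely don't have TLS support.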
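An added example, not part of the original question or answer: a PHP 5.2-compatible diagnostic that reports the cURL and OpenSSL versions PHP is linked against and checks that the CA bundle path resolves to a readable PEM file, so both points raised above can be tested directly. The `tlsdiag_*` function names are hypothetical, the path is the forward-slash form suggested in the answer, and the two version strings at the end are constructed samples.

```php
<?php
// Added diagnostic example; the tlsdiag_* names are hypothetical helpers.

// Parse the "OpenSSL/x.y.z" token that curl_version() reports in 'ssl_version'.
function tlsdiag_parseOpenSsl($sslVersion) {
    if (preg_match('#OpenSSL/(\d+)\.(\d+)\.(\d+)#i', $sslVersion, $m)) {
        return array((int)$m[1], (int)$m[2], (int)$m[3]);
    }
    return null; // cURL built against another TLS library, or without TLS
}

// TLS 1.1 and 1.2 were added in OpenSSL 1.0.1; older builds stop at TLS 1.0.
function tlsdiag_hasTls12($v) {
    return $v !== null && version_compare(implode('.', $v), '1.0.1', '>=');
}

// Check that the CA bundle path resolves and contains PEM certificates.
function tlsdiag_checkCaFile($caFile) {
    $r = array('path' => $caFile, 'readable' => is_readable($caFile), 'certs' => 0);
    if ($r['readable']) {
        $r['certs'] = substr_count(file_get_contents($caFile), '-----BEGIN CERTIFICATE-----');
    }
    return $r;
}

function tlsdiag_report($caFile) {
    $cv = curl_version();
    $ossl = tlsdiag_parseOpenSsl($cv['ssl_version']);
    echo "PHP: ", PHP_VERSION, "\n";
    echo "cURL: ", $cv['version'], " (", $cv['ssl_version'], ")\n";
    echo "TLS 1.1/1.2 capable: ", tlsdiag_hasTls12($ossl) ? "yes" : "no", "\n";
    $ca = tlsdiag_checkCaFile($caFile);
    echo "CA file as PHP sees it: ", $ca['path'], "\n";
    echo "Readable: ", $ca['readable'] ? "yes" : "no", ", certificates: ", $ca['certs'], "\n";
}

// Path taken from the answer's forward-slash suggestion.
tlsdiag_report('e:/php/cacert.pem');

// Constructed sample strings, showing the check on an old and a newer build.
foreach (array('OpenSSL/0.9.8k', 'OpenSSL/1.0.2u') as $s) {
    echo $s, " -> TLS 1.2: ", tlsdiag_hasTls12(tlsdiag_parseOpenSsl($s)) ? "yes" : "no", "\n";
}
```

Run it with the same PHP binary that serves the failing script, since the command-line and web server builds can be linked against different cURL and OpenSSL libraries.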