PHP 5.6 SSL certificate verification

I'm trying to debug an SSL certificate verification problem and figure out where OpenSSL is getting the certificate locations that return an incorrect path (see below).

How do I find out where this is set? I can't find any reference to it in the php.ini file.

cmuench-air:bin cmuench$ ./php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/private
    [default_default_cert_area] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl
    [ini_cafile] => 
    [ini_capath] => 
)

php.ini (relevant section)... I don't see bitnami/mampstack56Dev anywhere...

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=
;Curl ca bundle certificate
curl.cainfo="/Applications/phppos/common/openssl/certs/curl-ca-bundle.crt"

Edit:

I know this is stupid, but sometimes the SSL certificates will be self-signed. Is there an ini setting I can modify to disable checking of all certificates, or do I have to do this in code for both sockets and curl?

If you check the PHP source code for the openssl_get_cert_locations() function, it obtains these locations by calling various OpenSSL functions (such as X509_get_default_cert_file) and by looking at the php.ini settings openssl.cafile and openssl.capath described here.

Exactly which certificates/paths are you looking for? If you are trying to get the CA bundle file, you can set the php.ini values referenced above so that they are returned by openssl_get_cert_locations.

The default php.ini file for PHP 5.6 has no default values for these OpenSSL ini settings, since they need to be defined manually. The configuration is located near the end of php.ini:

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

When using cURL, you can use the CURLOPT_CAINFO option, via curl_setopt(), to provide the full path to a file holding one or more certificates to verify the peer with:

curl_setopt($ch, CURLOPT_CAINFO, "/path/to/ca/bundle");

It can also be set in php.ini:

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
;curl.cainfo =
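Putting the two halves of the answer together, as an added example that is not code from the original post: the CA bundle is resolved in the order the answer describes (php.ini values first, then OpenSSL's compiled-in defaults) and then used for both a stream context and a cURL handle with peer verification kept on. The URL and the self-signed certificate path are assumptions.

```php
<?php
// Added example, not from the original post: pick the CA bundle the way the
// answer describes PHP doing it (php.ini openssl.cafile/openssl.capath, then
// OpenSSL's compiled-in defaults) and use it with peer verification kept on.
function resolve_ca_bundle() {
    $loc = openssl_get_cert_locations();
    $ca = array();
    // ini_cafile comes from openssl.cafile; default_cert_file is the
    // X509_get_default_cert_file() value baked into this OpenSSL build.
    foreach (array($loc['ini_cafile'], $loc['default_cert_file']) as $f) {
        if (!empty($f) && is_readable($f)) { $ca['cafile'] = $f; break; }
    }
    foreach (array($loc['ini_capath'], $loc['default_cert_dir']) as $d) {
        if (!empty($d) && is_dir($d)) { $ca['capath'] = $d; break; }
    }
    return $ca;
}
// Stream context for file_get_contents()/stream_socket_client() over TLS.
function verified_stream_context(array $ca) {
    $ssl = array('verify_peer' => true, 'verify_peer_name' => true);
    if (isset($ca['cafile'])) {
        $ssl['cafile'] = $ca['cafile'];
    } elseif (isset($ca['capath'])) {
        $ssl['capath'] = $ca['capath'];
    }
    return stream_context_create(array('ssl' => $ssl));
}
// cURL handle with the same trust anchor via CURLOPT_CAINFO / CURLOPT_CAPATH.
function verified_curl_handle($url, array $ca) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    if (isset($ca['cafile'])) {
        curl_setopt($ch, CURLOPT_CAINFO, $ca['cafile']);
    } elseif (isset($ca['capath'])) {
        curl_setopt($ch, CURLOPT_CAPATH, $ca['capath']);
    }
    return $ch;
}
$ca = resolve_ca_bundle();
if (!$ca) {
    fwrite(STDERR, "No readable CA bundle found; set openssl.cafile in php.ini\n");
    exit(1);
}
// For a self-signed server, point cafile at that server's own certificate
// (assumed path) rather than turning verification off:
// $ca = array('cafile' => '/path/to/that-server.pem');
$ch = verified_curl_handle('https://example.com/', $ca);   // URL is an assumption
var_dump(curl_exec($ch) !== false, curl_error($ch));
```

If the script exits with the "No readable CA bundle" message, the paths printed by openssl_get_cert_locations() do not exist on this machine, which is exactly the mismatch the question describes.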