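There are two ways to get an HTTPS request made with curl to work:

Method 1: disable verification of the certificate and the host.

Before calling curl_exec(), set these options: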

$ch = curl_init();

......

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

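Method 2: configure a correct certificate.

The local SSL CA certificate file is too old, so the connection fails with an error saying the SSL certificate is not correct.

We need to download a new local SSL CA file: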

http://curl.haxx.se/ca/cacert.pem

Put it in the program's directory.

Add the following configuration to curl:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/cacert.pem');

Done.

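(I could not get this to pass verification... The error message was: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

If you are interested in this, see this article by an expert abroad: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/

In case that article gets blocked one day, I have copied it here. The content is as follows: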

Using cURL in PHP to access HTTPS (SSL/TLS) protected sites

From PHP, you can access the useful cURL Library (libcurl) to make requests to URLs using a variety of protocols such as HTTP, FTP, LDAP and even Gopher. (If you’ve spent time on the *nix command line, most environments also have the curl command available that uses the libcurl library.)

In practice, however, the most commonly-used protocol tends to be HTTP, especially when using PHP for server-to-server communication. Typically this involves accessing another web server as part of a web service call, using some method such as XML-RPC or REST to query a resource. For example, Delicious offers an HTTP-based API to manipulate and read a user’s posts. However, when trying to access an HTTPS resource (such as the delicious API), there’s a little more configuration you have to do before you can get cURL working right in PHP.

The problem

If you simply try to access an HTTPS (SSL or TLS-protected) resource in PHP using cURL, you’re likely to run into some difficulty. Say you have the following code (error handling omitted for brevity):

// Initialize session and set URL.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
// Set so curl_exec returns the result instead of outputting it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Get the response and close the channel.
$response = curl_exec($ch);
curl_close($ch);

If $url points toward an HTTPS resource, you’re likely to encounter an error like the one below:

Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The problem is that cURL has not been configured to trust the server’s HTTPS certificate. The concepts of certificates and PKI revolve around the trust of Certificate Authorities (CAs), and by default, cURL is set up to not trust any CAs, thus it won’t trust any web server’s certificate. So why don’t you have problems visiting HTTPS sites through your web browser? As it happens, the browser developers were nice enough to include a list of default CAs to trust, covering most situations, as long as the website operator purchased a certificate from one of these CAs.

The quick fix

There are two ways to solve this problem. Firstly, we can simply configure cURL to accept any server (peer) certificate. This isn’t optimal from a security point of view, but if you’re not passing sensitive information back and forth, this is probably alright. Simply add the following line before calling curl_exec():

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

This basically causes cURL to blindly accept any server certificate, without doing any verification as to which CA signed it, and whether or not that CA is trusted. If you’re at all concerned about the data you’re passing to or receiving from the server, you’ll want to enable this peer verification properly. Doing so is a bit more complicated.

The proper fix

The proper fix involves setting the CURLOPT_CAINFO parameter. This is used to point towards a CA certificate that cURL should trust. Thus, any server/peer certificates issued by this CA will also be trusted. In order to do this, we first need to get the CA certificate. In this example, I’ll be using the https://api.del.icio.us/ server as a reference.

First, you’ll need to visit the URL with your web browser in order to grab the CA certificate. Then, (in Firefox) open up the security details for the site by double-clicking on the padlock icon in the lower right corner:

Then click on “View Certificate”:

Bring up the “Details” tab of the certificates page, and select the certificate at the top of the hierarchy. This is the CA certificate.

Then click “Export”, and save the CA certificate to your selected location, making sure to select the X.509 Certificate (PEM) as the save type/format.

Now we need to modify the cURL setup to use this CA certificate, with CURLOPT_CAINFO set to point to where we saved the CA certificate file to.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");

The other option I’ve included, CURLOPT_SSL_VERIFYHOST can be set to the following integer values:

If you have CURLOPT_SSL_VERIFYPEER set to false, then from a security perspective, it doesn’t really matter what you’ve set CURLOPT_SSL_VERIFYHOST to, since without peer certificate verification, the server could use any certificate, including a self-signed one that was guaranteed to have a CN that matched the server’s host name. So this setting is really only relevant if you’ve enabled certificate verification.

This ensures that not just any server certificate will be trusted by your cURL session. For example, if an attacker were to somehow redirect traffic from api.delicious.com to their own server, the cURL session here would not properly initialize, since the attacker would not have access to a server certificate (i.e. would not have the private key) trusted by the CA we added. These steps effectively export the trusted CA from the web browser to the cURL configuration.
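The verified configuration described above, wrapped into one request helper as an added example (not code from the original article): it keeps both verification options on, checks the CA file before use, and reports certificate failures such as error 60 separately from other errors. The names https_get_verified and TlsVerificationException and the grouping of error numbers are assumptions of this example.

```php
<?php
// Added example, not from the original article. https_get_verified() and
// TlsVerificationException are hypothetical names chosen for illustration.
class TlsVerificationException extends RuntimeException {}

function https_get_verified(string $url, string $caFile): string
{
    if (!is_file($caFile) || !is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,    // chain must end at a CA in $caFile
        CURLOPT_SSL_VERIFYHOST  => 2,       // certificate must match the host in $url
        CURLOPT_CAINFO          => $caFile,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,  // refuse plain HTTP
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,  // also on redirects
        CURLOPT_TIMEOUT         => 30,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    if ($body === false) {
        // 60: certificate verify failed (the error quoted above); 51: peer verification
        // failure in older libcurl; 77: problem reading the CA file.
        if (in_array($errno, [51, 60, 77], true)) {
            throw new TlsVerificationException("TLS verification failed ($errno): $error");
        }
        throw new RuntimeException("Request failed ($errno): $error");
    }
    return $body;
}

// Usage from the command line: php fetch.php <https-url> <path-to-ca.pem>
if (PHP_SAPI === 'cli' && $argc === 3) {
    try {
        echo strlen(https_get_verified($argv[1], $argv[2])), " bytes received\n";
    } catch (TlsVerificationException $e) {
        // Trust problem: fix the CA file or the server, never switch verification off.
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(2);
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```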

More information

If you have the CA certificate, but it is not in the PEM format (i.e. it is in a binary or DER format that isn’t Base64-encoded), you’ll need to use something like OpenSSL to convert it to the PEM format. The exact command differs depending on whether you’re converting from PKCS12 or DER format.

There is a CURLOPT_CAPATH option that allows you to specify a directory that holds multiple CA certificates to trust. But it’s not as simple as dumping every single CA certificate in this directory. Instead, the CA certificates must be named properly, and the OpenSSL c_rehash utility can be used to properly set up this directory for use by cURL.
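An added example (not from the original article) that checks a file before it is handed to CURLOPT_CAINFO: it wraps a DER certificate in PEM and lists every certificate in the file with its expiry status. The helper names are hypothetical, a file without a PEM header is assumed to hold a single DER-encoded X.509 certificate, and the sample CA is constructed at run time.

```php
<?php
// Added example: der_to_pem() and inspect_ca_file() are hypothetical helper names.

function der_to_pem(string $der): string
{
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split(base64_encode($der), 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

function inspect_ca_file(string $path, ?int $now = null): array
{
    $raw = @file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("CA file not readable: $path");
    }
    $format = 'PEM';
    if (strpos($raw, '-----BEGIN CERTIFICATE-----') === false) {
        $raw = der_to_pem($raw);   // no PEM header: assume one DER certificate
        $format = 'DER';
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $raw, $m);
    $rows = [];
    foreach ($m[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            throw new RuntimeException("Not a valid X.509 certificate in $path");
        }
        $rows[] = [
            'format'  => $format,
            'subject' => $info['subject']['CN'] ?? $info['name'],
            'expired' => $info['validTo_time_t'] < ($now ?? time()),
        ];
    }
    return $rows;
}

// Constructed sample: a throwaway self-signed CA valid for 30 days, saved as DER.
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'Constructed Test CA'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
openssl_x509_export($cert, $pem);
$der  = base64_decode(preg_replace('/-----[^-]+-----|\s/', '', $pem));
$path = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($path, $der);
print_r(inspect_ca_file($path));                       // checked against the current time
print_r(inspect_ca_file($path, time() + 86400 * 60));  // checked as if 60 days from now
unlink($path);
```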

Article reposted from: http://www.cnblogs.com/ainiaa/archive/2011/11/08/2241385.html

Reposted from: https://www.cnblogs.com/languis/p/4262413.html
