Published 3 February 2024 (author:)

The proper fix

First, you'll need to visit the URL with your web browser in order to grab the CA certificate. Then (in Firefox) open up the security details for the site by double-clicking on the padlock icon in the lower right corner. Then click on "View Certificate". Bring up the "Details" tab of the certificates page, and select the certificate at the top of the hierarchy. This is the CA certificate. Click "Export", and save the CA certificate to your selected location, making sure to select X.509 Certificate (PEM) as the save type/format.

Now we need to modify the cURL setup to use this CA certificate, with CURLOPT_CAINFO set to point to where we saved the CA certificate file:

// require the server certificate to chain to a CA we trust
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
// require the certificate's name to match the host we are connecting to
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// path to the exported PEM file (CAINFO takes a file, not a directory)
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/");

The other option I've included,

CURLOPT_SSL_VERIFYHOST can be set to the following integer values:

0: Don't check the common name (CN) attribute
1: Check that the common name attribute at least exists
2: Check that the common name exists and that it matches the host name of the server

If you have CURLOPT_SSL_VERIFYPEER set to false, then from a security perspective it doesn't really matter what you've set CURLOPT_SSL_VERIFYHOST to, since without peer certificate verification the server could use any certificate, including a self-signed one that was guaranteed to have a CN that matched the server's host name. So this setting is really only relevant if you've enabled certificate verification.

Enabling peer verification ensures that not just any server certificate will be trusted by your cURL session. For example, if an attacker were to somehow redirect traffic to their own server, the cURL session here would not properly initialize, since the attacker would not have access to a server certificate (and would not have the private key) trusted by the CA we added. These steps effectively export the trusted CA from the web browser to the cURL session.

Additional information

If you have the CA certificate, but it is not in the PEM format (i.e. it is in a binary or DER format that isn't Base64-encoded), you'll need to use something like OpenSSL to convert it to the PEM format. The exact command differs depending on whether you're converting from PKCS12 or DER.

There is also a CURLOPT_CAPATH option that allows you to specify a directory that holds multiple CA certificates to trust. But it's not as simple as dumping every single CA certificate in this directory. Instead, the CA certificates must be named properly, and the directory must be set up correctly before cURL can use it.
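As an added example (not code from the original article), the following PHP helpers apply the three cURL options discussed above with the checks a practitioner would want around them: the CA file is confirmed to exist and to be PEM before the handle is built, and a failed handshake raises an exception instead of returning a `false` that callers might ignore. It also includes a DER-to-PEM converter for the case just described, since PEM is only the Base64 encoding of the DER bytes between BEGIN/END markers. The file paths and host name in the usage comments are assumptions.

```php
<?php
// Added example, not the article's code. Paths and host names are assumptions.

/**
 * Convert a DER-encoded X.509 certificate to PEM. PEM is the Base64 encoding
 * of the DER bytes, wrapped at 64 columns between BEGIN/END markers, so this
 * direction needs no OpenSSL call at all.
 */
function der_to_pem(string $der): string
{
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split(base64_encode($der), 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * True when the file already looks like a PEM certificate (or PEM bundle).
 * A DER file handed to CURLOPT_CAINFO makes every handshake fail, so catch
 * that mistake before the first request rather than in production logs.
 */
function is_pem_file(string $path): bool
{
    $head = @file_get_contents($path, false, null, 0, 64);
    return $head !== false && strpos($head, '-----BEGIN CERTIFICATE-----') !== false;
}

/**
 * Build a cURL handle that only trusts servers whose certificate chains to a
 * CA in $caFile and whose certificate name matches the host in $url.
 */
function secure_curl_handle(string $url, string $caFile)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    if (!is_pem_file($caFile)) {
        throw new RuntimeException("CA file is not PEM encoded: $caFile");
    }

    $ch = curl_init($url);
    // VERIFYPEER: the server certificate must chain to a CA in $caFile.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    // VERIFYHOST 2: the certificate's name must match the host in $url.
    // Current libcurl no longer offers the weaker check 1 (since 7.66.0 it
    // is treated the same as 2), so 2 is the only value worth setting.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // CAINFO names a single PEM file (which may hold several certificates);
    // CURLOPT_CAPATH is the option for a directory of CA files.
    curl_setopt($ch, CURLOPT_CAINFO, $caFile);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

/**
 * Perform the request; a verification failure becomes an exception that
 * carries libcurl's reason, e.g. "SSL certificate problem: unable to get
 * local issuer certificate" when the chain does not lead to $caFile.
 */
function fetch_verified(string $url, string $caFile): string
{
    $ch = secure_curl_handle($url, $caFile);
    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("request to $url failed ($errno): $error");
    }
    curl_close($ch);
    return $body;
}

// Usage (file names and host are assumptions for this example):
// $pem = der_to_pem(file_get_contents(__DIR__ . '/CAcerts/ca.der'));
// file_put_contents(__DIR__ . '/CAcerts/ca.pem', $pem);
// echo fetch_verified('https://example.com/', __DIR__ . '/CAcerts/ca.pem');
```

The converter covers the DER case only; a PKCS12 bundle is a different container (it is usually password-protected and holds a private key as well) and still needs OpenSSL to extract the certificate. If you do use CURLOPT_CAPATH instead of CURLOPT_CAINFO, the directory must be indexed by subject-name hash, which OpenSSL's c_rehash utility does for you.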