에서 originaly.
'CURLOPT_SSL_VERIFYPEER'도 'true'로 설정해야합니다.
cacert.crt here에 대해 더 자세히 읽고 알아볼 수 있습니다. 이용 약관을 읽었는지 확인하십시오.
예. 최대한의 전달 보안을 위해 모든 옵션이 필요합니다.
TLS 보안 및 구현에 대한 자세한 내용은 here을 참조하십시오.
다음은 각 옵션의 역할에 대한 설명입니다.
/**
*
* Start Fix SSLv3/TLS connectivity problems
*
* CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER prevent MITM attacks
* WARNING: Disabling this would prevent curl from detecting Man-in-the-middle (MITM) attack
*
*/
/**
* @param CURLOPT_SSL_VERIFYPEER
*
* FALSE to stop CURL from verifying the peer's certificate.
* Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.
* CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
* Setting CURLOPT_SSL_VERIFYHOST to 2 (This is the default value) will garantee that the certificate being presented to you have a 'common name' matching the URN you are using to access the remote resource.
* This is a healthy check but it doesn't guarantee your program is not being decieved.
*
*/
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
/**
*
* @param CURLOPT_SSL_VERIFYHOST
*
* Check the existence of a common name in the SSL peer certificate.
* Check the existence of a common name and also verify that it matches the hostname provided.
*
* @value 1 to check the existence of a common name in the SSL peer certificate.
* @value 2 to check the existence of a common name and also verify that it matches the hostname provided.
* In production environments the value of this option should be kept at 2 (default value).
* Support for value 1 removed in cURL 7.28.1
*/
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
/**
*
* Force use of TLS
*
*/
/**
*
* Let's explain the magic of comparing your TLS certificate to the verified CA Authorities and how does that affect MITM attacks
*
* Man in the middle (MITM)
* Your program could be misleaded into talking to another server instead. This can be achieved through several mechanisms, like dns or arp poisoning.
* The intruder can also self-sign a certificate with the same 'comon name' your program is expecting.
* The communication would still be encrypted but you would be giving away your secrets to an impostor.
* This kind of attack is called 'man-in-the-middle'
* Defeating the 'man-in-the-middle'
* We need to to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonable* trust.
* If the remote resource is protected by a certificate issued by one of the main CA's like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle,
* which you can get from http://curl.haxx.se/docs/caextract.html
*
*/
//TODO: If TLSv1_1 found insecure and/or unreliable change to TLSv1_1 or TLS1_2
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); // CURL_SSLVERSION_TLSv1_1; CURL_SSLVERSION_TLSv1_2
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
$crt = substr(__FILE__, 0, strrpos(__FILE__, '\\'))."\crt\cacert.crt"; // WIN
}
else {
$crt = str_replace('\\', '/', substr(__FILE__, 0, strrpos(__FILE__, '/')))."/crt/cacert.crt"; // *NIX
}
// The cert path is relative to this file
curl_setopt($ch, CURLOPT_CAINFO, $crt); // Set the location of the CA-bundle
/**
* Fix Error: 35 - Unknown SSL protocol error in connections
*
* Improve maximum forward secrecy
*/
// Please keep in mind that this list has been checked against the SSL Labs' WEAK ciphers list in 2014.
$arrayCiphers = array(
'DHE-RSA-AES256-SHA',
'DHE-DSS-AES256-SHA',
'AES256-SHA',
'ADH-AES256-SHA',
'KRB5-DES-CBC3-SHA',
'EDH-RSA-DES-CBC3-SHA',
'EDH-DSS-DES-CBC3-SHA',
'DHE-RSA-AES128-SHA',
'DHE-DSS-AES128-SHA',
'ADH-AES128-SHA',
'AES128-SHA',
'KRB5-DES-CBC-SHA',
'EDH-RSA-DES-CBC-SHA',
'EDH-DSS-DES-CBC-SHA:DES-CBC-SHA',
'EXP-KRB5-DES-CBC-SHA',
'EXP-EDH-RSA-DES-CBC-SHA',
'EXP-EDH-DSS-DES-CBC-SHA',
'EXP-DES-CBC-SHA'
);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, implode(':', $arrayCiphers));
기타 문의 사항이 있으면 알려주세요.
TLS는 본질적으로 SSL 3.1입니다. 이름 변경 일뿐입니다. TLS를 사용하는 코드가 아니라는 사실을 나타내는 지표가 있습니까? – deceze
아니요, 그냥 메모 양식 EPDQ로 알려 드리겠습니다. "더 이상 SSL 암호화를 지원하지 않습니다." – davecheet
어쨌든 확인할 수 있습니까? – davecheet