2014-11-04 3 views
1

Modify PHP code to use TLS instead of SSL

I have a custom payment system that uses PHP to send buyers to Barclays EPDQ to make their payment. EPDQ no longer supports SSL, so I need to convert it to use TLS.

Looking at the page, it seems there is a small block of code that needs editing. I'm out of my depth here. Can anyone suggest the changes I could make? Or is it not as simple as I think?

Here is the bit I think needs editing:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://" . $requesthost . $requestdocument);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $requestbody);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$responsedata = curl_exec($ch);
+1

TLS is essentially SSL 3.1. It's just a name change. Is there any indication that the code is not using TLS? – deceze

+0

No, just a note from EPDQ telling us: "We no longer support SSL encryption." – davecheet

+0

Is there any way to check? – davecheet

Answers

0

Originally from here.

'CURLOPT_SSL_VERIFYPEER' should also be set to 'true'.

You can read and find out more about cacert.crt here. Make sure you read the terms and conditions.

Yes. All of the options are needed for maximum forward secrecy.

See here for more about TLS security and implementation.

Here is an explanation of what each option does:

/**
 * Start: fix SSLv3/TLS connectivity problems
 *
 * CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER prevent MITM attacks.
 * WARNING: disabling them would stop curl from detecting a man-in-the-middle (MITM) attack.
 */

/**
 * @param CURLOPT_SSL_VERIFYPEER
 *
 * FALSE stops cURL from verifying the peer's certificate.
 * Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option, or a certificate directory can be specified with the CURLOPT_CAPATH option.
 * CURLOPT_SSL_VERIFYHOST may also need to be set explicitly if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
 * Setting CURLOPT_SSL_VERIFYHOST to 2 (the default value) guarantees that the certificate presented to you has a 'common name' matching the hostname you are using to access the remote resource.
 * This is a healthy check, but on its own it does not guarantee your program is not being deceived.
 */
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

/**
 * @param CURLOPT_SSL_VERIFYHOST
 *
 * @value 1 checks for the existence of a common name in the SSL peer certificate.
 * @value 2 checks for the existence of a common name and also verifies that it matches the hostname provided.
 * In production environments the value of this option should be kept at 2 (the default value).
 * Support for value 1 was removed in cURL 7.28.1.
 */
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

/**
 * Let's explain the magic of comparing the peer's TLS certificate against the trusted CA authorities, and how that affects MITM attacks.
 *
 * Man in the middle (MITM)
 * Your program could be misled into talking to another server instead. This can be achieved through several mechanisms, like DNS or ARP poisoning.
 * The intruder can also self-sign a certificate with the same 'common name' your program is expecting.
 * The communication would still be encrypted, but you would be giving away your secrets to an impostor.
 * This kind of attack is called 'man-in-the-middle'.
 *
 * Defeating the 'man-in-the-middle'
 * We need to verify that the certificate being presented to us is genuine. We do this by comparing it against a certificate we reasonably trust.
 * If the remote resource is protected by a certificate issued by one of the main CAs like Verisign, GeoTrust et al., you can safely compare against Mozilla's CA certificate bundle,
 * which you can get from http://curl.haxx.se/docs/caextract.html
 */

/**
 * Force use of TLS
 */
// TODO: if TLSv1.2 is ever found insecure and/or unreliable, move to a newer TLS version
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); // older fallbacks: CURL_SSLVERSION_TLSv1_1, CURL_SSLVERSION_TLSv1_0

// The CA bundle path is relative to this file; DIRECTORY_SEPARATOR covers both Windows and *NIX
$crt = __DIR__ . DIRECTORY_SEPARATOR . 'crt' . DIRECTORY_SEPARATOR . 'cacert.crt';
curl_setopt($ch, CURLOPT_CAINFO, $crt); // Set the location of the CA bundle

/**
 * Fix Error: 35 - Unknown SSL protocol error in connections
 *
 * Improve maximum forward secrecy
 */
// Please keep in mind that this list was checked against SSL Labs' WEAK ciphers list in 2014.
// Note: the ADH-* suites are anonymous (no certificate authentication) and the EXP-*/DES-CBC suites are export-grade or single DES;
// current OpenSSL builds reject them, and cURL fails the connection if no suite in the list is usable.
$arrayCiphers = array(
    'DHE-RSA-AES256-SHA',
    'DHE-DSS-AES256-SHA',
    'AES256-SHA',
    'ADH-AES256-SHA',
    'KRB5-DES-CBC3-SHA',
    'EDH-RSA-DES-CBC3-SHA',
    'EDH-DSS-DES-CBC3-SHA',
    'DHE-RSA-AES128-SHA',
    'DHE-DSS-AES128-SHA',
    'ADH-AES128-SHA',
    'AES128-SHA',
    'KRB5-DES-CBC-SHA',
    'EDH-RSA-DES-CBC-SHA',
    'EDH-DSS-DES-CBC-SHA',
    'DES-CBC-SHA',
    'EXP-KRB5-DES-CBC-SHA',
    'EXP-EDH-RSA-DES-CBC-SHA',
    'EXP-EDH-DSS-DES-CBC-SHA',
    'EXP-DES-CBC-SHA'
);

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, implode(':', $arrayCiphers));

Let me know if you have any other questions.
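As an added example (not code from the question, the answer or EPDQ), here is the question's cURL block rebuilt as one function that forces TLS 1.2, verifies the peer against a CA bundle, and reads the negotiated protocol back out of cURL's verbose log, which is one way to answer the "is there any way to check?" comment. The $requesthost, $requestdocument and $requestbody variables are taken from the question; the CA-bundle path is a placeholder.

```php
<?php
// Added example, not from the question or answer. Host, document and CA-bundle path are placeholders.
function epdq_post($host, $document, $body, $caBundle)
{
    $ch = curl_init('https://' . $host . $document);
    $verbose = fopen('php://temp', 'w+'); // receives cURL's handshake log

    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // refuse SSLv3 and TLS 1.0/1.1 (constant needs PHP >= 5.5.19)
        CURLOPT_SSL_VERIFYPEER => true,                    // validate the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,                       // certificate name must match $host
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $verbose,
    ));

    $response = curl_exec($ch);
    $errno    = curl_errno($ch);
    $error    = curl_error($ch);
    $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    rewind($verbose);
    $log = stream_get_contents($verbose);
    fclose($verbose);

    // With the OpenSSL backend cURL logs a line such as
    // "* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256"
    $tls = preg_match('/SSL connection using (TLSv1\.\d)/', $log, $m) ? $m[1] : null;

    if ($response === false) {
        // Error 35 (handshake failure) and 60 (certificate verification failed) land here.
        // Do not "fix" these by disabling verification or re-enabling SSLv3.
        throw new RuntimeException("EPDQ request failed (cURL error $errno): $error");
    }
    return array('status' => $status, 'tls' => $tls, 'body' => $response);
}

// Usage: $requesthost / $requestdocument / $requestbody as in the question; cacert.pem is
// Mozilla's bundle from http://curl.haxx.se/docs/caextract.html (path is a placeholder)
$result = epdq_post($requesthost, $requestdocument, $requestbody, __DIR__ . '/crt/cacert.pem');
if ($result['tls'] !== 'TLSv1.2' && $result['tls'] !== 'TLSv1.3') {
    throw new RuntimeException('Expected a TLS 1.2+ connection, got ' . var_export($result['tls'], true));
}
$responsedata = $result['body'];
```

If the handshake fails with cURL error 60, the bundle path or the server's chain is the problem, not the protocol setting; leave CURLOPT_SSL_VERIFYPEER on and fix the bundle.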
