
Enabling SSLv3 support for PHP 5.4.4 SoapClient

With this code:

$soap = new SoapClient('https://test-api.geotrust.com/webtrust/query.jws?WSDL');

I am seeing this error:

PHP Fatal error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://test-api.geotrust.com/webtrust/query.jws?WSDL' : failed to load external entity "https://test-api.geotrust.com/webtrust/query.jws?WSDL"

If you have PHP 5.5, you can do this:

// ssl_method takes one of the SOAP_SSL_METHOD_* constants (PHP 5.5+)
$soap = new SoapClient($url, array(
    "ssl_method" => SOAP_SSL_METHOD_SSLv23
));

Any such solution for PHP 5.4.4? I cannot upgrade PHP at this time.

I've already tried the sslv3:// suggestion I found online, but it doesn't work on Debian.

Thanks.

SoapClient::SoapClient(): SSL operation failed with code 1. OpenSSL Error messages: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

It sounds like you don't have an SSL/TLS server listening. You can reproduce it with the following. Note the use of port 80 rather than 443.

$ openssl s_client -connect stackoverflow.com:80
CONNECTED(00000003)
140735323054556:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

If you do have an SSL/TLS server listening, then you can try to connect to it using a single protocol:

SSL v3:

openssl s_client -ssl3 -connect example.com:443

TLS 1.0:

openssl s_client -tls1 -connect example.com:443 -servername example.com

TLS 1.1:

openssl s_client -tls1_1 -connect example.com:443 -servername example.com

TLS 1.2:

openssl s_client -tls1_2 -connect example.com:443 -servername example.com

 array ( "ssl_method" => "SOAP_SSL_METHOD_SSLv23" ) 

Just bike shedding, but in C we usually use the 2/3 method and then disable useless protocols and options. For example:

const SSL_METHOD* method = SSLv23_method();
if(method == NULL) handleFailure();

SSL_CTX* ctx = SSL_CTX_new(method);
if(ctx == NULL) handleFailure();

/* Cannot fail ??? */
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);

In the code above, we use the 2/3 method, and then we disable SSLv2 (broken), SSLv3 (weak/wounded) and Compression (broken, leaks information). That means we use TLS 1.0 and above for the connection. If TLS 1.2 is available, then it's used; else if TLS 1.1 is available, then it's used; else TLS 1.0 is used.
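As an added illustration (not code from the posts above and not OpenSSL's source), this simplified C model shows why a plaintext listener yields `unknown protocol`: the first 7 bytes of the reply, the count shown in the `s_client` output above, must form an SSLv2 ServerHello or an SSLv3/TLS record header. The enum and function names are invented for this example and the byte samples are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Names below are invented for this example. */
typedef enum { PEER_NOT_TLS, PEER_ALERT, PEER_SSL2, PEER_SSL3,
               PEER_TLS1_0, PEER_TLS1_1, PEER_TLS1_2 } peer_kind;

/* Classify the first 7 bytes a server sends after the ClientHello.
 * SSLv3/TLS record header: type (0x16 handshake, 0x15 alert),
 * version major 0x03, version minor, 2-byte length, then the body. */
peer_kind classify_first_bytes(const unsigned char *p, size_t n)
{
    if (n < 7)
        return PEER_NOT_TLS;
    /* SSLv2 ServerHello: length high bit set, message type 4, version 0x0002. */
    if ((p[0] & 0x80) && p[2] == 0x04 && p[5] == 0x00 && p[6] == 0x02)
        return PEER_SSL2;
    if (p[1] != 0x03 || p[2] > 0x03)
        return PEER_NOT_TLS;            /* e.g. "HTTP/1." from port 80 */
    if (p[0] == 0x15)
        return PEER_ALERT;              /* TLS listener that refused us */
    if (p[0] != 0x16 || p[5] != 0x02)   /* need handshake + ServerHello */
        return PEER_NOT_TLS;
    switch (p[2]) {
    case 0x00: return PEER_SSL3;
    case 0x01: return PEER_TLS1_0;
    case 0x02: return PEER_TLS1_1;
    default:   return PEER_TLS1_2;
    }
}

/* Policy from the answer: SSLv2 and SSLv3 disabled, TLS 1.0 and above allowed. */
int acceptable(peer_kind k)
{
    return k == PEER_TLS1_0 || k == PEER_TLS1_1 || k == PEER_TLS1_2;
}

int main(void)
{
    /* Constructed samples: a plaintext HTTP reply and a TLS 1.2 ServerHello header. */
    const unsigned char http[]  = "HTTP/1.1 400 Bad Request";
    const unsigned char tls12[] = { 0x16, 0x03, 0x03, 0x00, 0x51, 0x02, 0x00 };
    printf("http:  %d\n", classify_first_bytes(http, 7));
    printf("tls12: %d\n", classify_first_bytes(tls12, sizeof tls12));
    return 0;
}
```

A `PEER_ALERT` result means a TLS stack is listening but rejected the offered protocol or ciphers, which is a different problem from the plaintext case that the port 80 reproduction shows.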
