Not hacking CurlException: 60 (cURL SSL Certificate Verification)
The error that a lot of people get with Facebook authentication is:
CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
And the only information I can find about it suggests adding the following lines of code to curl:
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
I know this works, but what is going on here? Aren't there any server settings/configuration that can be changed instead of hacking up facebook.php?
The following code tells cURL to NOT verify that security certificates are correct. Hence, the error disappears.
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
When you connect to a remote server with SSL, their certificate might be invalid, expired, or not signed by a recognized CA. cURL normally checks it.
CURLOPT_SSL_VERIFYHOST:
CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
To verify correctly, we need to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonably* trust.
If the remote resource is protected by a certificate issued by one of the main CAs like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle which you can get from http://curl.haxx.se/docs/caextract.html
Save the file cacert.pem somewhere in your server and set the following options in your script.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.
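The steps in the answer above, put together as an added example (not code from the original posts or from the Facebook SDK). It assumes PHP 7.1+ with the curl and openssl extensions; the function names, file paths and URL are hypothetical placeholders.

```php
<?php
/** Build a bundle: Mozilla's cacert.pem plus one extra (e.g. self-signed) PEM certificate. */
function build_ca_bundle(string $cacertPath, string $extraPemPath, string $outPath): void
{
    $base  = file_get_contents($cacertPath);
    $extra = file_get_contents($extraPemPath);
    if ($base === false || $extra === false) {
        throw new RuntimeException('Cannot read CA bundle or extra certificate');
    }
    // Refuse to append anything that does not parse as an X.509 certificate.
    if (openssl_x509_read($extra) === false) {
        throw new RuntimeException("$extraPemPath is not a PEM certificate");
    }
    if (file_put_contents($outPath, rtrim($base) . "\n" . trim($extra) . "\n") === false) {
        throw new RuntimeException("Cannot write $outPath");
    }
}

/** GET $url with peer and host verification on; throws instead of silently downgrading. */
function fetch_verified(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // check the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate name must match the host
        CURLOPT_CAINFO         => $caBundle,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $msg   = curl_error($ch);
        // 60 is the code from the error discussed above: the chain did not verify.
        $hint = ($errno === 60) ? ' (update or extend the CA bundle; do not disable verification)' : '';
        throw new RuntimeException("cURL error $errno: $msg$hint");
    }
    return $body;
}

// Usage with placeholder values (constructed, not from the page):
// build_ca_bundle('/etc/ssl/cacert.pem', '/etc/ssl/internal.pem', '/etc/ssl/bundle.pem');
// echo strlen(fetch_verified('https://example.com/', '/etc/ssl/bundle.pem'));
```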
In my case, I could not use curl_setopt, because I could not edit Facebook API classes (conditions of the project I was working in).
I solved the problem by adding the path to cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html to my php.ini
[curl]
curl.cainfo = "c:\wamp\cacert.pem"
I just had the same problem, and disabling peer verification is not acceptable in my case. I updated the fa_ca_chain_bundle.crt file (from Facebook's GitHub) and it works now.
Regards, Marek