[英]PayPal cURL options (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST) issue
I've got a piece of code from the PayPal site: 我从PayPal网站获得了一段代码:
// turning off the server and peer verification(TrustManager Concept).
// really paypal??? why not just include a recent cert???
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
As you can see in my comment I'm wondering why on earth paypal would disable those options. 正如你在我的评论中所看到的,我想知道为什么在地球上贝宝会禁用这些选项。
I know (from previous headaches :) ) that on Windows cURL uses an outdated certs file. 我知道(从以前的头痛:))在Windows上,cURL使用过时的证书文件。
But I have a newer certs file on my server which I could just use: 但是我的服务器上有一个更新的certs文件,我可以使用它:
curl_setopt($ch, CURLOPT_CAINFO, 'E:\path\to\curl-ca-bundle.crt');
So why would PayPal 'recommend' disabling it if all it takes is use another (newer) certs file. 那么为什么PayPal会“推荐”禁用它,如果只需要使用另一个(更新的)证书文件。
Wouldn't that be safer? 那不是更安全吗?
Or am I missing something (I'm pretty sure PayPal has enough money for a valid certificate :p )? 或者我错过了一些东西(我很确定PayPal有足够的钱购买有效证书:p)?
Yes, it would be much safer to make sure clients use an updated CA cert bundle. 是的,确保客户端使用更新的CA证书捆绑包会更安全。 (Which this question is about, they already have a certificate.)
(这个问题是关于,他们已经有了证书。)
One reason could be that it prevents support headaches, with people running the script on their $1 / year shared hosting boxes, running into issues, etc. 一个原因可能是它可以防止支持头痛,人们在1美元/年的共享主机盒上运行脚本,遇到问题等。
Best practice? 最佳实践? No. But someone with a bit more knowledge beside ctrl+c ctrl+v will be able to set it up properly.
没有。但是除了ctrl + c ctrl + v之外有更多知识的人将能够正确设置它。
edit: our current sample code forces VERIFYPEER and VERIFYHOST. 编辑:我们当前的示例代码强制VERIFYPEER和VERIFYHOST。 Keep this in mind if you run into any SSL handshake errors, as you may need to point to a root cert file copy.
如果遇到任何SSL握手错误,请记住这一点,因为您可能需要指向根证书文件副本。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.