Are the .pem files in the certs folder installed by perl-IO-Socket-SSL on Linux of any use?

After installation, Fedora's perl-IO-Socket-SSL package places a certs folder under the doc directory. Are the .pem and other files in this folder of any use?

rpm -ql perl-IO-Socket-SSL:
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/client-cert.pem
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/client-key.enc
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/client-key.pem
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/my-ca.pem
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/proxyca.pem
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/server-cert.pem
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/server-key.enc
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/server-key.pem
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/server-rsa384-dh.pem
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/server-wildcard.pem
/usr/share/doc/perl-IO-Socket-SSL-1.94/certs/test-ca.pem

Are these files, including the .pem ones, of any use, and can they be deleted?

My understanding is that they are provided for user reference only and have no actual functional role. Is that right?
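A check worth running before relying on an answer here, as an added example that is not from the question or from the IO::Socket::SSL project: the certs/ files are example material shipped in a documentation directory, so any private key in them is effectively public, and the CA certificates among them must never end up in the system trust bundle. The script below parses PEM files (including the header lines of an encrypted key such as client-key.enc), fingerprints the certificate blocks, lists which doc files carry private keys, and reports any doc certificate that also appears in a trust bundle. The PEM bodies in the sample data are constructed placeholders, not real certificates; the doc directory and bundle paths are command-line arguments.

```python
"""Audit a package's doc-directory certs/ folder (e.g. the perl-IO-Socket-SSL
one) against a CA trust bundle: which files hold private keys, and whether any
of the example certificates has been added to the trusted set."""
import base64
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
PEM_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Parse every PEM block in text into (label, DER bytes).

    Handles bundles holding several blocks, and skips the 'Proc-Type:' /
    'DEK-Info:' header lines that encrypted key files carry.
    """
    blocks: List[Tuple[str, bytes]] = []
    label = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:
            m = PEM_BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            continue
        m = PEM_END.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError(f"mismatched PEM block: {label} / {m.group(1)}")
            blocks.append((label, base64.b64decode("".join(body), validate=True)))
            label = None
        elif line and ":" not in line:  # blank lines and 'Key: value' headers are not body
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated PEM block: {label}")
    return blocks


def cert_fingerprints(text: str) -> List[str]:
    """SHA-256 fingerprints (hex) of the CERTIFICATE blocks in text, in order."""
    return [hashlib.sha256(der).hexdigest()
            for label, der in pem_blocks(text) if label == "CERTIFICATE"]


def private_key_files(doc_files: Dict[str, str]) -> List[str]:
    """Names of doc files that contain any kind of private key block."""
    return sorted(name for name, text in doc_files.items()
                  if any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(text)))


def doc_certs_in_bundle(doc_files: Dict[str, str], bundle_text: str) -> Dict[str, List[str]]:
    """Map doc file name -> fingerprints of its certificates that are also in the bundle.

    A non-empty result means a publicly known example certificate is trusted
    by the system and should be removed from the bundle.
    """
    trusted = set(cert_fingerprints(bundle_text))
    found: Dict[str, List[str]] = {}
    for name, text in doc_files.items():
        hits = [fp for fp in cert_fingerprints(text) if fp in trusted]
        if hits:
            found[name] = hits
    return found


def load_doc_dir(path: str) -> Dict[str, str]:
    """Read every regular file in a certs/ doc directory, keyed by file name."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


def _fake_pem(label: str, payload: bytes, headers: str = "") -> str:
    """PEM framing around constructed bytes: NOT a real certificate or key."""
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}-----END {label}-----\n"


# Constructed sample input mirroring the file names from the question.
SAMPLE_DOC_FILES = {
    "my-ca.pem": _fake_pem("CERTIFICATE", b"constructed doc CA #1"),
    "server-cert.pem": _fake_pem("CERTIFICATE", b"constructed doc server cert"),
    "server-key.pem": _fake_pem("RSA PRIVATE KEY", b"constructed doc server key"),
    "client-key.enc": _fake_pem("RSA PRIVATE KEY", b"constructed encrypted key",
                                "Proc-Type: 4,ENCRYPTED\n"
                                "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"),
}
# Constructed bundle in which the doc CA has (wrongly) been added after a real root.
SAMPLE_BUNDLE = (_fake_pem("CERTIFICATE", b"constructed real root CA")
                 + _fake_pem("CERTIFICATE", b"constructed doc CA #1"))

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py <certs-doc-dir> <ca-bundle.pem>
        docs, bundle = load_doc_dir(sys.argv[1]), Path(sys.argv[2]).read_text()
    else:
        docs, bundle = SAMPLE_DOC_FILES, SAMPLE_BUNDLE
    print("files containing private keys:", private_key_files(docs))
    print("doc certificates present in trust bundle:", doc_certs_in_bundle(docs, bundle))
```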

1 answer

qq_40268952
I have read that web page. Is that its only purpose? I want to know why the certs files are packaged at all.
9 months ago
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
其他相关推荐
perl-IO-Socket-SSL tar包certs文件夹里面.pem文件的作用

Fedora把IO-Socket-SSL源码包里面的certs文件夹打包的目的是什么? 尝试过删除,好像也没问题

卷曲错误77:错误设置证书验证位置:CAfile:/etc/ssl/certs/ca-certificates.crt

<div class="post-text" itemprop="text"> <p>We have laravel 5.5 running with PHP 7.2. We're getting above error on one of the Prod Server. The strange thing is that we're getting this error at random time. Most of the times, it's working. </p> <p>However, when it stopped working, we have to run <strong>php artisan cache:clear</strong> in order to make it work again. </p> <p>It does not look like SSL cert issue as most of the times, it's working. </p> <p>Appreciate any help. Thanks in advance.</p> </div>

io.emit工作正常,socket.emit在socket.io和node.js聊天应用程序中不起作用

<div class="post-text" itemprop="text"> <p>I've setup a very simple chat application using node.js and socket.io. Everything works fine when the server broadcasts via io.emit (clients receiving data), but when switching to socket.emit, the originating client does not receive any data. I'm using CodeIgniter for the framework and using the form to post data to a MySQL DB, which works fine as well. The only problem is the socket.emit not working as expected. Below is my code:</p> <p>I've already tried with all possible emit functions provided by the socket.io documentation and went through all the related pages on SO, but nothing works. I've also re-installed socket.io on my ubuntu server, but nothing changes</p> <pre><code>//Server.js code: var fs = require('fs'); var app = require('express')(); var options = {key: fs.readFileSync('/etc/ssl/private/private.pem'), cert: fs.readFileSync('/etc/ssl/certs/public.pem')}; var server = require('https').Server(options, app); var io = require('socket.io').listen(server); server.listen(3000, function () { console.log("service running on port 3000"); }); io.sockets.on('connect', function (socket) { console.log('client id '+socket.id+' connected'); socket.on('join', function (data) { var room_no = 'room'+data.room; socket.join(room_no); console.log('joined room no.:', data.room); }); socket.on('disconnect', function(){ console.log("client "+socket.id+" disconnected"); }); socket.on('send message', function(post) { socket.emit('privatemsg', post); console.log('sending message "'+post.message+'" to:'+socket.id); }); socket.on('error', function (err) { console.log(err); }); }); //Client code (codeigniter): &lt;?php $this-&gt;load-&gt;view('templates/headers/main_header', $title); ?&gt; &lt;div class="container"&gt; &lt;div class="row"&gt; &lt;div class="pull-left"&gt; &lt;h3&gt;&lt;?php echo $page-&gt;title; ?&gt;&lt;/h3&gt; &lt;/div&gt; &lt;/div&gt; &lt;?php echo form_open('user/sendmsg', array 
('name'=&gt;'message','method'=&gt;'post')); ?&gt; &lt;div class="container"&gt; &lt;div class="col-md-3"&gt; &lt;p&gt; &lt;input type="text" placeholder="Type Here..." class="form-control" size="20px" id="message" name="message" /&gt; &lt;/p&gt; &lt;input type="hidden" id="conversation_id" name="conversation_id" value="1" /&gt; &lt;/div&gt; &lt;div class="col-md-3"&gt; &lt;input type="button"class="btn btn- primary"id="send"name="send"value="Send"/&gt; &lt;/div&gt; &lt;div class="col-md-3"&gt;&lt;/div&gt; &lt;div class="col-md-3"&gt;&lt;/div&gt; &lt;table class="table"&gt; &lt;thead&gt; &lt;tr&gt; &lt;th&gt;Date&lt;/th&gt; &lt;th&gt;From&lt;/th&gt; &lt;th&gt;Message&lt;/th&gt; &lt;/tr&gt; &lt;/thead&gt; &lt;tbody id="message-tbody"&gt; &lt;?php foreach($allMsgs as $row) { ?&gt; &lt;tr&gt;&lt;td&gt;&lt;?php echo $row['msgtime']; ?&gt;&lt;/td&gt;&lt;td&gt;&lt;?php echo $row ['user2']; ?&gt;&lt;/td&gt;&lt;td&gt;&lt;?php echo $row['message']; ?&gt;&lt;/td&gt;&lt;/tr&gt; &lt;?php } ?&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;/div&gt; &lt;?php echo form_close();?&gt; &lt;script src="&lt;?php echo base_url('js/jquery-3.3.1.min.js');?&gt;"&gt;&lt;/script&gt; &lt;script src="&lt;?php echo base_url('chatjs/node_modules/socket.io- client/dist/socket.io.js');?&gt;"&gt;&lt;/script&gt; &lt;script&gt; $(document).ready(function(){ $(document).on("click","#send",function() { var dataString = { message : $("#message").val(), conversation_id:$("#conversation_id").val() }; $.ajax({ type: "POST", url: "&lt;?php echo base_url('user/sendmsg');?&gt;", data: dataString, dataType: "json", cache : false, success: function(data){ if(data.success ==true){ console.log("data:"+JSON.stringify(data)); var socket = io.connect ( 'https://'+window.location.hostname+':3000' ); socket.emit('send message', { message: data.message, date: data.date, user2: data.user2 }); console.log("socket msg sent") } } ,error: function(xhr, status, error) { console.log(error); }, }); }); }); var socket = io.connect( 
'https://'+window.location.hostname+':3000', {secure: true}); socket.on('connect', function(socket) { console.log('client connected'); }); socket.on('error', function (err) { console.log(err); }); socket.on('privatemsg', function(msg) { console.log("data received:"+JSON.stringify(msg)); $("#message-tbody").prepend ('&lt;tr&gt;&lt;td&gt;'+msg.date+'&lt;/td&gt;&lt;td&gt;'+msg.user2+'&lt;/td&gt;&lt;td&gt;'+msg.message+'&lt;/td&gt;&lt;/tr &gt;'); }); &lt;/script&gt; &lt;/div&gt; &lt;?php $this-&gt;load-&gt;view('templates/footers/main_footer'); ?&gt; //node.js console.log: // root@localhost:/var/www/html/chatjs# node server.js // service running on port 3000 // client id nK5BmZwg0mQQWzv6AAAA connected // client id qpKyI2WTRXL60EoqAAAB connected // sending message "test444" to:qpKyI2WTRXL60EoqAAAB$ //Client (Chrome) console.log: // ial.js:3219 registerEventsMessage called // ial.js:4459 ready: before call parse for last time &gt; Object // client connected // uchat:240 msg:{"message":"test444","conversation_id":"1"} // uchat:250 data: {"message":"test444","conversation_id":"1","date":"2019-06-05 10:10:10","user1":2,"user2":3,"status":1,"success":true} // uchat:257 socket msg sent </code></pre> </div>

如何在Linux上使用Go指定自定义SSL根

<div class="post-text" itemprop="text"> <p>Suppose I'm using a third party network library that I don't want to modify. It uses the standard <code>http.Request</code> interface to make some HTTPS requests.</p> <p>I'm running it on an embedded Linux instance that doesn't have a certificate roots installed, and the only directory I can access is <code>/data</code>. This means you get the error:</p> <pre><code>Get https://example.com/: x509: failed to load system roots and no roots provided </code></pre> <p>Is there any way to actually <em>provide</em> roots? As far as I can tell <a href="https://golang.org/src/crypto/x509/root_linux.go" rel="nofollow">Go looks in these directories for X509 certificate roots</a> (<a href="https://golang.org/src/crypto/x509/root_unix.go" rel="nofollow">see also</a>):</p> <pre><code>var certFiles = []string{ "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc. "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL "/etc/ssl/ca-bundle.pem", // OpenSUSE "/etc/pki/tls/cacert.pem", // OpenELEC } var certDirectories = []string{ "/system/etc/security/cacerts", // Android } </code></pre> <p>As I said, I don't have access to those, and the <a href="https://golang.org/src/crypto/x509/root.go" rel="nofollow">root pool seems to be private</a> so you can't append to it:</p> <pre><code>var ( once sync.Once systemRoots *CertPool ) func systemRootsPool() *CertPool { once.Do(initSystemRoots) return systemRoots } </code></pre> <p>Is this just impossible with Go?</p> </div>

Godaddy ssl证书已通过链问题的A级认证-包含锚点

<div class="post-text" itemprop="text"> <p>:)</p> <p>I'm using GoLang to start an https server.</p> <p>according to <a href="https://www.ssllabs.com/ssltest" rel="nofollow noreferrer">https://www.ssllabs.com/ssltest</a> my certificate configuration is Grade A with the warning <code>Chain issues - Contains anchor</code>.</p> <p>In my previous post (<a href="https://stackoverflow.com/questions/38170775/golang-with-http-ssl-godaddys-certificate-this-servers-certificate-chain-is">GoLang with http ssl GoDaddy's certificate - This server's certificate chain is incomplete.</a>), @VonC helped me for the second time and also alerted me of that warning. </p> <p>I tried everything I could think of and couldn't resolve the issue. GoDaddy as a repository of certs and I tried to download gdroot-g2.crt and configure it as <code>RootCAs</code>, I tried download the intermindate certificate named gdig2.crt and configured it as <code>ClientCAs</code>, but the results are the same.</p> <p>what am I missing ?</p> <p>for full code please view my previous stack overflow post at <a href="https://stackoverflow.com/questions/38170775/golang-with-http-ssl-godaddys-certificate-this-servers-certificate-chain-is">GoLang with http ssl GoDaddy's certificate - This server's certificate chain is incomplete.</a>.</p> </div>

PHP stream_socket_client():无法连接到https

<div class="post-text" itemprop="text"> <p>I've just noticed the new vulnerability discovered in Wordpress and I'm trying to fix it with the following code (but with any success</p> <pre><code>&lt;?php $url = 'https://mywebip/wp-login.php?action=lostpassword'; $data = 'user_login=admin&amp;redirect_to=&amp;wp-submit=Get+New+Password'; // use key 'http' even if you send the request to https://... $options = array( 'http' =&gt; array( 'header' =&gt; "Host: mailserver Content-Type: application/x-www-form-urlencoded Content-Length: ". strlen($data) ." ", 'method' =&gt; 'POST', 'content' =&gt; $data, 'ssl'=&gt;array('verify_peer'=&gt;true, 'capath'=&gt;'/etc/ssl/certs') ) ); $context = stream_context_create($options); //$result = file_get_contents($url, false, $context); $fp = stream_socket_client($url, $errno, $errstr, 30); //stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_SSLv23_CLIENT); $fp = fopen($url, 'r', false, $context); if ($fp === FALSE) { /* Handle error */ } var_dump($result); ?&gt; </code></pre> <p>The error log I got is just like this:</p> <pre><code>PHP Warning: stream_socket_client(): unable to connect to https://mywebip/wp-login.php?action=lostpassword (Unable to find the socket transport "https" - did you forget to enable it when you configured PHP?) in /home/jorge/Escritorio/joomla.php on line 18 PHP Warning: fopen(): Peer certificate CN=`website` did not match expected CN=`mywebip' in /home/jorge/Escritorio/joomla.php on line 21 PHP Warning: fopen(): Failed to enable crypto in /home/jorge/Escritorio/joomla.php on line 21 PHP Warning: fopen(https://mywebip/wp-login.php?action=lostpassword): failed to open stream: operation failed in /home/jorge/Escritorio/joomla.php on line 21 </code></pre> <p>Where <code>mywebip</code> represents the actual ip that hosts my website and <code>website</code> and <code>mailserver</code> the DNS directions of the services.</p> <p>Thank you.</p> </div>

Cakephp 3 - 通过SSL连接MySQL

<div class="post-text" itemprop="text"> <p>i have a question about connecting to a mySQL-Server via SSL with CakePHP 3. I know that's maybe more a PHP question but I just write here the framework which I use. </p> <p>So I setup a remote mysql server and wanted to connect CakePHP with it. Unfortunately I got the MySQL-error:</p> <pre><code>SQLSTATE[HY000] [3159] Connections using insecure transport are prohibited while --require_secure_transport=ON. </code></pre> <p>Cause I configure the server only allow secure connection. After that I searched through the Cakephp documentation about secure connection and found the ssl certificate. Here's my setup:</p> <p><strong>config.php</strong></p> <pre><code>'Datasources' =&gt; [ 'default' =&gt; [ 'className' =&gt; 'Cake\Database\Connection', 'driver' =&gt; 'Cake\Database\Driver\Mysql', 'persistent' =&gt; false, 'host' =&gt; 'remote-ip', /** * CakePHP will use the default DB port based on the driver selected * MySQL on MAMP uses port 8889, MAMP users will want to uncomment * the following line and set the port accordingly */ //'port' =&gt; 'non_standard_port_number', 'username' =&gt; 'my_user', 'password' =&gt; 'my_password', 'database' =&gt; 'my_database', 'encoding' =&gt; 'utf8', 'timezone' =&gt; 'UTC', 'flags' =&gt; [], 'cacheMetadata' =&gt; true, 'ssl_key' =&gt; '/home/my-user/client-ssl/client-key.pem', 'ssl_cert' =&gt; '/home/my-user/client-ssl/client-cert.pem', 'ssl_ca' =&gt; '/home/my-user/client-ssl/ca.pem', 'log' =&gt; false, </code></pre> <p>Unfortunately I just got the following error:</p> <pre><code>SQLSTATE[HY000] [2002] </code></pre> <p>As far as I know everything should be setup correctly with the certificate cause I can use the terminal and sequel to login with the certs like so:</p> <pre><code>mysql -u my_user -h remote_ip -p --ssl-ca=~/client-ssl/ca.pem --ssl-cert=~/client-ssl/client-cert.pem --ssl-key=~/client-ssl/client-key.pem </code></pre> <p>If I try some raw php like this (of course with my 
informations):</p> <pre><code>&lt;?php ini_set ('error_reporting', E_ALL); ini_set ('display_errors', '1'); error_reporting (E_ALL|E_STRICT); $db = mysqli_init(); mysqli_options ($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true); $db-&gt;ssl_set('/etc/mysql/ssl/client-key.pem', '/etc/mysql/ssl/client-cert.pem', '/etc/mysql/ssl/ca-cert.pem', NULL, NULL); $link = mysqli_real_connect ($db, 'ip', 'user', 'pass', 'db', 3306, NULL, MYSQLI_CLIENT_SSL); if (!$link) { die ('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error() . " "); } else { $res = $db-&gt;query('SHOW TABLES;'); print_r ($res); $db-&gt;close(); } ?&gt; </code></pre> <p>I got:</p> <blockquote> <p>PHP Warning: mysqli_real_connect(): Peer certificate CN=<code>MySQL_Server_5.7.20_Auto_Generated_Server_Certificate' did not match expected CN=</code>remote_ip'</p> </blockquote> <p>So my question is now. Does someone has similiar problems or can help me with the certificate? (I use ubuntu 16, php 7) Or is there another way to solve the "Connections using insecure transport ..."-error?</p> </div>

curl的SSL写入错误

<div class="post-text" itemprop="text"> <p>I tried to connect with curl using php-curl and curl in command line but I receive following errors:</p> <p>PHP Script:</p> <pre><code>$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'https://example.com/'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,2); $page = curl_exec($ch); echo 'Curl error: ' . curl_error($ch); curl_close($ch); </code></pre> <p>ERROR:</p> <pre><code>Curl error: SSL read: errno -5938 </code></pre> <p>Command Line:</p> <pre><code>curl -v https://example.com * About to connect() to example.com port 443 (#0) * Trying IP_ADDRESS... connected * Connected to example.com (IP_ADDRESS) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -12286 * Error in TLS handshake, trying SSLv3... * SSL write: error -5938 * Failed sending HTTP request * Connection #0 to host example.com left intact curl: (55) SSL write: error -5938 * Closing connection #0 </code></pre> <p>couldn't find any explanation of those errors anywhere. 
</p> <pre><code>curl --version curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz openssl version -a OpenSSL 1.0.1e-fips 11 Feb 2013 built on: Mon Jun 15 18:29:40 UTC 2015 platform: linux-x86_64 options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/etc/pki/tls" engines: rdrand dynamic </code></pre> </div>

运行PHP的单个EC2 Linux实例上的SSL:“连接被拒绝”错误

<div class="post-text" itemprop="text"> <p>I'm trying to enable SSL on a single EC2 Linux instance running PHP but I get a "connection refused" error.</p> <p>I followed these instructions to enable SSL: <a href="http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSL.SingleInstance.html" rel="nofollow">http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSL.SingleInstance.html</a></p> <p>And in step 4, I completed the steps to create a .config file (I made sure indentation was correct) and place it inside the .ebextensions folder: <a href="http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/ssl-singleinstance-php.html" rel="nofollow">http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/ssl-singleinstance-php.html</a></p> <p>Also, I created a new Security Group for HTTPS (Inbound HTTPS | TCP | 443 | 0.0.0.0/0).</p> <p>After committing the change, I went ahead and deployed using aws.push. The deployment was successful (no errors). However, I see a "refused connection" error when trying to load my instance both on http and https.</p> <p>In order to see if I could revert this situation, I removed the .config file and redeployed, but I still see the error, the site is not accessible at the moment.</p> <p>Any ideas of what I may be doing wrong? I read the answers that were given in similar questions, but I can't find a solution to this issue. 
I'm also wondering how I can revert the configuration to bring the site back.</p> <p>Here's my config file:</p> <pre><code>Resources: sslSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]} IpProtocol: tcp ToPort: 443 FromPort: 443 CidrIp: 0.0.0.0/0 packages: yum: mod24_ssl : [] files: /etc/httpd/conf.d/ssl.conf: mode: "000644" owner: root group: root content: | LoadModule ssl_module modules/mod_ssl.so Listen 443 &lt;VirtualHost *:443&gt; &lt;Proxy *&gt; Order deny,allow Allow from all &lt;/Proxy&gt; SSLEngine on SSLCertificateFile "/etc/pki/tls/certs/server.crt" SSLCertificateKeyFile "/etc/pki/tls/certs/server.key" SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLSessionTickets Off Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff ProxyPass / http://localhost:80/ retry=0 ProxyPassReverse / http://localhost:80/ ProxyPreserveHost on RequestHeader set X-Forwarded-Proto "https" early LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" ErrorLog /var/log/httpd/elasticbeanstalk-error_log TransferLog /var/log/httpd/elasticbeanstalk-access_log &lt;/VirtualHost&gt; /etc/pki/tls/certs/server.crt: mode: "000400" owner: root group: root content: | -----BEGIN CERTIFICATE----- mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate 
mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate mycertificateheremycertificateheremycertificateheremycertificate -----END CERTIFICATE----- /etc/pki/tls/certs/server.key: mode: "000400" owner: root group: root content: | -----BEGIN RSA PRIVATE KEY----- myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr 
myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr -----END RSA PRIVATE KEY----- </code></pre> </div>

PHP / Swoole Http Server - 如何动态加载ssl?

<div class="post-text" itemprop="text"> <p>I need load different ssl certificates on the fly, on process request. I try do it like in code below, but server still loading cert1 certificate on handling request, not cert2 as I trying to do in code.</p> <p>How can I dynamically reload different certificates on the fly? Is it possible?</p> <p>Code example: </p> <p></p><div class="snippet" data-lang="js" data-hide="false" data-console="true" data-babel="false"> <div class="snippet-code"> <pre class="snippet-code-js lang-js prettyprint-override"><code>&lt;?php require 'vendor/autoload.php'; $server = new swoole_http_server("192.168.10.10", 443, SWOOLE_BASE, SWOOLE_SOCK_TCP | SWOOLE_SSL); // setup the location of ssl cert files and key files $ssl_dir = __DIR__.'/ssl_certs'; $server-&gt;set([ 'max_conn' =&gt; 500, 'daemonize' =&gt; false, 'dispatch_mode' =&gt; 2, 'buffer_output_size' =&gt; 2 * 1024 * 1024, 'ssl_cert_file' =&gt; $ssl_dir . '/cert1.local.crt', 'ssl_key_file' =&gt; $ssl_dir . '/cert1.local.key', 'open_http2_protocol' =&gt; true, // Enable HTTP2 protocol ]); $server-&gt;on('request', function ($request, $response) use ($server) { $server-&gt;set([ 'ssl_cert_file' =&gt; $ssl_dir . '/cert2.local.crt', 'ssl_key_file' =&gt; $ssl_dir . '/cert2.local.key', ]); $response-&gt;end("&lt;h1&gt;Hello World. #".rand(1000, 9999)."&lt;/h1&gt;"); }); $server-&gt;start();</code></pre> </div> </div> </div>

Mac上的Docker背后的代理更改了SSL证书

<div class="post-text" itemprop="text"> <p><strong>My eventual workaround for the issue below was to convince our IT guys not to man-in-the-middle the dockerhub registry. I was not able to get anything else to work, alas.</strong></p> <p>I am running into a problem with my initial attempt to get Docker running on my Mac at work, which is running 10.8.5. It appears that my company's certificate-rewriting proxy seems to be getting in the way of fetching images:</p> <pre><code>orflongpmacx8:docker pohl_longsine$ docker run hello-world Unable to find image 'hello-world:latest' locally Pulling repository hello-world FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth") </code></pre> <p>(Indeed, when I log onto the guest wireless – which does not have the meddlesome proxy – I can get past this step. However, I need to figure out how to make this work through the proxy since using the guest wireless is untenable as a long-term solution.)</p> <p>My issue, on the surface, appears to be very much like the one answered in <a href="https://stackoverflow.com/questions/20267339/docker-behind-proxy-that-changes-ssl-certificate">this question</a>. However, the accepted answer in that question does not work for me, since the <a href="http://golang.org/src/pkg/crypto/x509/root_unix.go" rel="nofollow noreferrer">root_unix.go</a> file they discuss does not get invoked on a Mac. 
(From browsing around, I would guess that <a href="http://golang.org/src/crypto/x509/root_cgo_darwin.go" rel="nofollow noreferrer">root_cgo_darwin.go</a> and/or <a href="http://golang.org/src/crypto/x509/root_darwin.go" rel="nofollow noreferrer">root_darwin.go</a> would be involved instead.)</p> <p>That doesn't really tell me how, operationally, I need to do the equivalent work of installing some sort of trusted certificate. I managed to get my hands on a <code>*.cer</code> file that I believe to be the one that I need, but I'm at a loss as to what to do with it.</p> <p>I'm hoping that someone can point me in the right direction.</p> <p><strong>Edit:</strong> I thought that maybe I needed to to something akin to what <a href="https://derflounder.wordpress.com/2011/03/13/adding-new-trusted-root-certificates-to-system-keychain/" rel="nofollow noreferrer">this page suggests</a>, to add the certificate. Alas, my attempt at following those instructions failed in the following way:</p> <pre><code>orflongpmacx8:docker pohl_longsine$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Desktop/Certs/redacted.cer" Password: ***Error reading file ~/Desktop/Certs/redacted.cer*** Error reading file ~/Desktop/Certs/redacted.cer </code></pre> <p>Edit 2: I may have come one step closer to solving this. I should have known better to use a path with a tilde inside quotation marks. If I use an absolute path instead, I can successfully run the above command to add certs.</p> <p>Alas, this did not alleviate the ultimate symptom:</p> <pre><code>FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth") </code></pre> </div>

[SMTP:无法连接套接字:fsockopen():无法连接到ssl://smtp.gmail.com:465(未知错误)(代码:-1,响应:)

<div class="post-text" itemprop="text"> <p>I have been troubleshooting this issue for the last two months and have gotten no results on how to fix this. I am using PHP 5.6.3 with PEAR 1.10.1, the emailing pages in question worked fine with our 3-party emailing software on our local server only designed to use port 25 for SMTP. Now the PHP pages do reference an XML template that contains all the host, password, and username information. I want to switch to using google email servers with SSL. I implemented the changes provided by my email administrator and change the MX records accordingly. It was functioning properly for two weeks. After that I was getting the following error </p> <p><strong><em>"Failed to connect to ssl://smtp.gmail.com:465 [SMTP: Failed to connect socket: fsockopen(): unable to connect to ssl://smtp.gmail.com:465 (Unknown error) (code: -1, response: )]"</em></strong>.</p> <p>I have changed the code several times, I removed the ssl://, I have changed the protocol type to TLS with the port number 587, etc. Nothing was working! I reached out to the contractor to construct a simple hard-coded page that just said hello world using the gmail server configuration. He refused and made myself make a simple php page, mind you I had zero background in PHP programming until now, so on a side note entirely happy that this was thrown my way, but regardless I did complete the task. I have a page that sends a simple message, using the smtp server with the account desired using the PHPMailer library. 
(See the code below)</p> <pre><code> &lt;?php require_once 'C:\Webpage\PHPMailer-5.2-stable/PHPMailerAutoload.php'; $mail = new PHPMailer(); $mail-&gt;isSMTP(); $mail-&gt;SMTPAuth = true; $mail-&gt;SMTPDebug = SMTP::DEBUG_SERVER; $mail-&gt;SMTPDebug = 4; // 2 to enable SMTP debug information $mail-&gt;Host = 'smtp.gmail.com'; $mail-&gt;Username = 'username@gmail.com'; $mail-&gt;Password = 'XXXXXXXXXXXXXXXXXXX'; $mail-&gt;SMTPSecure ='ssl'; $mail-&gt;Port = 465; /*$mail-&gt;SMTPOptions = array( 'ssl' =&gt; array( 'verify_peer' =&gt; false, 'verify_peer_name' =&gt; false, //'allow_self_signed' =&gt; true ) );*/ $mail-&gt;From = 'XXXXt@abc.com'; $mail-&gt;FromName = 'Example'; $mail-&gt;addReplyTo('testing@abc.com','Example'); $mail-&gt;AddAddress('user1@xyz.com', 'John Doe'); $mail-&gt;Subject = 'Hello World'; $mail-&gt;Body ='A test email!'; $mail-&gt;AltBody = 'A test email!'; if(!$mail-&gt;Send()) { echo "Mailer Error: " . $mail-&gt;ErrorInfo; } else { echo "Message has been sent"; } ?&gt; </code></pre> <p>Now I know this is not using PEAR, but from this I found out some interesting information that I think is related. The code only works if the line with </p> <pre><code> $mail-&gt;SMTPOptions = array( 'ssl' =&gt; array( 'verify_peer' =&gt; false, 'verify_peer_name' =&gt; false, //'allow_self_signed' =&gt; true ) ); </code></pre> <p>is not commented out it works, but when it is commented out, I receive an error regarding this. </p> <pre><code>Connection failed. Error #2: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed [C:\Webpage\PHPMailer-5.2-stable\class.smtp.php line 299] </code></pre> <p>So I googled this error and was lead to the php.ini file to change the openssl.cafile and the openssl.capath values. I entered in the download CA certificates and entered the correct pathway for the values, but still it is not working. 
Am I placing these in the wrong area? Or is there an easier way to fix this issue using the PEAR library? Please any help on this subject will be appreciated!:) </p> <p>UPDATE(02/20/2018):</p> <p>I have downloaded the bundle and set the pathway to it's correct location,<code>curl.cainfo ="C:\OpenSSL-Win64\bin\PEM\cacert.pem"</code>,<code>openssl.cafile="C:\OpenSSL-Win64\bin\PEM\cacert.pem"</code>. I still am getting the error I ran the following check of the ssl locations to see if it was using the <code>php.ini</code> file and got the following.</p> <pre><code> &lt;?php error_reporting(E_ALL); print " If you've got this far without errors then problem is with your SSL config "; $calocns=openssl_get_cert_locations(); if (count($calocns)) { print "Check you've got your cacerts deployed in one of the following locations "; foreach ($calocns as $k=&gt;$v) print "$k = $v "; } else { print "You've not configured your openssl installation on this host "; } $calocns=openssl_get_cert_locations(); //var_dump(openssl_get_cert_locations()); ?&gt; </code></pre> <p>Result:</p> <pre><code> If you've got this far without errors then problem is with your SSL config Check you've got your cacerts deployed in one of the following locations default_cert_file = f: epo\winlibs_openssl_vc11_x86/cert.pem default_cert_file_env = SSL_CERT_FILE default_cert_dir = f: epo\winlibs_openssl_vc11_x86/certs default_cert_dir_env = SSL_CERT_DIR default_private_dir = f: epo\winlibs_openssl_vc11_x86/private default_default_cert_area = f: epo\winlibs_openssl_vc11_x86 ini_cafile = ini_capath = </code></pre> <p>I seem to be doing this wrong or need to know how to change the locations because those locations are not existent on my computer and I don't understand how it goes to those by default when I changed the pathway in the configuration file itself. Any thoughts?</p> </div>

MongoDB connection over SSL: what am I doing wrong?

<div class="post-text" itemprop="text">
<p><strong>Overview:</strong> I have an application server running PHP 7, connecting to a separate database server running MongoDB 3.6.x using the MongoDB PHP userland library. I have firewall rules preventing access to the MongoDB server from all sources except the local and private interfaces (i.e. disallowing public IP access).</p>
<p>Connections via PHP look something like this:</p>
<pre><code>$context_information = array(
    "ssl" =&gt; array(
        "allow_self_signed" =&gt; false,
        "verify_peer"       =&gt; true,
        "verify_peer_name"  =&gt; true,
        "verify_expiry"     =&gt; true,
        "cafile"            =&gt; "/path/to/ca_bundle"
    ));
$context = stream_context_create($context_information);
$connection = new MongoDB\Client(
    $host,
    array('ssl' =&gt; true),
    array('context' =&gt; $context)
);
</code></pre>
<p>My MongoDB configuration looks something like this:</p>
<pre><code>net:
  port: 27017
  bindIp: 127.0.0.1,10.138.196.241
  ssl:
    mode: requireSSL
    PEMKeyFile: /path/to/my_ca_signed_cert
    CAFile: /path/to/my_ca_bundle
</code></pre>
<p><code>my_ca_signed_cert</code> is a <code>.pem</code> file generated using my openssl-generated RSA private key, as well as the CA-provided <code>.crt</code> file, in the manner described in the MongoDB manual, e.g. <code>cat mongodb.key mongodb.crt &gt; mongodb.pem</code>. <code>my_ca_bundle</code> is the <code>.ca-bundle</code> provided to me by the CA.</p>
<p>Additionally, the <code>ca_bundle</code> described in the PHP context is the same <code>.ca-bundle</code> file as in the MongoDB config.</p>
<p><strong>Problem:</strong> I continue to receive the following error:</p>
<blockquote>
<p>[23-Jul-2018 16:33:33 America/Los_Angeles] PHP Fatal error: Uncaught MongoDB\Driver\Exception\ConnectionTimeoutException: No suitable servers found (<code>serverSelectionTryOnce</code> set): [TLS handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed calling ismaster on. . .</p>
</blockquote>
<p>This issue persists even if I comment out the <code>CAFile</code> line for the MongoDB config. Also of note is that I can connect successfully when setting <code>allow_self_signed</code> to <code>true</code> if <code>CAFile</code> is commented out, but not when it's left uncommented.</p>
<p>Finally, when attempting to connect via the MongoDB shell, I get the following error:</p>
<blockquote>
<p>2018-07-23T23:37:02.992+0000 E NETWORK [thread1] SSL peer certificate validation failed: unable to get issuer certificate</p>
<p>2018-07-23T23:37:02.992+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: unable to get issuer certificate :</p>
<p>connect@src/mongo/shell/mongo.js:251:13</p>
<p>@(connect):1:6</p>
<p>exception: connect failed</p>
</blockquote>
<p><strong>Expected Behavior:</strong> I don't want to use client certificate authentication for connecting to the database. All I want at present is for traffic to be encrypted. This means being able to connect to the database without allowing self-signed certificates.</p>
<p><strong>Notes:</strong></p>
<ol>
<li><p>I have a cert set up successfully on the application server for HTTPS connectivity. Additionally, when testing the cert referenced in this question itself, I've successfully run verification on the files using <code>openssl verify -CAfile /path/to/my_ca_bundle /path/to/my_ca_signed_cert</code>.</p></li>
<li><p>Everything in my application code works when SSL is disabled or when enabled while allowing self-signed certs.</p></li>
</ol>
<p>The documentation on all of this is incredibly vague on a number of points, so I'm not sure where my configuration is going wrong. What should I be looking into to resolve this problem?</p>
</div>

Cannot connect to an external SSL Postgres database from Debian (certificate permission error)

<div class="post-text" itemprop="text">
<h1>Problem</h1>
<h3>Script Example</h3>
<pre><code>&lt;?php
// define constants
define('DB_HOST', '1.1.1.1');
define('DB_USER', 'usr');
define('DB_PASS', 'pw');
define('DB_NAME', 'db');
define('DB_PORT', '5432');

// connection string with SSL certificate files
$conn_str  = 'host=' . DB_HOST . ' ';
$conn_str .= 'port=' . DB_PORT . ' ';
$conn_str .= 'dbname=' . DB_NAME . ' ';
$conn_str .= 'user=' . DB_USER . ' ';
$conn_str .= 'password=' . DB_PASS . ' ';
$conn_str .= 'sslmode=verify-full ';
$conn_str .= 'sslcert=etc/apache/ssl/postgresql.crt ';
$conn_str .= 'sslkey=etc/apache/ssl/postgresql.key ';
$conn_str .= 'sslrootcert=etc/apache/ssl/root.key ';

// attempt connection
$conn = pg_connect($conn_str) or die('Cannot connect to database.');

// set sql string
$sql = 'SELECT * FROM locations;';

// query and iterate results
if ($result = pg_query($conn, $sql)) {
    while ($row = pg_fetch_row($result)) {
        var_dump($row);
    }
}

// close it up
pg_close();
?&gt;
</code></pre>
<p>I am able to connect to an external SSL Postgres Database using xampp and PHP, but when I try it on my debian linux server, I am unable to establish a connection.</p>
<p>I suspect it is a pathing issue or permissions. I placed my certs in /var/www/html and /etc/ssl but neither path on my production server works. In xampp, I just specify c:/xampp/htdocs/certs.key/.crt and they work fine.</p>
<p>What could be causing the issue on my production server?</p>
<h1><strong>Solution</strong> (Partial)</h1>
<p>Since pg_last_error() and pg_errormessage() do not return errors for connection attempts, I had to create a custom exception handler. I attached the custom exception handler and finally got the error:</p>
<pre><code>"pg_connect(): Unable to connect to PostgreSQL server: private key file "/etc/apache2/ssl/postgresql.key" has group or world access; permissions should be u=rw (0600) or less"
</code></pre>
<p>Next I attempted to CHMOD the key/crt</p>
<pre><code>sudo chmod 0600 /etc/apache2/ssl/postgresql.crt
sudo chmod 0600 /etc/apache2/ssl/postgresql.key
</code></pre>
<p>This gave me the error</p>
<pre><code>pg_connect(): Unable to connect to PostgreSQL server: could not read certificate file "/etc/apache2/ssl/postgresql.crt": Permission denied
</code></pre>
<p>Using the linux command 'ls -la', I noticed I was the owner, so I chown'd.</p>
<pre><code>chown root:root /etc/apache2/ssl/postgresql.crt
chown root:root /etc/apache2/ssl/postgresql.key
</code></pre>
<p>OK, that didn't work, so I added to my PHP script</p>
<pre><code>echo exec('whoami');
</code></pre>
<p>That output 'www-data', so I entered</p>
<pre><code>sudo chown -R www-data:www-data /etc/ssl/
chmod 700 /etc/ssl/
</code></pre>
<p>Finally it worked! Not sure about the safety of this, but this is my temporary solution.</p>
<h1>Final Script</h1>
<pre><code>&lt;?php
// Create a custom exception error handler for pg_connect
function exception_error_handler($errno, $errstr, $errfile, $errline) {
    throw new ErrorException($errstr, $errno, 0, $errfile, $errline);
}

// Set the error handler
set_error_handler("exception_error_handler");

// Force output of all errors
error_reporting(E_ALL);

// Define constants
define('DB_HOST', '1.1.1.1');
define('DB_USER', 'USR');
define('DB_PASS', 'PW');
define('DB_NAME', 'DB');
define('DB_PORT', '5432');

// Connection string with SSL certificate files
$conn_str  = 'host=' . DB_HOST . ' ';
$conn_str .= 'port=' . DB_PORT . ' ';
$conn_str .= 'dbname=' . DB_NAME . ' ';
$conn_str .= 'user=' . DB_USER . ' ';
$conn_str .= 'password=' . DB_PASS . ' ';
$conn_str .= 'sslmode=require ';
$conn_str .= 'sslcert=/etc/apache2/ssl/postgresql.crt ';
$conn_str .= 'sslkey=/etc/apache2/ssl/postgresql.key ';

// Try catch block grabbing stored exception
try {
    echo "Attempting pg_connect: " . $conn_str . "&lt;br&gt;";
    $conn = @pg_connect($conn_str);
} catch (Exception $e) {
    echo $e-&gt;getMessage();
}

// Attempt Connection
$conn = pg_connect($conn_str) or die('Cannot connect to database.');

// Set SQL String
$sql = 'SELECT * FROM locations';

// Attempt query and iterate results
if ($result = pg_query($conn, $sql)) {
    while ($row = pg_fetch_row($result)) {
        var_dump($row);
    }
}

// Close it up
pg_close();
?&gt;
</code></pre>
</div>
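The permission message quoted in the post is libpq refusing a client private key that is readable by group or others. The post's closing workaround goes further than that check requires: it hands the whole /etc/ssl tree to www-data and removes everyone else's access to it, when all the connection needs is for postgresql.key to be owned by the user PHP runs as (www-data here) with mode 0600, and for postgresql.crt to be readable by that user (the earlier "Permission denied" on the .crt came from making a root-owned file 0600). The Go program below is an added example, not code from the post or from libpq; it applies the same mode rule to two files it creates itself (placeholder contents, not real keys) on a POSIX filesystem, so it runs anywhere and shows which file would be accepted.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// checkClientKeyFile applies the rule behind the error quoted in the post: a
// client private key must be a regular file with no permission bits for group
// or others, i.e. mode 0600 (u=rw) or stricter. It looks at mode bits only
// (POSIX semantics), so it gives the same answer whoever runs it.
func checkClientKeyFile(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("%s: has group or world access (mode %04o); permissions should be u=rw (0600) or less",
			path, fi.Mode().Perm())
	}
	return nil
}

// demo writes two throwaway files with placeholder contents (constructed, not
// real keys), one world-readable and one owner-only, and reports which passes.
func demo() (map[string]bool, error) {
	dir, err := os.MkdirTemp("", "pgkeys")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	results := map[string]bool{}
	for name, mode := range map[string]os.FileMode{"loose.key": 0o644, "strict.key": 0o600} {
		p := filepath.Join(dir, name)
		if err := os.WriteFile(p, []byte("placeholder, not a real key\n"), mode); err != nil {
			return nil, err
		}
		if err := os.Chmod(p, mode); err != nil { // the umask may have narrowed what WriteFile applied
			return nil, err
		}
		results[name] = checkClientKeyFile(p) == nil
	}
	return results, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(r) // map[loose.key:false strict.key:true]
}
```

The check is deliberately about the file's mode rather than whether the current user can read it: a key readable by www-data but also by every other account on the host is exactly what libpq is objecting to.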

pecl install always fails with "unable to connect to ssl://pecl.php.net:443 (Unknown error) in Proxy.php on line 183"

<div class="post-text" itemprop="text">
<pre><code>qiulangs-MacBook-Pro:extensions qiulang$ pecl -vvv install debug
Warning: fsockopen(): SSL: Handshake timed out in Proxy.php on line 183
Warning: fsockopen(): Failed to enable crypto in Proxy.php on line 183
Warning: fsockopen(): unable to connect to ssl://pecl.php.net:443 (Unknown error) in Proxy.php on line 183
No releases available for package "pecl.php.net/debug"
Cannot initialize 'channel://pecl.php.net/debug', invalid or missing package file
Package "channel://pecl.php.net/debug" is not valid
install failed
</code></pre>
<p>I used brew to install php 7.2 and 7.3 and tried pecl with both of them, but I got the same error.</p>
<p>Meanwhile my colleague can use pecl (also using brew install php@7.2) without any problem. So it must be something wrong with my setting.</p>
<pre><code>qiulangs-MacBook-Pro:sbin qiulang$ php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] =&gt; /usr/local/libressl-2.2/etc/ssl/cert.pem
    [default_cert_file_env] =&gt; SSL_CERT_FILE
    [default_cert_dir] =&gt; /usr/local/libressl-2.2/etc/ssl/certs
    [default_cert_dir_env] =&gt; SSL_CERT_DIR
    [default_private_dir] =&gt; /usr/local/libressl-2.2/etc/ssl/private
    [default_default_cert_area] =&gt; /usr/local/libressl-2.2/etc/ssl
    [ini_cafile] =&gt;
    [ini_capath] =&gt;
)
</code></pre>
</div>

SSL options in gocql

<div class="post-text" itemprop="text">
<p>In my Cassandra config I have enabled user authentication and connect with cqlsh over ssl. I'm having trouble implementing the same with gocql; following is my code:</p>
<pre><code>cluster := gocql.NewCluster("127.0.0.1")
cluster.Authenticator = gocql.PasswordAuthenticator{
    Username: "myuser",
    Password: "mypassword",
}
cluster.SslOpts = &amp;gocql.SslOptions{
    CertPath: "/path/to/cert.pem",
}
</code></pre>
<p>When I try to connect I get the following error:</p>
<pre><code>gocql: unable to create session: connectionpool: unable to load X509 key pair: open : no such file or directory
</code></pre>
<p>In python I can do this with something like:</p>
<pre><code>from ssl import PROTOCOL_TLSv1
from cassandra.cluster import Cluster
from cassandra.auth import PlainTextAuthProvider

USER = 'username'
PASS = 'password'
ssl_opts = {'ca_certs': '/path/to/cert.pem', 'ssl_version': PROTOCOL_TLSv1}
credentials = PlainTextAuthProvider(username=USER, password=PASS)

# define host, port, cqlsh protocol version
cluster = Cluster(contact_points=HOST, protocol_version=CQLSH_PROTOCOL_VERSION,
                  auth_provider=credentials, port=CASSANDRA_PORT,
                  ssl_options=ssl_opts)
</code></pre>
<p>I checked the gocql and TLS documentation <a href="https://godoc.org/github.com/gocql/gocql#SslOptions" rel="nofollow">here</a> and <a href="https://godoc.org/crypto/tls#Config" rel="nofollow">here</a> but I'm unsure about how to set ssl options.</p>
</div>

How to set up an SSL-encrypted MySQL connection with Doctrine2 in PHP (not Symfony, not Doctrine1)

<div class="post-text" itemprop="text">
<p>I am having a hard time finding documentation / examples of how to set up an SSL encrypted connection with Doctrine2 to MySQL. I'm not using Symfony, so I'm looking for the pure PHP path.</p>
<p>What I'm stuck on is basically how to convey the MYSQL_CLIENT_SSL (or MYSQLI_CLIENT_SSL) flag, and the path to the CA certificate. I can live with not verifying the certificate, but I can't live with not encrypting the connection for this task.</p>
<p>On the command line this would be done similar to this:</p>
<pre><code>mysql --ssl-verify-server-cert --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h host [etc]
</code></pre>
<p>In pure PHP using the mysql extension I think it would look something like:</p>
<pre><code>$conn = mysql_connect($host, $user, $pass, false, MYSQL_CLIENT_SSL);
</code></pre>
<p>With mysqli (I think) it would be something like this:</p>
<pre><code>$db = mysqli_init();
$db-&gt;ssl_set(null, null, $cert, null, null);
$db-&gt;real_connect($host, $user, $pass, $dbname);
</code></pre>
<p>The question is, how do I do this with Doctrine2? Is it even possible? How do I modify the initialization for Doctrine2 to do this?</p>
<pre><code>$DOCTRINE2_DB = array(
    'driver'      =&gt; 'pdo_mysql',
    'host'        =&gt; $host,
    'user'        =&gt; $user,
    'password'    =&gt; $pass,
    'dbname'      =&gt; $dbname,
    'unix_socket' =&gt; $sockpath,
);
$DOCTRINE2_EM = \Doctrine\ORM\EntityManager::create($DOCTRINE2_DB, $DOCTRINE2_CONFIG);
$EM =&amp; $DOCTRINE2_EM; // for brevity &amp; sanity
</code></pre>
</div>

A few things I don't understand in pgjdbc's SSL certificate verification source

I'm using certificate verification with a PostgreSQL database and have read through the source, but there are a few things about the SSL certificate verification I don't understand. Below is the flow pgjdbc goes through to enable SSL certificate verification after it has obtained the database connection. My question: I can follow every step, but I don't know why it does things this way, or whether this is a standard. Could someone explain it, or point me to some reference material? Thanks. To keep things concise, the code has been abridged.

```java
private PGStream enableSSL(PGStream pgStream, SslMode sslMode, Properties info,
    int connectTimeout) throws IOException, PSQLException {
  // Send the SSL request packet
  pgStream.sendInteger4(8);    // send a 4-byte integer to the backend
  pgStream.sendInteger2(1234); // send a 2-byte integer (short) to the backend
  pgStream.sendInteger2(5679);
  pgStream.flush();            // flush any pending output to the backend

  // Now get the response from the backend, one of N, E, S.
  int beresp = pgStream.receiveChar(); // receive a single character from the backend
  switch (beresp) {
    case 'S': // the server supports SSL
      org.herodbsql.ssl.MakeSSL.convert(pgStream, info); // <-- the call I'm asking about
      return pgStream;
    // the other cases and the final return are omitted in this abridged excerpt
  }
}
```

As you can see above, JDBC sends a few integer bytes to the database, then reads the response and branches in the switch, but I don't know why it does this. Going further in, the convert method:

```java
public static void convert(PGStream stream, Properties info)
    throws PSQLException, IOException {
  LOGGER.log(Level.FINE, "converting regular socket connection to ssl");
  SSLSocketFactory factory = SocketFactoryFactory.getSslSocketFactory(info); // <-- see below
  SSLSocket newConnection;
  // Convert the regular socket connection to SSL
  newConnection = (SSLSocket) factory.createSocket(stream.getSocket(),
      stream.getHostSpec().getHost(), stream.getHostSpec().getPort(), true);
  // We must invoke manually, otherwise the exceptions are hidden
  newConnection.setUseClientMode(true); // use client mode
  newConnection.startHandshake();       // start the handshake
  stream.changeSocket(newConnection);
}
```

Then looking at SocketFactoryFactory.getSslSocketFactory(info):

```java
public static SSLSocketFactory getSslSocketFactory(Properties info) throws PSQLException { // get the SSL socket factory
  String classname = PGProperty.SSL_FACTORY.get(info); // class name of the SSL factory to use
  if (classname == null
      || "org.herodbsql.ssl.jdbc4.LibPQFactory".equals(classname)
      || "org.herodbsql.ssl.LibPQFactory".equals(classname)) {
    return new LibPQFactory(info);
  }
  // other factories omitted in this abridged excerpt
}
```

Next, new LibPQFactory(info); this method should be where the certificates are loaded:

```java
public LibPQFactory(Properties info) throws PSQLException {
  try {
    SSLContext ctx = SSLContext.getInstance("TLS"); // or "SSL" ?

    // Determine the default file locations
    String pathsep = System.getProperty("file.separator"); // directory separator on Windows or Linux
    String defaultdir;
    boolean defaultfile = false;
    if (System.getProperty("os.name").toLowerCase().contains("windows")) { // It is Windows
      defaultdir = System.getenv("APPDATA") + pathsep + "herodbsql" + pathsep; // value of the named environment variable (a system-dependent external named value)
    } else {
      defaultdir = System.getProperty("user.home") + pathsep + ".herodbsql" + pathsep;
    }

    // Load the client's certificate and key
    String sslcertfile = PGProperty.SSL_CERT.get(info);
    if (sslcertfile == null) { // Fall back to default
      defaultfile = true;
      sslcertfile = defaultdir + "herodbsql.crt";
    }
    String sslkeyfile = PGProperty.SSL_KEY.get(info);
    if (sslkeyfile == null) { // Fall back to default
      defaultfile = true;
      sslkeyfile = defaultdir + "herodbsql.pk8";
    }

    // Determine the callback handler
    CallbackHandler cbh;
    String sslpasswordcallback = PGProperty.SSL_PASSWORD_CALLBACK.get(info);
    if (sslpasswordcallback != null) {
      try {
        cbh = (CallbackHandler) ObjectFactory.instantiate(sslpasswordcallback, info, false, null);
      } catch (Exception e) {
        throw new PSQLException(
            GT.tr("The password callback class provided {0} could not be instantiated.", sslpasswordcallback),
            PSQLState.CONNECTION_FAILURE, e);
      }
    } else {
      cbh = new ConsoleCallbackHandler(PGProperty.SSL_PASSWORD.get(info)); // the password that encrypts sslkey
    }

    // If the properties are empty, give null to prevent client key selection
    km = new LazyKeyManager(("".equals(sslcertfile) ? null : sslcertfile),
        ("".equals(sslkeyfile) ? null : sslkeyfile), cbh, defaultfile); // create the LazyKeyManager object

    TrustManager[] tm;
    SslMode sslMode = SslMode.of(info);
    if (!sslMode.verifyCertificate()) {
      // server validation is not required
      tm = new TrustManager[]{new NonValidatingTM()};
    } else {
      // Load the server certificate
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); // create the certificate trust manager factory
      KeyStore ks;
      try {
        ks = KeyStore.getInstance("jks"); // the store that will hold the trusted certificates
      } catch (KeyStoreException e) {
        // this should never happen
        throw new NoSuchAlgorithmException("jks KeyStore not available");
      }
      String sslrootcertfile = PGProperty.SSL_ROOT_CERT.get(info); // get the root certificate
      if (sslrootcertfile == null) { // Fall back to default
        sslrootcertfile = defaultdir + "root.crt";
      }
      FileInputStream fis;
      try {
        fis = new FileInputStream(sslrootcertfile); // open the root CA certificate file
      } catch (FileNotFoundException ex) {
        throw new PSQLException(
            GT.tr("Could not open SSL root certificate file {0}.", sslrootcertfile),
            PSQLState.CONNECTION_FAILURE, ex);
      }
      try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509"); // get an X.509 factory instance
        // Certificate[] certs = cf.generateCertificates(fis).toArray(new Certificate[]{}); //Does not work in java 1.4
        Object[] certs = cf.generateCertificates(fis).toArray(new Certificate[]{}); // array view of the CA certificates
        ks.load(null, null);
        for (int i = 0; i < certs.length; i++) {
          ks.setCertificateEntry("cert" + i, (Certificate) certs[i]); // assign the trusted certificate to the given alias
        }
        tmf.init(ks);
      } catch (IOException ioex) {
        throw new PSQLException(
            GT.tr("Could not read SSL root certificate file {0}.", sslrootcertfile),
            PSQLState.CONNECTION_FAILURE, ioex);
      } catch (GeneralSecurityException gsex) {
        throw new PSQLException(
            GT.tr("Loading the SSL root certificate {0} into a TrustManager failed.", sslrootcertfile),
            PSQLState.CONNECTION_FAILURE, gsex);
      } finally {
        try {
          fis.close();
        } catch (IOException e) {
          /* ignore */
        }
      }
      tm = tmf.getTrustManagers();
    }

    // finally we can initialize the context
    try {
      ctx.init(new KeyManager[]{km}, tm, null);
    } catch (KeyManagementException ex) {
      throw new PSQLException(GT.tr("Could not initialize SSL context."),
          PSQLState.CONNECTION_FAILURE, ex);
    }
    factory = ctx.getSocketFactory();
  } catch (NoSuchAlgorithmException ex) {
    throw new PSQLException(GT.tr("Could not find a java cryptographic algorithm: {0}.", ex.getMessage()),
        PSQLState.CONNECTION_FAILURE, ex);
  }
}
```

How to use SSL_CTX_load_verify_locations in OpenSSL

How is SSL_CTX_load_verify_locations used? What kind of certificate do you pass in? Take self-signed certificates, for example: how are the client and server certificates generated, what kind of certificate does SSL_CTX_load_verify_locations need, and how is that one generated?
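The questions above about pgjdbc, gocql and SSL_CTX_load_verify_locations, and the PHP questions earlier on this page, all turn on one point: a client verifies the server's certificate against a trust store it is given explicitly (pgjdbc's root.crt loaded into a TrustManager, PHP's cafile, gocql's CaPath, OpenSSL's SSL_CTX_load_verify_locations), and "certificate verify failed" or "unable to get issuer certificate" means that store does not contain the issuer of the certificate the server presented. For a self-signed setup the store must hold the CA certificate that signed the server certificate (or the server certificate itself when it is its own issuer); the server holds only its leaf certificate and private key. Two factual notes on the posts: the bytes pgjdbc sends (length 8, then 1234 and 5679, which together form the code 80877103) are the PostgreSQL protocol's SSLRequest message, which the backend answers with 'S' before the plain socket is upgraded to TLS, and MakeSSL.convert performs that upgrade; and the gocql error names an empty file being opened, which is what happens when CertPath (a client certificate) is set without KeyPath, whereas the CA used to verify the server belongs in CaPath. The Go program below is an added example, not code from any of the posts or projects: it generates a throwaway CA and server certificate in memory (constructed test material), starts a TLS server on loopback, and connects with four client policies: an empty trust store, the right trust store with the wrong host name, the right trust store with the right name, and verification switched off, the last being what `verify_peer => false` and `allow_self_signed` amount to. The sslRequest helper only encodes the PostgreSQL message for reference; the loopback server is plain TLS and does not speak the PostgreSQL prelude.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"math/big"
	"net"
	"time"
)

// sslRequest encodes PostgreSQL's SSLRequest: int32 length 8, then the code 80877103,
// which pgjdbc sends as the int16 halves 1234 and 5679; the backend replies 'S' or 'N'.
func sslRequest() []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint32(b[0:], 8)
	binary.BigEndian.PutUint16(b[4:], 1234)
	binary.BigEndian.PutUint16(b[6:], 5679)
	return b
}

// newPKI makes a throwaway CA and a server certificate it signs (constructed test material).
// The CA certificate is what the client trust store (root.crt, cafile, CaPath) must hold.
func newPKI(serverName string) (*x509.CertPool, tls.Certificate, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	srvTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}, nil
}

// startServer runs a TLS listener on loopback presenting cert; a client that rejects it aborts its own handshake.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln, nil
}

// runScenarios connects to one server under four client policies; every result should be true.
func runScenarios() (map[string]bool, error) {
	pool, cert, err := newPKI("localhost")
	if err != nil {
		return nil, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	dial := func(cfg *tls.Config) error { // one client handshake under cfg's verification policy
		c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err == nil {
			c.Close()
		}
		return err
	}
	return map[string]bool{
		// trust store lacks the issuer: the "certificate verify failed" seen in the PHP posts
		"unknown_authority": errors.As(dial(&tls.Config{RootCAs: x509.NewCertPool(), ServerName: "localhost"}), &x509.UnknownAuthorityError{}),
		// issuer trusted, but the name being connected to is not in the certificate
		"wrong_name": errors.As(dial(&tls.Config{RootCAs: pool, ServerName: "db.example.invalid"}), &x509.HostnameError{}),
		"verified":   dial(&tls.Config{RootCAs: pool, ServerName: "localhost"}) == nil,
		"skip_verify": dial(&tls.Config{InsecureSkipVerify: true}) == nil, // verify_peer=false analogue: connects, checks nothing
	}, nil
}
```

Mapped back to the posts: the "verified" policy is gocql's `SslOptions{CaPath: "/path/to/ca.pem", EnableHostVerification: true}` (CertPath/KeyPath are only for a client certificate), and in OpenSSL it is `SSL_CTX_load_verify_locations(ctx, "ca.pem", NULL)` together with `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` and a host name set with `SSL_set1_host`. The "unknown_authority" and "wrong_name" failures are what verification is for; "skip_verify" connects to any certificate at all, which is why the PHP posts' `verify_peer => false` workaround makes the error disappear without making the connection trustworthy.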
