2014-05-29 11:31
浏览 75


I have a project on Azure Websites, hosting an API which should be accessible only using HTTPS, using my custom .com domain. A-Records were created to the .com domain, which is working properly. The SSL Certificate were bought, uploaded and the SSL bindings are set-up correctly in the management panel.

When I access a method of the API using IE/Chrome/FF, the proper certificate (issued for my .com domain) is displayed. When I access it using the following PHP code using curl, I get an error message as if the server responded with the default * certificate, which fails as the request was made to the .com domain.

$ch = curl_init('');
$cabundle = dirname(__FILE__).'/ca-bundle.crt';

curl_setopt( $ch, CURLOPT_POST, 1);
curl_setopt( $ch, CURLOPT_POSTFIELDS, $jsonRequest);
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt( $ch, CURLOPT_HEADER, 0);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt( $ch, CURLOPT_CAINFO, $cabundle);

$content = curl_exec($ch);
$curlInfo = curl_getinfo($ch);

(as you can see, I'm already using the CA file required to validate the certs, if I run a file_exists passing the $cabundle variable as parameter, it returns true)

The error I get:

curl error 51: SSL: certificate subject name '*' does not match target host name '' content

As already told, if I access the same URL using a browser, the correct certificate for my .com domain is the one shown in the view certificate details screen.

What should I do either for curl requesting/validating the right certificate, or Azure respond with the correct certificate for the domain requested?

PS: setting CURLOPT_SSL_VERIFYPEER to false, or CURLOPT_SSL_VERIFYHOST to 0 or 1 are not options, security is essential to this project, and a MITM attack could be very harmful.

图片转代码服务由CSDN问答提供 功能建议

我在Azure网站上有一个项目,使用我的自定义.com托管一个只能使用HTTPS访问的API。 域。 A-Records创建于.com域,该域正常运行。 购买,上传SSL证书并在管理面板中正确设置SSL绑定。

当我使用IE / Chrome / FF访问API的方法时,正确的证书 (显示我的.com域名)。 当我使用curl使用以下PHP代码访问它时,我收到一条错误消息,好像服务器使用默认的* azurewebsites.com证书响应,该证书因向.com域的请求而失败。 <前> $ ch = curl_init(''); $ cabundle = dirname(__ FILE __)。'/ ca-bundle.crt'; \ n curl_setopt($ ch,CURLOPT_POST,1); curl_setopt($ ch,CURLOPT_POSTFIELDS,$ jsonRequest); curl_setopt($ ch,CURLOPT_FOLLOWLOCATION,1); curl_setopt($ ch,CURLOPT_HEADER,0); curl_setopt($ ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ ch,CURLOPT_SSL_VERIFYPEER,true); curl_setopt($ ch,CURLOPT_SSL_VERIFYHOST,2); curl_setopt($ ch,CURLOPT_CAINFO,$ cabundle); $ content = curl_exec( $ ch); $ curlInfo = curl_getinfo($ ch);

(如您所见,我已经在使用验证所需的CA文件 证书,如果我运行 file_exists 传递 $ cabundle 变量作为参数,则返回true)

错误I get:

  curl error 51:SSL:证书使用者名称'*'与目标主机名''内容不匹配



PS:设置 CURLOPT_SSL_VERIFYPEER < / code>到 false ,或 CURLOPT_SSL_VERIFYHOST 0 1 不是选项,安全性对这个项目至关重要 ,MITM攻击可能非常有害。

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dongmeiba6151 2014-05-29 13:03

    Probably there are several certificates behind the same IP and you need to use SNI (server name indication, e.g. the server name is sent within the SSL handshake). Not all versions of curl support SNI, please check Use cURL with SNI (Server Name Indication).

    解决 无用
    打赏 举报

相关推荐 更多相似问题