duansan9435
2010-09-04 15:01

CurlException: 60 (cURL SSL certificate verification) without hacking

The error that a lot of people get with Facebook authentication is:

CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And the only information I can find about it suggests adding the following lines of code to curl:

$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;

I know this works, but what is going on here? Aren't there any server settings/configuration that can be changed instead of hacking up facebook.php?


3 answers

  • dongxian0421 2010-09-04 15:03
    Accepted

    What It Does & Meaning:

    The following code tells the cURL to NOT verify that security certificates are correct. Hence, the error disappears.

      $opts[CURLOPT_SSL_VERIFYPEER] = false;
      $opts[CURLOPT_SSL_VERIFYHOST] = 2;
    

    When you connect to a remote server with SSL, their certificate might be invalid, expired, or not signed by a recognized CA. The cURL normally checks it.

    CURLOPT_SSL_VERIFYHOST:

    • 1: to check the existence of a common name in the SSL peer certificate.
    • 2: to check the existence of a common name and also verify that it matches the hostname provided.

    CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).


    How to Enable & Verify Correctly:

    To verify correctly, we need to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonably* trust.

    If the remote resource is protected by a certificate issued by one of the main CA's like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle which you can get from http://curl.haxx.se/docs/caextract.html

    Save the file cacert.pem somewhere in your server and set the following options in your script.

    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE); 
    curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
    

    If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.

  • douwang4374 2012-11-28 09:30

    In my case, I could not use curl_setopt, because I could not edit Facebook API classes ( conditions of project I was working in ).

    I solved the problem by adding path to cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html to my php.ini

    [curl]
    curl.cainfo = "c:\wamp\cacert.pem"
    
  • dsaff82024 2013-04-17 08:39

    I just had the same problem, and disabling peer verification is not acceptable in my case. I updated the fa_ca_chain_bundle.crt file (from Facebook's GitHub) and it works now.

    Regards, Marek

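The answers above (CURLOPT_CAINFO, curl.cainfo in php.ini, and an updated CA bundle) all keep verification on and fix the trust store instead. As an added example, not code from the thread or from the Facebook SDK, this PHP script reports where PHP and cURL look for CA certificates and makes a verified request that surfaces error 60 rather than hiding it. The cacert.pem location, the sample URL, and the function names are assumptions.

```php
<?php
// Added example. Assumes the curl and openssl extensions are loaded.

// Where will PHP/cURL look for CA certificates when no CURLOPT_CAINFO is set?
function caConfiguration(): array
{
    // OpenSSL defaults compiled into PHP; a hint only if cURL uses another TLS library.
    $loc = openssl_get_cert_locations();
    return [
        'curl.cainfo'       => ini_get('curl.cainfo') ?: '(not set)',
        'openssl.cafile'    => ini_get('openssl.cafile') ?: '(not set)',
        'default_cert_file' => $loc['default_cert_file'],
        'default_cert_dir'  => $loc['default_cert_dir'],
    ];
}

// Make a request with full verification and report the outcome.
function verifiedRequest(string $url, ?string $caBundle = null): array
{
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,  // no body needed to exercise the TLS handshake
        CURLOPT_SSL_VERIFYPEER => true,  // chain must lead to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate name must match the host
        CURLOPT_TIMEOUT        => 10,
    ];
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        $opts[CURLOPT_CAINFO] = $caBundle;  // per-request override of curl.cainfo
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $ok = curl_exec($ch) !== false;         // "" is a success here, false is a failure
    return [
        'ok'    => $ok,
        'errno' => curl_errno($ch),         // 60 means certificate verification failed
        'error' => curl_error($ch),
        // 0 means the chain verified; other values are the TLS library's error code
        'verify_result' => curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT),
    ];
}

// Assumed path: cacert.pem saved next to this script; falls back to php.ini/system defaults.
$bundle = is_readable(__DIR__ . '/cacert.pem') ? __DIR__ . '/cacert.pem' : null;
print_r(caConfiguration());
print_r(verifiedRequest('https://graph.facebook.com/', $bundle)); // sample URL (assumption)
```

If `errno` is 60 with the defaults but 0 when the downloaded bundle is passed, the server's trust store is the problem, and pointing `curl.cainfo` at that bundle fixes it without editing any SDK code.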