2019-04-18 20:56
浏览 171

如何使用php curl进行相互/双向身份验证?

The website is saying "You are not authenticated with digital certificate, or possibly the connection time expired. Authenticate again with your digital certificate.".

I have gotten this message every time, so rather than connection time expiring, I think that my attempt of authenticating is just not working.

The way I am doing this is I start with just a pfx file, and a passphrase to open it. I make the pem certificate with openssl and the pfx.


$pfx_path = 'me.pfx';
$pfx_pass = 'foopass123';
$pfx_values = [];
openssl_pkcs12_read(file_get_contents($pfx_path), $pfx_values, $pfx_pass);
$cert_path = 'me.pem';
file_put_contents($cert_path, $pfx_values['cert'] . "
" . $pfx_values['pkey']);
$postfields = 'field1=val1&field2=val2&field3=val3';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL           , 'https://www.example.com');
curl_setopt($ch, CURLOPT_POST          , true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS    , $postfields);
curl_setopt($ch, CURLOPT_SSLCERT       , $cert_path);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
$curl_result = curl_exec($ch);
$curl_info = curl_getinfo($ch);

Result of executing the code (showing just a quote of the HTML of $curl_result):

You are not authenticated with digital certificate, or possibly the connection time expired. Authenticate again with digital certificate.

By the way, $curl_info['ssl_verify_result'] is 0, which I guess means that at least the server was correctly authenticated.

EDIT: removed CURLOPT_SSLCERTPASSWD because it's not necessary, the pfx file was already open with the password, and its private and public key were put naked into $cert_path.

  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • duankousong9637 2019-04-18 22:27

    A header was necessary to achieve successful authentication on that specific site. The missing header was Cookie: ..., that contained specific fields, like for example a session ID (which you can get by logging in the website with cURL or simply as a user through a browser, you can copy and paste the cookie generated by the server).

    You can specify the Cookie header with:

    curl_setopt($ch, CURLOPT_COOKIE,
        . ' bar=456;'
        . ' SESSIONID=789;'

    And alternatively you can specify it with:

    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Cookie: foo=123;'
        . ' bar=456;'
        . ' SESSIONID=789;'

    To look at this in a general way, and not as a problem limited to a specific site, notice that different sites will require different headers and cookies, as well as they may require none.

    So if you want to do mutual authentication in a given site like a user does, make sure that you are using the correct headers and cookies in case it's needed.

    Now, how to get a session ID with cURL, that depends on each site, and it's outside the scope of the question, but in general it's a matter of imitating with PHP the same operation that the user does in a browser, and it's probably done in a particular URL within the site, and not all site broad.

    打赏 评论

相关推荐 更多相似问题