PHP: using curl to access HTTPS (example)

  • 2020-12-10 00:38:53
  • OfStack

For illustration, here is the code first:


/**
 * curl POST
 *
 * @param   string  $url      Request URL
 * @param   array   $data     POST data
 * @param   int     $timeout  Request timeout in seconds
 * @param   bool    $CA       For HTTPS, whether to perform strict certificate verification
 * @return  string|false      Response body, or false on failure
 */
function curlPost($url, $data = array(), $timeout = 30, $CA = true){

    $cacert = getcwd() . '/cacert.pem'; // CA root certificate bundle
    $SSL = strncasecmp($url, 'https://', 8) === 0; // URL schemes are case-insensitive

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, max(1, $timeout - 2)); // never 0 or negative; 0 would select libcurl's default connect timeout
    if ($SSL && $CA) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // Only trust certificates issued by a CA
        curl_setopt($ch, CURLOPT_CAINFO, $cacert);       // CA root certificates (used to verify that the site's certificate was issued by a CA)
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // Check that a domain name is set in the certificate and that it matches the requested host name
    } else if ($SSL && !$CA) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Trust any certificate: the certificate chain is not verified
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);     // Check only that a domain name is set in the certificate (libcurl 7.28.1 and later no longer support the value 1)
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:')); // Avoid the problem with long POST data
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    //curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); // URL-encoded data

    $ret = curl_exec($ch); // false on failure
    //var_dump(curl_error($ch));  // View the error message

    curl_close($ch);
    return $ret;
}

If the URL address starts with https, use SSL; otherwise, use the regular HTTP protocol.

Does using HTTPS by itself make the request safe? Not necessarily: SSL has different levels of verification.

For example, should the common name in the certificate be verified? (BTW: the Common Name generally means the domain or subdomain for which you applied for the SSL certificate.)

Do I need to verify the host name?

Should any certificate be trusted, or only certificates issued by a CA?

(Ugh, my battery is almost dead, so I'll just cover the key points -|||)

If the site's SSL certificate was purchased from a CA (which is usually more expensive), you can use stricter verification when accessing the site, that is:


curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // Only trust certificates issued by a CA
curl_setopt($ch, CURLOPT_CAINFO, $cacert);      // CA root certificates (used to verify that the site's certificate was issued by a CA)
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // Check that a domain name is set in the certificate and that it matches the requested host name

If the site's certificate is self-generated or was obtained from a small organization on the Internet, strict verification will fail when accessing the site and the call simply returns false. (When false is returned, you can print curl_error($ch) to see the specific error message.) In that case, access can be made to work by lowering the level of verification as the situation requires. Note that with CURLOPT_SSL_VERIFYPEER set to false curl no longer authenticates the server, so the traffic is encrypted but can be intercepted by anyone who presents their own certificate. For example:


curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Trust any certificate
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);     // Check only that a domain name is set in the certificate (0 also works, but then even the existence of the domain name is not checked)
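
An alternative for the self-generated certificate case, as an added example that is not part of the original article: keep both checks on and point CURLOPT_CAINFO at the site's own certificate (or its private CA) exported as PEM. The function name curlPostVerified, the host internal.example and the file internal-ca.pem are hypothetical, and the certificate is assumed to name the host used in the URL.

```php
<?php
// Added example (not the article's code). $caFile is either the CA bundle or,
// for a self-generated certificate, that certificate's own PEM file.
function curlPostVerified(string $url, array $data, string $caFile, int $timeout = 30): string
{
    if (strncasecmp($url, 'https://', 8) !== 0) {
        throw new InvalidArgumentException('Only https:// URLs are accepted');
    }
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_CONNECTTIMEOUT => max(1, $timeout - 2),
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse any non-HTTPS transfer
        CURLOPT_SSL_VERIFYPEER => true,            // chain must end in a certificate from $caFile
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the URL host
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Expect:'],
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($data), // URL-encoded body
    ]);

    $ret = curl_exec($ch);
    // Read the error before closing the handle; verification failures end up here.
    $error = $ret === false
        ? sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch))
        : null;
    curl_close($ch);
    if ($error !== null) {
        throw new RuntimeException($error);
    }
    return $ret;
}

// Hypothetical internal host and certificate path, used only for illustration.
try {
    echo curlPostVerified('https://internal.example/api', ['k' => 'v'], __DIR__ . '/internal-ca.pem');
} catch (Exception $e) {
    error_log($e->getMessage());
}
```

A failed verification surfaces as an exception carrying the curl error number and message instead of a silent false.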

When we visit https websites in a browser, we sometimes see a prompt saying the certificate is not trusted. This is because the certificates of those websites were not issued by a formal CA.

Browsers ship with a built-in list of CA root certificates. When you visit a website whose certificate was issued by a CA, the certificate is verified against these root certificates, so no such prompt appears.

The CA root certificate file is essentially a collection of the public key certificates of the major CAs, used to verify that a web site's certificate was issued by one of them.

This file is derived from the Mozilla source tree and converted to a certificate file in PEM format. (A ready-made copy can be downloaded from http://curl.haxx.se/ca/cacert.pem)

One last thing that has nothing to do with SSL:


curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));

This is mainly to solve the problem of excessively long data in POST: the empty Expect header stops curl from sending "Expect: 100-continue" with large request bodies.

