修改 PHP 代码以使用 TLS 而不是 SSL
Posted
技术标签:
【中文标题】修改 PHP 代码以使用 TLS 而不是 SSL【英文标题】:Amend PHP code to use TLS rather than SSL 【发布时间】:2014-12-31 10:43:08 【问题描述】:我有一个定制的支付系统,它使用 php 将买家发送到 Barclays EPDQ 进行支付。 EPDQ 不再支持 SSL,所以我必须将其转换为使用 TLS。
查看页面,在我看来只有一小段代码需要编辑 我在这里超出了我的深度,任何人都可以建议我应该做的改变吗?还是没有我想象的那么简单?
这是我认为需要修改的部分:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://" . $requesthost . $requestdocument);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $requestbody);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$responsedata = curl_exec($ch);
【问题讨论】:
TLS 本质上是 SSL 3.1,只是名称的改变。您是否有任何迹象表明您的代码实际上没有使用 TLS? 不,只是 EPDQ 的备注表,让我知道“我们将不再支持任何版本的 SSL 加密。” 有什么我可以查的吗? 我不知道,查看文档似乎没有用于检查此问题的 API。 SSL/TLS 是一种协商协议,双方将使用双方都可以使用的最新版本的协议。如果你有一个相当新的内置 curl 库版本,这不应该是一个问题。您可以在命令行上尝试curl -v https://google.com;尽管 PHP 的 curl 版本可能不同,但它表明您安装了哪个 curl 以及它将使用哪个 SSL/TLS 版本。
【参考方案1】:
尝试添加
CURLOPT_SSL_CIPHER_LIST => 'TLSv1' 到您的 PPHttpConfig.php。
和
curl_setopt($curl_request, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);在你的代码中
来自SSL error can not change to TLS 和PHP Curl (with NSS) is probably using SSLv3 insted of TLS when connecting to https
【讨论】:
【参考方案2】:您的代码中需要更多参数。
您还必须将“CURLOPT_SSL_VERIFYPEER”设置为“true”。
您可以阅读有关cacert.crt here 的更多信息并获得一份。请务必阅读使用条款。
是的,您需要所有选项才能实现最大的前向保密。
您可以阅读有关 TLS 安全性和实施的更多信息here。
下面解释了每个选项的作用。
/**
*
* Start Fix SSLv3/TLS connectivity problems
*
* CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER prevent MITM attacks
* WARNING: Disabling this would prevent curl from detecting Man-in-the-middle (MITM) attack
*
*/
/**
* @param CURLOPT_SSL_VERIFYPEER
*
* FALSE to stop CURL from verifying the peer's certificate.
* Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.
* CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
* Setting CURLOPT_SSL_VERIFYHOST to 2 (This is the default value) will garantee that the certificate being presented to you have a 'common name' matching the URN you are using to access the remote resource.
* This is a healthy check but it doesn't guarantee your program is not being decieved.
*
*/
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
/**
*
* @param CURLOPT_SSL_VERIFYHOST
*
* Check the existence of a common name in the SSL peer certificate.
* Check the existence of a common name and also verify that it matches the hostname provided.
*
* @value 1 to check the existence of a common name in the SSL peer certificate.
* @value 2 to check the existence of a common name and also verify that it matches the hostname provided.
* In production environments the value of this option should be kept at 2 (default value).
* Support for value 1 removed in cURL 7.28.1
*/
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
/**
*
* Force use of TLS
*
*/
/**
*
* Let's explain the magic of comparing your TLS certificate to the verified CA Authorities and how does that affect MITM attacks
*
* Man in the middle (MITM)
* Your program could be misleaded into talking to another server instead. This can be achieved through several mechanisms, like dns or arp poisoning.
* The intruder can also self-sign a certificate with the same 'comon name' your program is expecting.
* The communication would still be encrypted but you would be giving away your secrets to an impostor.
* This kind of attack is called 'man-in-the-middle'
* Defeating the 'man-in-the-middle'
* We need to to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonable* trust.
* If the remote resource is protected by a certificate issued by one of the main CA's like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle,
* which you can get from http://curl.haxx.se/docs/caextract.html
*
*/
//TODO: If TLSv1_1 found insecure and/or unreliable change to TLSv1_1 or TLS1_2
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); // CURL_SSLVERSION_TLSv1_1; CURL_SSLVERSION_TLSv1_2
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN')
$crt = substr(__FILE__, 0, strrpos( __FILE__, '\\'))."\crt\cacert.crt"; // WIN
else
$crt = str_replace('\\', '/', substr(__FILE__, 0, strrpos( __FILE__, '/')))."/crt/cacert.crt"; // *NIX
// The cert path is relative to this file
curl_setopt($ch, CURLOPT_CAINFO, $crt); // Set the location of the CA-bundle
/**
* Fix Error: 35 - Unknown SSL protocol error in connections
*
* Improve maximum forward secrecy
*/
// Please keep in mind that this list has been checked against the SSL Labs' WEAK ciphers list in 2014.
$arrayCiphers = array(
'DHE-RSA-AES256-SHA',
'DHE-DSS-AES256-SHA',
'AES256-SHA',
'ADH-AES256-SHA',
'KRB5-DES-CBC3-SHA',
'EDH-RSA-DES-CBC3-SHA',
'EDH-DSS-DES-CBC3-SHA',
'DHE-RSA-AES128-SHA',
'DHE-DSS-AES128-SHA',
'ADH-AES128-SHA',
'AES128-SHA',
'KRB5-DES-CBC-SHA',
'EDH-RSA-DES-CBC-SHA',
'EDH-DSS-DES-CBC-SHA:DES-CBC-SHA',
'EXP-KRB5-DES-CBC-SHA',
'EXP-EDH-RSA-DES-CBC-SHA',
'EXP-EDH-DSS-DES-CBC-SHA',
'EXP-DES-CBC-SHA'
);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, implode(':', $arrayCiphers));
请告诉我,如果您有任何其他问题,我会尽力回答。
【讨论】:
以上是关于修改 PHP 代码以使用 TLS 而不是 SSL的主要内容,如果未能解决你的问题,请参考以下文章
在 wamp 服务器上使用 openssl 修改 ssl 版本