php - Apache CURL 错误 SSL : CA certificate set, 但证书验证被禁用

Question

问题:我的开发环境在我提交使用 CURL 的登录表单的所有内容时都会产生此错误。 CURL 产生了这个错误，我认为它与为 SSL 连接生成的证书有关。

我的开发环境是:

• Mac OS X Capitan 10.11
• Apache 2.4/PHP 7.0.12

phpinfo() 声明:

• cURL:已启用/7.50.3/SSL:是/协议(protocol):dict、file、ftp、ftps、gopher、http、https、imap、imaps、ldap、ldaps、pop3、pop3s、rtsp、scp、sftp、smb , smbs, smtp, smtps, telnet, tftp/SSL 版本:SecureTransport/ZLib 版本:1.2.5/libSSH 版本:libssh2/1.4.3
• OpenSSL:已启用/库版本:OpenSSL 1.0.2h 2016 年 5 月 3 日/ header 版本:OpenSSL 1.0.2h 2016 年 5 月 3 日/openssl.cafile:(本地)/usr/local/php5/ssl/certs/cacert.pem和(主)/usr/local/php5/ssl/certs/cacert.pem

为了创建 SSL 设置，我遵循了这个 Enable SSL in Apache (OSX)文章到 T 恤，它消除了浏览器请求，并允许我对涉及 Twitter 等的项目提出请求，即使在开发环境中也需要 SSL 连接。

但是，PHP 5.6。我最初用于开发这个特定项目，最近我升级到 7，现在导致了这个错误。

在测试证书方面，在终端中显示如下错误:

echo | openssl s_client -connect localhost:443

上面的命令产生了:

CONNECTED(00000003)
depth=0 C = AU, ST = New South Wales, L = Sydney, O = localhost, CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = AU, ST = New South Wales, L = Sydney, O = localhost, CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
   i:/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDgDCCAmigAwIBAgIJAIqaBKmBWQOqMA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
BAYTAkFVMRgwFgYDVQQIDA9OZXcgU291dGggV2FsZXMxDzANBgNVBAcMBlN5ZG5l
eTESMBAGA1UECgwJbG9jYWxob3N0MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTYx
MTAyMjEzODQ3WhcNMTcxMTAyMjEzODQ3WjBgMQswCQYDVQQGEwJBVTEYMBYGA1UE
CAwPTmV3IFNvdXRoIFdhbGVzMQ8wDQYDVQQHDAZTeWRuZXkxEjAQBgNVBAoMCWxv
Y2FsaG9zdDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAmD67Hq/iOUL+b+cjgeO/xwfjmkAu2QI4ZbOV4w/pH66T+U9a
KN3snz504u8xo1DUDKyUp+eX40q2jbWghzOoPVrhIRWwhY4woyX6FYILzvNDym59
Hqc9CzGZ6lkuApelsSAFyC2Q0K7VeOFwEepNZ6ou7WhqfoS9N/CPptut/+NkByxt
m8sEvFbLS4dtVKHB8QoPsVJ8w7f+4zKk3NjVLQPlw8xxzLMStzlwsOSLJYEaiU1a
fdzOoe/l0DroMpTZmDPth6/Fc9loCC3AcgIrzOG7q9eaR5ANNA1+Ca/4/3+qdQOU
CVYjFwwTsTZdcd73nHVjJCe/3bX30T3s9dTD/QIDAQABoz0wOzAJBgNVHRMEAjAA
MAsGA1UdDwQEAwIF4DAhBgNVHREEGjAYgglsb2NhbGhvc3SCCyoubG9jYWxob3N0
MA0GCSqGSIb3DQEBCwUAA4IBAQB9Z5cbIq6gGQ7xg22AxUUQ2GUQ+/u2heHogphP
S/k2OmPg2mmtZ6UPS2B8m8TRx6roHZhO6pWGuDh0BuwRMHC0kYMB7p+XFiOl9Xo+
EVpiM4oXHJ7f1JgF0k/77MGIcyWBHfkvEzNcmhdmabyV5cdyXJs4IaJqnnczwjgC
jh2kvPL4mYQ6Tq26j+vWU2BklFTeMEjr3MgEL+prBTCx6DJ+vKDW3h9USm2yHMGa
EWiP+tJ+6vXKzHdpAVjTNYsoR9stfduZylG9m5pZSISOlaZnDDEwyiQ33U15FAM4
ZnfDOJX1Tbb0MpdbjH36QS2uBhUebxEM361BVGXPZQUaCqp2
-----END CERTIFICATE-----
subject=/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
issuer=/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, B-571, 570 bits
---
SSL handshake has read 1666 bytes and written 513 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 8B39BE1C255BDD6ED6E42E85612AB24C9CD1CB2195676A2CAEA7E3FAE0E65D68
    Session-ID-ctx: 
    Master-Key: 86DCCE7468DE39C619A64AC7C08E6F3AA55B02DC025564D4E67C7BCDDE90415D518D780FB4EEB98A69DF785ED62FFB09
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e0 da 63 c7 3d b0 eb 5c-0b 30 c8 0f 8f 43 b2 5e   ..c.=..\.0...C.^
    0010 - 93 49 cb 87 c5 f8 a5 f4-42 bf 19 e1 16 3d 24 73   .I......B....=$s
    0020 - ab 0a 76 b9 a7 84 1b 1b-ad 3f 4b 2d 60 c7 0c 8a   ..v......?K-`...
    0030 - 3d e8 0d b2 29 db 95 b0-a6 e6 49 f6 60 3c fe 1d   =...).....I.`<..
    0040 - c2 f5 51 8f 40 ae 93 ac-f2 eb b9 99 2c c5 f0 45   ..Q.@.......,..E
    0050 - bb d7 16 a7 0f a5 52 c7-c4 b8 e4 6a 05 ab a0 25   ......R....j...%
    0060 - 9c 44 dc 15 8c 0e cf 69-18 f8 dd 8d f1 ad 21 32   .D.....i......!2
    0070 - f5 f9 d6 54 37 87 46 6d-9e 4f d2 8a 3e 16 e2 1a   ...T7.Fm.O..>...
    0080 - 41 1a 26 27 31 83 f1 ad-31 26 ab 22 17 84 50 ae   A.&'1...1&."..P.
    0090 - 06 ef 51 9e f4 40 0f 48-8b a9 66 26 1f d8 32 88   ..Q..@.H..f&..2.
    00a0 - 46 19 a2 97 44 26 9c b1-b0 15 5c 0b 02 d7 23 ea   F...D&....\...#.
    00b0 - 07 b6 72 57 b7 47 ee 9a-85 fe 16 d4 59 8d b8 34   ..rW.G......Y..4

    Start Time: 1478128414
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

对于产生此错误的登录页面，我使用的是 Auth0.com 并且我拒绝更改 CURL 请求 verifypeer = false 以抑制此错误，因为该错误清楚地识别泄漏。作为开发人员，我们希望尽可能多地复制我们的开发环境，以确保在转移到生产环境时不遗余力。

谢谢，希望我已经涵盖了这里所有必要的内容。我不使用外部包，如 MAMP 或 XAMPP 等，只是将 PHP7 安装作为对 Capitan 附带的现有 PHP 5.5 的升级。

干杯!

Answer 1

找到一种方法来切换你的 curl 代码，这样如果你在开发 ($_SERVER['HTTP_HOST']=='localhost') 那么你设置 verifypeer = false 但这并没有得到设置并且在生产中保持为真。