Alternative for using CURLOPT_SSL_VERIFYHOST, 2

Submitted by 。_饼干妹妹 on 2019-12-12 01:29:32

Question


I am using the auth.net XML class written by John Conde, http://www.johnconde.net/blog/tutorial-integrate-authorize-net-xml-api-universal-php-class/. In it, it has two lines.

curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($this->ch, CURLOPT_CAINFO, dirname(__FILE__) . '/ssl/cert.pem');

Can I replace this with

curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl,CURLOPT_CAINFO, NULL);
curl_easy_setopt(curl,CURLOPT_CAPATH, NULL);

I might not be able to get the .pem file, or info I need to create it. Would this alternative be just as secure?


Answer 1:


Would this alternative be just as secure?

No, disabling CURLOPT_SSL_VERIFYHOST or CURLOPT_SSL_VERIFYPEER would allow for possible MITM attacks (see this answer).

I might not be able to get the .pem file, or info I need to create it

The info you need to create it is ultimately a judgement call from you, choosing which CAs you want to trust. Browsers and OSes tend to make a pre-selection for you. Curl comes with a convenient script and CA bundle using the Firefox CA selection (this selection is updated once in a while). Some Linux distributions also provide a default CA bundle file that you may be able to use.
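
An added example (not part of the original answer and not code from John Conde's class) of the approach the answer describes: keep both checks enabled and point CURLOPT_CAINFO at a CA bundle found on the system, stopping if none is found. The helper names `find_ca_bundle()` and `configure_verified_curl()`, the candidate paths and the order in which they are tried are assumptions.

```php
<?php
// Added example; find_ca_bundle() and configure_verified_curl() are hypothetical helpers.

// Return the first readable PEM bundle among the candidates, or null.
function find_ca_bundle(array $preferred = []): ?string
{
    $candidates = $preferred;
    // Paths configured in php.ini, if any.
    $candidates[] = (string) ini_get('curl.cainfo');
    $candidates[] = (string) ini_get('openssl.cafile');
    // Default bundle path compiled into the OpenSSL that PHP uses.
    if (function_exists('openssl_get_cert_locations')) {
        $candidates[] = openssl_get_cert_locations()['default_cert_file'] ?? '';
    }
    // Common distribution locations (assumed; they vary by system).
    $candidates[] = '/etc/ssl/certs/ca-certificates.crt'; // Debian, Ubuntu
    $candidates[] = '/etc/pki/tls/certs/ca-bundle.crt';   // RHEL, CentOS, Fedora
    $candidates[] = '/etc/ssl/ca-bundle.pem';             // openSUSE
    $candidates[] = '/etc/ssl/cert.pem';                  // Alpine

    foreach ($candidates as $path) {
        if ($path === '' || !is_file($path) || !is_readable($path)) {
            continue;
        }
        // Accept the file only if it holds at least one PEM certificate.
        $head = file_get_contents($path, false, null, 0, 65536);
        if ($head !== false && strpos($head, '-----BEGIN CERTIFICATE-----') !== false) {
            return $path;
        }
    }
    return null;
}

// Turn on chain and host name verification; refuse to continue without a bundle.
function configure_verified_curl($ch, ?string $caBundle): void
{
    if ($caBundle === null) {
        throw new RuntimeException('No CA bundle found; not falling back to unverified TLS');
    }
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // validate the certificate chain
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // certificate must match the host name
    curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
}

$bundle = find_ca_bundle([__DIR__ . '/ssl/cert.pem']); // bundle shipped beside the script, if present
$ch = curl_init();
configure_verified_curl($ch, $bundle);
echo "Verifying peers against: $bundle\n";
```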



Source: https://stackoverflow.com/questions/15046678/alternative-for-using-curlopt-ssl-verifyhost-2
