问题
Summary:
Is there a way to force the built in SoapClient-class in PHP to connect over HTTPS to a server with an invalid certificate?
Why would I want to do that?
I have deployed a new application on a server that has no DNS entry or certificate yet. I want to try connecting to it with a SoapClient before setting up the DNS entry and fixing the certificate, and the most reasonable way to do this seems to be to just make the client ignore the certificate during testing.
Don\'t I realise that this is a huge security risk?
This is only for testing. When the service goes into production, there will be a valid certificate in place, and the client will be forced to validate it.
回答1:
SoapClient takes a stream context in its parameters, which you can create yourself. That way you can control almost every aspect of the transport layer:
$context = stream_context_create([
'ssl' => [
// set some SSL/TLS specific options
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true
]
]);
$client = new SoapClient(null, [
'location' => 'https://...',
'uri' => '...',
'stream_context' => $context
]);
Documentation:
- stream_context_create() Docs
- HTTP context options Docs
- SSL context options Docs
回答2:
The accepted answer works but only in the non-WSDL mode. If you try to use this in the WSDL mode (i. e. you pass a WSDL file url as the first argument) you will face the fact that the stream context is ignored when downloading WSDL files. So if the WSDL file is also located on a server with broken certificate, it will fail, most likely throwing the message failed to load external entity. See more here and here.
As suggested, the simplest way around is to download the WSDL file manually and pass the local copy to the SoapClient. You can download it for example with file_get_contents using the very same stream context from the accepted answer.
Note that you will also have to do this when creating a SoapServer.
回答3:
The correct list for PHP 5.6.8 is
'ssl' => array('verify_peer_name'=>false, 'allow_self_signed' => true),
来源:https://stackoverflow.com/questions/8443618/disable-certificate-verification-in-php-soapclient