问题:
试图让PHP流与Thawte TLS RSA CA G1一起工作-内部错误
羊舌迪
echo OPENSSL_VERSION_TEXT;
require 'vendor/autoload.php';
$fetch = new \ParagonIE\Certainty\RemoteFetch('/tmp/');
$latestBundle = $fetch->getLatestBundle();
$context = stream_context_create(
[
'ssl' => array(
'cafile' => $latestBundle->getFilePath(),
'SNI_enabled' => true,
)
]
);
$url = 'https://example.com:8080/x/y';
echo file_get_contents($url . '?wsdl', false, $context);
我正在使用https://github.com/paragonie/dasturity获取最新的Cacerts。
我得到以下错误
OpenSSL 1.0.2g 1 Mar 2016
PHP Warning: file_get_contents():
SSL operation failed with code 1. OpenSSL Error messages:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
internal error in /tmp/test/test.php on line 20
PHP Warning: file_get_contents(): Failed to enable crypto in
/tmp/test/test.php on line 20
PHP Warning: file_get_contents(https://example.com:8080/x/y?
wsdl): failed to open stream: operation failed in
/tmp/test/test.php on line 20
这里出什么问题了?
SCAN RESULTS FOR example.COM:8080 - >
------------------------------------------------------
* TLSV1_1 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Accepted:
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_AES_256_CBC_SHA ANONYMOUS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Undefined - An unexpected error happened:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* TLSV1 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Accepted:
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_AES_256_CBC_SHA ANONYMOUS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Undefined - An unexpected error happened:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Deflate Compression:
OK - Compression disabled
* Certificate Information:
Content
SHA1 Fingerprint: c2b3ce5b0905caa2ec5998aacf074f99cffb0207
Common Name: example.com
Issuer: Thawte TLS RSA CA G1
Serial Number: 10361996092389695445524615643169842847
Not Before: 2018-12-05 00:00:00
Not After: 2020-12-04 12:00:00
Signature Algorithm: sha256
Public Key Algorithm: RSA
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: ['example.com']
Trust
Hostname Validation: OK - Certificate matches example.com
Android CA Store (9.0.0_r3): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
iOS CA Store (11): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Java CA Store (jre-10.0.2): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Mozilla CA Store (2018-08-23): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Windows CA Store (2018-08-04): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: example.com
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: OK - 3 SCTs included
OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* Resumption Support:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Tickets: NOT SUPPORTED - TLS ticket not assigned.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: VULNERABLE - Signaling cipher suite not supported
* TLSV1_3 Cipher Suites:
Server rejected all cipher suites.
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
Accepted:
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_AES_256_CBC_SHA ANONYMOUS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Undefined - An unexpected error happened:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Session Renegotiation:
Client-initiated Renegotiation: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* ROBOT Attack:
OK - Not vulnerable
SCAN COMPLETED IN 9.31 S
共有1个答案
聂宜
内部错误是这样解决的:
$context = stream_context_create(
[
'ssl' => array(
'cafile' => $latestBundle->getFilePath(),
'SNI_enabled' => true,
'ciphers' => 'HIGH:TLSv1.2:TLSv1.1:TLSv1.0:SSLv3:SSLv2',
'verify_peer' => false,
'verify_peer_name' => false,
'crypto_disable_compression' => true,
'method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
'verify_depth' => 10,
)
]
);
但我仍然无法验证CA证书。
在Chrome中,它工作得很好。
类似资料:
-
因此,如果我不能重写字符串作为它的最终结果(因此阻止我重写它的compareTo()方法来调用compareToIgnoreCase()),那么还有其他方法可以实现吗? 任何帮助都是非常感谢的。
-
我已经成功地在我的Windows机器上安装了gnuradio,并尝试将随附的python环境(Python 2.7)与PyCharm v2018集成。我创建了一个新项目,并为包添加了一个用户定义的路径,以指向所有gnuradio库的位置(C:\Program Files\GNURadio-3.7\lib\site-包)。 在Pycharm可以毫无怨言地看到所有gnuradio包的意义上,一切似乎都
-
我想知道我是否能做这样的事情。假设我有一个数字流1-20。我想利用一个特性,比如drop 3(我想用Java术语来说是限制还是跳过?)并产生一个流,即数字流: 1-20、4-20、7-20等 然后可能平坦地将这些全部映射到一条溪流中。我尝试了使用Stream.iterate的各种组合,主要是从流生成流,但我一直收到一个IllegalStateExcema,说流已经操作或关闭。 例如,人们可能期望这
-
我已经成功地建立了TailwindCSS上Gridsome以下说明:https://gridsome.org/docs/assets-css/#tailwind 但是,这些说明并没有提到如何设置autoprefixer。因此,我自己尝试了一下,如下所示: npm安装自动刷新器 修改了文件(请参见下面的修改代码,其中包含我所更改内容的注释) 运行 将类添加到以查看是否添加了任何供应商前缀 结果。。。
-
我试图在一个我的组件中使用Tesseract来执行文件上的ocr。 .ts: .html 我遵循了这个,但是这个错误显示了 我应该怎么做才能让这个工作成功?
-
我只是很难让我的控制器单元测试正常工作,因为在我看来,如果使用OAuth,SpringDoc中的内容是不够的。在我的例子中,是Oauth2和JWT。 我尝试使用,,甚至使用和自定义定义我自己的注释,但在计算安全表达式时,总是在UserSecurityContext中获得匿名用户,无论我在工厂中设置测试上下文的是什么。。。 我提出了我刚刚想到的解决方案,但由于我不确定嘲笑令牌服务是最有效/干净的方法