This article uses the mode and the N: 1 mode. For more information, see the new blog "SSL two-way authentication (high definition edition)".
----------------------------------------------------- I am a split line ---------------------------------------------------------
The title is too long to know how to get started. Simply list the keyword ~
WebService's WS-* was not completed after a day. It seems that PHP should have completely abandoned the SOAP protocol, and Google has not found any reliable solutions.
The partner is unwilling to implement the encryption, decryption, and signature on its own. There is no way to do it. Instead, he has to go through HTTPS and throw this part from the application layer to the lower layer.
However, data security in communication is divided into several parts:Confidentiality, non-tampering, and non-repudiation.
Traditional HTTPS calls only encrypt data, solve the problem of confidentiality and non-tampering, solve the problem of client authentication, or call it non-repudiation.
Therefore, two sets of SSL two-way authentication are required.
Nginx currently supports SSL two-way authentication, and the configuration is simple:
...... Listen 443; SERVER_NAME test.com; SSL on; ssl_certificate server. CRT; // server-side Public Key ssl_certificate_key server. key; // server Private Key ssl_client_certificate client. CRT; // client-side Public Key ssl_session_timeout 5 m; ssl_verify_client on; // enable client verification ......
In fact, the client-side Public Key setting and client verification are added based on the conventional HTTPS configuration. (For more configuration information, see nginx official documentation: http://wiki.nginx.org/HttpSslModule#ssl)
After the server is configured, the original WSDL address must be accessed through HTTPS. However, the client certificate is required for client access.
Test with cURL first. related parameters:
...... Curl_setopt ($ ch, curlopt_ssl_verifypeer, false); // trust any certificate curl_setopt ($ ch, expires, 0); // do not check the domain name curl_setopt ($ ch, curlopt_verbose, '1'); // development mode. The communication information is displayed as curl_setopt ($ ch, curlopt_sslcert, 'client. CRT '); // client crtcurl_setopt ($ ch, curlopt_sslcertpasswd, '20170101'); // client certificate password curl_setopt ($ ch, curlopt_sslkey, 'client. key'); // client keycurl_setopt ($ ch, curlopt_post, false); // post ......
I am using the WebService server implemented by nusoap (for details, see do you like soap? I don't like it anyway. "), The binding interface address in the WSDL is already port 443.
The following uses soap for calling. php's soapclient supports this function. You only need to set the following header:
...... $ Local_cert = "client. PEM "; // PEM $ header = array ('local _ cert' => $ local_cert, // client certificate information 'passphrase' => '000000' // password); $ client = new soapclient ($ WSDL, $ header );......
Note that the client. pem content must contain the certificate and private key information as follows:
-----BEGIN CERTIFICATE-----MIICdTCCAd4C……-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----MIICXQIBAAKB……-----END RSA PRIVATE KEY-----
The following error message is still displayed:
SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://test.com/soap_test.php?wsdl' : Premature end of data in tag html line 1
On Google, I encountered a similar encounter from a buddy. The result was the same as I expected: soapclient did not use certificate information when obtaining the WSDL in advance!
Use curl to capture and save the local files for calling. Everything is OK ~