This article shares how to use curl in PHP to access HTTPS sites, mainly through the code and the methods behind it. I hope it helps.
For ease of explanation, here is the code first. It is a function I re-wrapped today:
    /**
     * curl POST
     *
     * @param  string $url     URL
     * @param  array  $data    data to send
     * @param  int    $timeout request time-out in seconds (the default was lost
     *                         in the source text; 30 is an assumed value)
     * @param  bool   $CA      strict HTTPS authentication
     * @return string
     */
    function curlpost($url, $data = array(), $timeout = 30, $CA = true)
    {
        $cacert = getcwd() . '/cacert.pem';              // CA root certificates
        $SSL = substr($url, 0, 8) === 'https://';

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout - 2);
        if ($SSL && $CA) {
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // trust only CA-issued certificates
            curl_setopt($ch, CURLOPT_CAINFO, $cacert);       // CA root certificates (used to verify that the site certificate was issued by a CA)
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // check that a domain name is set in the certificate and matches the host name provided
        } else if ($SSL && !$CA) {
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // trust any certificate
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);     // check only that a domain name is set in the certificate
        }
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));  // avoid problems with long data
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); // URL-encoded data

        $ret = curl_exec($ch);
        if ($ret === false) {
            var_dump(curl_error($ch));                   // view the error message
        }

        curl_close($ch);
        return $ret;
    }
If the URL begins with https://, the request goes over SSL; otherwise it uses plain HTTP.
Is it safe just because HTTPS is used? In fact, SSL has different levels of verification.
For example, do you need to verify the common name in the certificate? (BTW: the common name is generally filled in with the domain or subdomain for which you are applying for the SSL certificate.)
Do you need to verify the host name?
Is any certificate trusted, or only certificates issued by a CA?
(My battery is almost dead, so I will only cover the key points.)
If the website's SSL certificate was purchased from a CA (usually more expensive), then access can use stricter verification, namely:
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // trust only CA-issued certificates
    curl_setopt($ch, CURLOPT_CAINFO, $cacert);       // CA root certificates (used to verify that the site certificate was issued by a CA)
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // check that a domain name is set in the certificate and matches the host name provided
If the website's certificate is self-generated, or was obtained from a small organization on the internet, then strict verification will not pass and curl_exec() returns false directly. (When false is returned, you can print curl_error($ch) to see the specific error message.) At this point, you can ensure normal access by reducing the level of verification. Note that with peer verification disabled the connection is still encrypted, but the server's identity is no longer checked. For example:
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // trust any certificate
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);     // check only that a domain name is set in the certificate
                                                     // (0 also works: the name is then not checked at all;
                                                     // libcurl 7.28.1 and later no longer support the value 1)
When we use a browser to visit HTTPS websites, we sometimes see a warning that the certificate is not trusted. This is because the certificates of those sites were not issued by a recognized CA.
A list of CA root certificates is built into the browsers on the market. When you visit a website that has a CA-issued certificate, the site's certificate is validated against those root certificates, so no such warning appears.
The CA root certificate file contains the public key certificates of each of the major CAs, which are used to verify that a site's certificate was issued by one of them.
This file is exported from Mozilla's source tree and converted to a PEM-format certificate file. (A ready-made copy can be downloaded from http://curl.haxx.se/ca/cacert.pem)
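As an added example (not code from the original article): instead of lowering verification for a self-generated certificate, the strict settings can be kept by pointing CURLOPT_CAINFO at that certificate or its private CA exported as PEM. The function name verifiedPost, the URL and the PEM path are assumptions, and unlike the function above it accepts only https:// URLs.

```php
<?php
// Added example, not the article's code. verifiedPost(), the URL and the
// PEM path are hypothetical names chosen for illustration.

/**
 * POST over HTTPS with full verification against a caller-chosen trust anchor.
 * $caFile is either the Mozilla bundle (cacert.pem) or, for a self-signed or
 * private-CA server, that server's certificate / CA exported as PEM.
 */
function verifiedPost(string $url, array $data, string $caFile, int $timeout = 30): array
{
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('verifiedPost() only accepts https:// URLs');
    }
    if (!is_readable($caFile)) {
        // Fail closed: never fall back to CURLOPT_SSL_VERIFYPEER = false.
        throw new InvalidArgumentException("CA file not readable: $caFile");
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,    // chain must end in a certificate from $caFile
        CURLOPT_SSL_VERIFYHOST => 2,       // certificate name must match the URL host
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($data),
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    // libcurl codes: 51/60 = certificate or name check failed, 77 = CA file unusable.
    return [
        'ok'       => $body !== false,
        'body'     => $body === false ? null : $body,
        'errno'    => $errno,
        'error'    => curl_error($ch),
        'tls_fail' => in_array($errno, [51, 60, 77], true),
    ];
}

// Constructed usage: the host and the PEM path are placeholders.
try {
    $r = verifiedPost('https://intranet.example/api', ['q' => 'ping'], __DIR__ . '/intranet-selfsigned.pem');
    echo $r['ok'] ? $r['body'] : "request failed ({$r['errno']}): {$r['error']}\n";
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```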
Finally, something unrelated to SSL:

    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));