Error when loading external xml file with php via https : SSL3_GET_SERVER_CERTIFICATE

遇见更好的自我 2021-01-14 02:35

I can't get an xml file to load.

This code works great:

$url = 'http://www.w3schools.com/xml/note.xml';
$xml = simplexml_load_file($url);
print_r($         


        
2 answers
  •  栀梦 (original poster)
    2021-01-14 03:18

    short cookbook answer:

    1. Download https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt and place that file on your server.
    2. Add

      $context = stream_context_create(array('ssl'=>array(
          'verify_peer' => true,
          'cafile' => '/path/to/ca-bundle.crt'
      )));
      libxml_set_streams_context($context);

    to your script so it gets executed before simplexml_load_file().
    Or - instead of the code above - set openssl.cafile=/path/to/ca-bundle.crt in your php.ini.

    Very short explanation:
    Your php version uses openssl to handle the https transport. openssl tries to verify whether the server really is who it claims to be. It does that by checking whether its certificate is trusted. An X.509 certificate contains some data about the owner and is signed by an issuer (itself having a certificate that is again signed and so on and on until a certificate where owner and issuer are identical -> self-signed/root certificate). A certificate is considered "trusted" if in that chain of certificates there is (at least) one certificate on which openssl "says": "ok, I have been instructed to trust this one". This instruction takes the form of (or can take the form of) "here's a file containing certificates that you're supposed to trust" (cafile).
    The above code tells the libxml-wrapper of php to tell openssl where that cafile is when simplexml_load_file uses the https/openssl-wrapper.
    And openssl.cafile=/path/to/ca-bundle.crt just sets it as default; unless instructed otherwise all openssl operations will use that file - including libxml/simplexml_load_file.

    The ca-bundle.crt I've linked to is from a project that "claims" to provide the extracted root certificates as shipped with Mozilla Firefox. Regarding "claims": I have no reason to doubt that this really is the untampered root cert list; but you never know: You're putting your trust a) in this project and b) Mozilla doing a good job and only putting trustworthy certificates in that list....

    for more explanation see http://phpsecurity.readthedocs.org/en/latest/Transport-Layer-Security-%28HTTPS-SSL-and-TLS%29.html#php-streams
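
The answer's caveat about trusting the downloaded bundle, as an added example that is not part of the original answer: it lists what the cafile actually contains before using it, then loads the XML with the same stream context plus host name verification. The function names `audit_ca_bundle` and `load_xml_verified` and the script name are hypothetical; the bundle path and URL are supplied on the command line.

```php
<?php
/** Added example (hypothetical helper): summarise each certificate in a PEM bundle. */
function audit_ca_bundle(string $caFile): array
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }
    $pattern = '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s';
    preg_match_all($pattern, file_get_contents($caFile), $matches);
    $rows = [];
    foreach ($matches[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) { throw new RuntimeException("Unparseable certificate in $caFile"); }
        $rows[] = [
            'subject'     => $info['name'],
            // Roots have identical owner and issuer (name comparison only, no signature check).
            'self_signed' => $info['subject'] == $info['issuer'],
            'expired'     => $info['validTo_time_t'] < time(),
        ];
    }
    if ($rows === []) { throw new RuntimeException("No certificates found in $caFile"); }
    return $rows;
}

/** Added example (hypothetical helper): load XML over https, verifying chain and host name. */
function load_xml_verified(string $url, string $caFile): SimpleXMLElement
{
    $context = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true, // PHP >= 5.6: certificate must match the host
        'cafile'           => $caFile,
    ]]);
    libxml_set_streams_context($context);
    $xml = simplexml_load_file($url);
    if ($xml === false) {
        throw new RuntimeException("Could not load $url (TLS verification or XML parse failure)");
    }
    return $xml;
}

// Usage (script name is an assumption): php load_feed.php /path/to/ca-bundle.crt [https-url]
if (PHP_SAPI === 'cli' && $argc >= 2) {
    $rows = audit_ca_bundle($argv[1]);
    $bad = array_filter($rows, fn($r) => $r['expired'] || !$r['self_signed']);
    printf("%d certificates, %d expired or not self-signed\n", count($rows), count($bad));
    foreach ($bad as $r) { echo "  review: {$r['subject']}\n"; }
    if ($argc >= 3) { print_r(load_xml_verified($argv[2], $argv[1])); }
}
```

Entries reported under `review:` are worth a look before the file is used as `cafile`, since every certificate in it becomes a trust anchor for the connection.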
