  • Notes on HTTPS verified access

    Background

    When the Internet was just emerging, network security was not taken seriously. HTTP transmits in plaintext, which offered many conveniences to those intent on wrongdoing. As more and more people had their interests harmed, attention turned to the security of network transmission.

    HTTPS encryption process

    1. Encryption algorithms

      1) Symmetric encryption: encryption and decryption use the same key.

      2) Asymmetric encryption: encryption and decryption use two different keys.

    2. The crux of encryption in HTTPS communication is keeping the key secret: once the communication is being monitored, every piece of information may be forged, and that includes the key itself, which may be intercepted and forged. To verify the true identity of the server or the client, a third party is needed to act as guarantor. Of course, the guarantor may itself be unreliable, but that is a story for later. Assuming the third party is reliable, let us look at the HTTPS communication process:

    3. Certificate types

      1. .DER
      The DER extension is used for binary DER-encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be "I have a DER-encoded certificate", not "I have a DER certificate".

      2. .PEM
      The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "-----BEGIN ..." line.

      3. .CRT
      The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. CRT is the most common form among *nix systems.

      4. .CER
      An alternate form of .crt (Microsoft convention). Microsoft tools can convert .crt to .cer (either a DER-encoded .cer or a Base64 [PEM]-encoded .cer). The .cer file extension is also recognized by IE as a command to run a Microsoft CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER), which displays a dialogue for importing and/or viewing certificate contents.

      5. .KEY
      The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
      
    4. Certificate origin

      Some certificate issuers are not trusted. If the authority that issued a certificate cannot be trusted, the certificate serves no purpose. The browsers we use ship with a built-in set of trusted CAs, and that information is used to verify whether a server certificate can be trusted.

    PHP code

    <?php
    // $url, $api_key and $token are assumed to be defined by the caller.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 6);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-API-KEY: $api_key", "Content-Type: application/json; charset=utf-8"]);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(['user_token' => $token]));

    // Verify the server certificate chain against the trusted CA bundle and
    // check that the certificate name matches the host (2 is the only meaningful value).
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    // Client certificate and key for mutual TLS. The type must describe the file
    // contents (a .cer may be DER or PEM, see the certificate types above), not the extension.
    curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM');
    curl_setopt($ch, CURLOPT_SSLKEYTYPE, 'PEM');
    curl_setopt($ch, CURLOPT_SSLCERT, __DIR__ . '/wog.cer');
    curl_setopt($ch, CURLOPT_SSLKEY, __DIR__ . '/wog.key');
    // Sets the minimum TLS version to 1.1, which is deprecated;
    // CURL_SSLVERSION_TLSv1_2 is the sensible floor for current servers.
    curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
    $result = curl_exec($ch);
    if ($result === false) {
        // Verification failures (untrusted CA, hostname mismatch, bad client cert) surface here.
        error_log('curl error: ' . curl_error($ch));
    }
    curl_close($ch);
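As an added example (not code from the original post), a small Python check for the point raised under certificate types and relied on by the curl options above: a .cer or .crt file may hold either DER or PEM, while CURLOPT_SSLCERTTYPE must name the actual encoding. It classifies a file by content, not extension, and validates the outer ASN.1 SEQUENCE length so a truncated file is rejected. The sample bytes are constructed and are not a real certificate.

```python
import base64
import re

# Constructed sample, not a real certificate: a minimal DER SEQUENCE { INTEGER 5 }
# standing in for the outer SEQUENCE of an X.509 certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

# The same bytes in PEM armour, as a .pem/.crt/.cer file would store them.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
                     re.DOTALL)


def der_sequence_length(data: bytes) -> int:
    """Total byte length of the outer DER SEQUENCE (tag 0x30) in `data`."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte must be 0x30")
    first = data[1]
    if first < 0x80:                     # short form: one length byte
        return 2 + first
    n = first & 0x7F                     # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_encoding(data: bytes) -> str:
    """Return 'PEM' or 'DER' (the values CURLOPT_SSLCERTTYPE expects) based on
    the file contents rather than its extension; raise ValueError otherwise."""
    if _PEM_RE.search(data):
        return "PEM"
    if der_sequence_length(data) == len(data):
        return "DER"
    raise ValueError("DER SEQUENCE length does not match file size")


def to_der(data: bytes) -> bytes:
    """Normalise PEM or DER input to raw DER bytes, validating the outer
    SEQUENCE header so a truncated or mislabelled file is rejected."""
    m = _PEM_RE.search(data)
    der = base64.b64decode(m.group(2)) if m else data   # b64decode skips newlines
    if der_sequence_length(der) != len(der):
        raise ValueError("DER SEQUENCE length does not match content size")
    return der
```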
    

    References

    1. The HTTPS encryption process
    2. Certificate types
  • Original post: https://www.cnblogs.com/jingjingdidunhe/p/11088659.html