Fatal编程技术网
  • php/
  • Php 如何修复curl:(35)无法与对等方安全通信:没有通用加密算法

Php 如何修复curl:(35)无法与对等方安全通信:没有通用加密算法

php ssl curl https

Php 如何修复curl:(35)无法与对等方安全通信:没有通用加密算法,php,ssl,curl,https,curl-multi,Php,Ssl,Curl,Https,Curl Multi,我正在尝试从https://torrage.com使用php curl。 但是什么也没发生,curl\u error($ch)给出 $ch = curl_init ('https://torrage.com/torrent/640FE84C613C17F663551D218689A64E8AEBEABE.torrent'); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_USERAGENT, '

我正在尝试从
https://torrage.com
使用
php curl
。 但是什么也没发生,
curl\u error($ch)
给出

$ch = curl_init ('https://torrage.com/torrent/640FE84C613C17F663551D218689A64E8AEBEABE.torrent');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_VERBOSE,true);
$data = curl_exec($ch);
$error = curl_error($ch);
curl_close ($ch);
echo $error;
这给了我们更多的机会

Cannot communicate securely with peer: no common encryption algorithm(s).
如果我像这样从贝壳里尝试

[root@prod1 yum.repos.d]# curl -I https://torrage.com
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
在详细模式下

[root@prod1 yum.repos.d]# curl -v https://torrage.com
* Rebuilt URL to: https://torrage.com/
*   Trying 81.17.30.48...
* Connected to torrage.com (81.17.30.48) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
系统信息centos 7。x86_64

[root@prod1 yum.repos.d]# uname -a
Linux prod1.localdomain 3.10.0-229.4.2.el7.x86_64 #1 SMP Wed May 13 10:06:09 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
卷曲版本

[root@prod1 yum.repos.d]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu)
openssl,已修补。

[root@prod1 yum.repos.d]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jun 15 18:39:20 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic

[root@prod1 yum.repos.d]# rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

[root@prod1 yum.repos.d]# curl -I http://torrage.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 04:13:17 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://torrage.com/
验证是否已修补openssl。

[root@prod1 yum.repos.d]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jun 15 18:39:20 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic

[root@prod1 yum.repos.d]# rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

[root@prod1 yum.repos.d]# curl -I http://torrage.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 04:13:17 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://torrage.com/
我尝试过的:

1)我尝试使用HTTP代替HTTPS,但网站强制使用HTTPS。 e、 g.

[root@prod1 yum.repos.d]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jun 15 18:39:20 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic

[root@prod1 yum.repos.d]# rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

[root@prod1 yum.repos.d]# curl -I http://torrage.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 04:13:17 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://torrage.com/
2)更新ca bundle.crt

cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/
curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

[root@prod1 randoadmin]# curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 -I https://torrage.com
HTTP/1.1 200 OK
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 05:54:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 29 Jun 2015 05:50:40 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding, Accept-Encoding
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
3)将Curl更新至最新版本7.43.0

nano /etc/yum.repos.d/city-fan-for-curl.repo
有了这份回购协议

[CityFanforCurl]
name=City Fan Repo
baseurl=http://www.city-fan.org/ftp/contrib/yum-repo/rhel7/x86_64/
enabled=0
gpgcheck=0
然后做什么

yum update curl --enablerepo=CityFanforCurl
然后验证curl版本

[root@prod1 yum.repos.d]# curl -V
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.43.0 NSS/3.18 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets Metalink
4)我尝试了这个方法来检查我的卷发是否过时。

[root@prod1 yum.repos.d]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jun 15 18:39:20 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic

[root@prod1 yum.repos.d]# rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

[root@prod1 yum.repos.d]# curl -I http://torrage.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 04:13:17 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://torrage.com/
参考:

我如何解决这个问题?并使用
PHP Curl
从Torrage.com下载文件

*我不能使用文件获取内容,因为我正在使用
curl\u multi
进行同步下载

更新1:

正如steffen ullrich所建议的那样

cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/
curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

[root@prod1 randoadmin]# curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 -I https://torrage.com
HTTP/1.1 200 OK
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 05:54:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 29 Jun 2015 05:50:40 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding, Accept-Encoding
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
但是这就是shell,我如何用
PHP curl
实现它呢

更新2:

我修改了代码并定义了密码,以便在这样使用curl时使用

$ch = curl_init ('https://torrage.com/torrent/640FE84C613C17F663551D218689A64E8AEBEABE.torrent');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_rsa_aes_128_gcm_sha_256');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_VERBOSE,true);
$data = curl_exec($ch);
$error = curl_error($ch);
curl_close ($ch);
echo $error;
echo $data ;
它工作得很好。问题的解决多亏了steffen ullrich

服务器只支持ECC密码(ECDHE-*)。curl的版本是在Redhat/CentOS上使用NSS库构建的。有一个bug报告称Redhat/CentOS会覆盖curl设置和。由于客户端不提供ECC密码,但服务器只支持ECC密码,因此连接将失败

您可以尝试显式地给出密码,即

curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 ...
请注意,升级OpenSSL不会有帮助,因为curl不是用OpenSSL后端构建的。此外,禁用证书验证(无论如何都不是好主意)或更改根CA也没有帮助,因为问题根本与证书验证无关

尝试使用
--ciphers ecdhe_ecdsa_aes_128_sha
显式给出密码,因为解决问题的密码方向正确,但在这种情况下没有帮助,因为这不是服务器支持的密码之一。服务器仅支持各种ECDHE-RSA-*密码,但不支持ECDHE-ECDSA-*密码。有关详细信息,请参阅。

如果您在CentOS 7上,并且在使用yum时遇到这些错误,则更新nss-nss-util-nss-sysinit-nss-tools将修复这些错误。

以上两种方法都不适用于我。我怀疑这和卷曲版本有关<代码>Curl_version()返回7.29,而我在服务器上安装了7.49.1,这可能修复了这些SSL问题

突然我想起了Cloudflare,并禁用了CDN以防万一。Curl开始工作了。然后我切换到PHP7,Curl甚至在Cloudflare CDN开启的情况下也开始工作<代码>Curl_version()开始返回7.49.1

我不知道这是怎么回事,也不知道到底发生了什么,但在不知疲倦地寻找解决方案几个小时后,我发现了这一点。

也有可能进行检查

在unix上(也希望赢):

注意:将“”替换为具有协议的域

将输出定向到test.html,这样我们就只能在屏幕上看到想要的信息

结果:

* Rebuilt URL to: https://www.youtube.com/
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2404:6800:4005:80d::200e...
*   Trying 216.58.221.238...
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.youtube.com (2404:6800:4005:80d::200e) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS Unknown, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv2, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv2, Unknown (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv2, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv2, Unknown (20):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.com
*        start date: 2017-11-29 09:44:32 GMT
*        expire date: 2018-02-21 09:37:00 GMT
*        subjectAltName: www.youtube.com matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*        SSL certificate verify ok.
* SSLv2, Unknown (23):
} [data not shown]
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: www.youtube.com
> Accept: */*
> 
* SSLv2, Unknown (23):
{ [data not shown]
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< X-XSS-Protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Tue, 27 Apr 1971 19:44:06 EST
< Strict-Transport-Security: max-age=31536000
< P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=uk for more info."
< Cache-Control: no-cache
< Date: Tue, 26 Dec 2017 12:26:21 GMT
* Server YouTube Frontend Proxy is not blacklisted
< Server: YouTube Frontend Proxy
< Set-Cookie: YSC=lkUUrudTNJM; path=/; domain=.youtube.com; httponly
< Set-Cookie: PREF=f1=50000000; path=/; domain=.youtube.com; expires=Mon, 27-Aug-2018 00:19:21 GMT
< Set-Cookie: VISITOR_INFO1_LIVE=Qo2rlICrfJM; path=/; domain=.youtube.com; expires=Mon, 27-Aug-2018 00:19:21 GMT; httponly
< Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< 
{ [data not shown]
100   152    0   152    0     0    114      0 --:--:--  0:00:01 --:--:--   114* SSLv2, Unknown (23):
{ [data not shown]
* SSLv2, Unknown (23):
{ [data not shown]
* SSLv2, Unknown (23):
{ [data not shown]
* SSLv2, Unknown (23):

.......... many-other-same-not-interesting-rows .........

{ [data not shown]
* SSLv2, Unknown (23):
{ [data not shown]
100  425k    0  425k    0     0   113k      0 --:--:--  0:00:03 --:--:--  113k
* Connection #0 to host www.youtube.com left intact
在Centos 7或更高版本上,将curl升级到最新版本,即7.29。*为我解决了这个问题。

您是否也升级了openssl软件包?@Ja͢ck没有,我正在尝试。Thanks@Ja͢是的,它已经修好了。刚刚检查过,ref:谢谢你的输入,对我来说理解密码非常重要,但是我正在学习,到目前为止它是在shell上工作的,但是我如何在php curl请求中定义密码呢?thanks@AMB:如果您使用处的文档,您将发现CURLOPT_SSL_CIPHER_列表设置。谢谢,修复了代码及其工作方式。我真的很感激,对我来说,curl_setopt($ch,CURLOPT_SSL_CIPHER_LIST,'ecdhe_rsa_aes_128_gcm_sha_256');这是一个不同的torrent站点,经过大约2个小时的调试,在我的php页面中为curl设置了多个选项,你救了我。非常感谢。如果您在VPS上,并且curl命令行调用给出
curl:(35)无法与对等方安全通信
错误,请尝试上面的yum update,应该会有所帮助。命令是:
yum update nss nss util nss sysinit nss tools
虽然这可能是有价值的信息,但它不是一个答案。答案是:当上述任何操作都不起作用时,请检查Curl version并更新它。如果前天这些有价值的信息出现在这里,它将拯救我两天的生命。在尝试了上述密码和nss更新建议后,它对我起到了作用。这是一个很好的建议,但一般来说,目标网站可能不支持您的测试网站(youtube.com)使用的密码。