PHP uses Socket to obtain the SSL certificate and public key description of the website

This article mainly introduces you to the relevant information about PHP using Socket to obtain the SSL certificate and public key of the website. The article provides detailed sample code for your reference and study. It has certain reference and learning value for everyone. It is needed Friends, let’s take a look together.

Requesting the web page through php curl cannot obtain the certificate information. In this case, you need to use ssl socket to obtain the certificate content. Let’s take a look at the detailed introduction:

Sample code:

// 创建 stream context
$context = stream_context_create([
 'ssl' => [
  'capture_peer_cert' => true,
  'capture_peer_cert_chain' => true,
 ],
]);
 
$resource = stream_socket_client("ssl://$domain:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
$cert = stream_context_get_params($resource);
 
$ssl = $cert['options']['ssl'];
$resource = $ssl['peer_certificate'];
 
// 网站证书中只有公钥，通过 openssl_pkey_get_details 导出公钥
 
$ret = [
 'crt' => '',
 'pub' => '',
];
 
$pkey = openssl_pkey_get_public($resource);
$ret['pub'] = openssl_pkey_get_details($pkey)['key'];
 
openssl_x509_export($resource, $pem);
$ret['crt'] = $pem;
 
foreach ($ssl['peer_certificate_chain'] as $resource)
{
 openssl_x509_export($resource, $pem);
 $ret['crt'] .= "\n" . $pem;
}
 
// 保存 $ret['crt'] 为 domain.crt
// 保存 $ret['pub'] 为 domain.pub
 
return $ret;

Verify whether the public key A in the certificate is correct, and export the public key through the private key Key B, compare the two and find they are consistent.

$domain = 'blog.zhengxianjun.com';
$port = '443';
// ...
$pub_a = $ret['pub'];
 
$private_key_path = '/conf/ssl/blog.zhengxianjun.com.key';
 
// 证书没有设置密码，$passphrase 为空字符串
$pkey = openssl_pkey_get_private(file_get_content($private_key_path), $passphrase = '');
$pub_b = openssl_pkey_get_details($pkey)['key'];
 
// 两者一致
var_dump($pub_a === $pub_b);

Function Another use of stream_socket_client is to obtain the domain name that the server may be able to use when the server IP is known.

$resource = stream_socket_client("ssl://$ip:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
$cert = stream_context_get_params($resource);
 
// 解析 X.509 格式证书
$info = openssl_x509_parse($cert['options']['ssl']['peer_certificate']);
 
// 获取证书中的可信域名列表
$domain = str_replace('DNS:', '', $info['extensions']['subjectAltName']);

As you can see above, obtaining the website certificate does not allow you to obtain the private key.

In some sites that use CDN, if you use HTTPS and want to use your own domain name, do you need to provide your private key to the CDN vendor? In fact, the certificate path and the user name (domain name that supports https) do not need to be consistent.

That is, when using your own domain name and performing CDN acceleration, you do not need to use your own SSL certificate. You only need to add your own CDN domain name to the domain name list of the manufacturer's certificate.

The above is the detailed content of PHP uses Socket to obtain the SSL certificate and public key description of the website. For more information, please follow other related articles on the PHP Chinese website!