PHP uses Socket to obtain the SSL certificate and public key of the website sample code

socket (Computer terminology)

Two programs on the network exchange data through a two-way communication connection. One end of this connection is called a socket.

At least a pair of port numbers (socket) is required to establish a network communication connection. The essence of socket is a programming interface (API), which encapsulates TCP/IP. TCP/IP also provides an interface that programmers can use for network development. This is the Socket programming interface. ; HTTP is the car, providing a specific form of encapsulating or displaying data; Socket is the engine, providing the ability to communicate over the network.

The original English meaning of Socket is "hole" or "socket". As the process communication mechanism of BSD UNIX, the latter meaning is taken. Also commonly called "socket", it is used to describe an IP address and port. It is a handle to a communication chain and can be used to implement communication between different virtual machines or different computers. Hosts on the Internet generally run multiple service software and provide several services at the same time. Each service opens a Socket and is bound to a port. Different ports correspond to different services. Socket is just like its original meaning in English, like a multi-hole socket. A host is like a room filled with various sockets. Each socket has a number. Some sockets provide 220 volt AC power, some provide 110 volt AC power, and some provide cable TV programs. The client software plugs the plugs into sockets with different numbers to get different services.

This article mainly introduces you to the relevant information about PHP using Socket to obtain the SSL certificate and public key of the website. The article provides detailed sample code for your reference and study, which has certain reference and learning value for everyone. , friends who need it can come and take a look below.

Requesting the web page through php curl cannot obtain the certificate information. In this case, you need to use ssl socket to obtain the certificate content. Let’s take a look at the detailed introduction:

Sample code:

// 创建 stream context
$context = stream_context_create([
 'ssl' => [
  'capture_peer_cert' => true,
  'capture_peer_cert_chain' => true,
 ],
]);
 
$resource = stream_socket_client("ssl://$domain:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
$cert = stream_context_get_params($resource);
 
$ssl = $cert['options']['ssl'];
$resource = $ssl['peer_certificate'];
 
// 网站证书中只有公钥，通过 openssl_pkey_get_details 导出公钥
 
$ret = [
 'crt' => '',
 'pub' => '',
];
 
$pkey = openssl_pkey_get_public($resource);
$ret['pub'] = openssl_pkey_get_details($pkey)['key'];
 
openssl_x509_export($resource, $pem);
$ret['crt'] = $pem;
 
foreach ($ssl['peer_certificate_chain'] as $resource)
{
 openssl_x509_export($resource, $pem);
 $ret['crt'] .= "\n" . $pem;
}
 
// 保存 $ret['crt'] 为 domain.crt
// 保存 $ret['pub'] 为 domain.pub
 
return $ret;

Verify whether the public key A in the certificate is correct, and export the public key through the private key Key B, compare the two and find they are consistent.

$domain = 'blog.zhengxianjun.com';
$port = '443';
// ...
$pub_a = $ret['pub'];
 
$private_key_path = '/conf/ssl/blog.zhengxianjun.com.key';
 
// 证书没有设置密码，$passphrase 为空字符串
$pkey = openssl_pkey_get_private(file_get_content($private_key_path), $passphrase = '');
$pub_b = openssl_pkey_get_details($pkey)['key'];
 
// 两者一致
var_dump($pub_a === $pub_b);

Function Another use of stream_socket_client is to obtain the domain name that the server may be able to use when the server IP is known.

$resource = stream_socket_client("ssl://$ip:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
$cert = stream_context_get_params($resource);
 
// 解析 X.509 格式证书
$info = openssl_x509_parse($cert['options']['ssl']['peer_certificate']);
 
// 获取证书中的可信域名列表
$domain = str_replace('DNS:', '', $info['extensions']['subjectAltName']);

As you can see above, obtaining the website certificate does not allow you to obtain the private key.

In some sites that use CDN, if you use HTTPS and want to use your own domain name, do you need to provide your private key to the CDN vendor? In fact, the certificate path and the user name (domain name that supports https) do not need to be consistent.

That is, when using your own domain name and performing CDN acceleration, you do not need to use your own SSL certificate. You only need to add your own CDN domain name to the domain name list of the manufacturer's certificate.

The above is the detailed content of PHP uses Socket to obtain the SSL certificate and public key of the website sample code. For more information, please follow other related articles on the PHP Chinese website!