php curl access https implementation code

/**
 * curl POST
 *
 * @param string url
 * @param array data
 * @param int request timeout
 * @param bool Whether to perform strict authentication during HTTPS
 * @return string
*/
function curlPost($url, $data = array(), $timeout = 30, $CA = true){
< ;p> $cacert = getcwd() . '/cacert.pem'; //CA root certificate
 $SSL = substr($url, 0, 8) == "https://" ? true : false; < /p>
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $url);
 curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
 curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout- 2);
 if ($SSL && $CA) {
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // Only trust certificates issued by CA
 curl_setopt($ch, CURLOPT_CAINFO, $cacert); // CA root certificate ( Check whether the website certificate used to verify is issued by CA)
 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // Check whether the domain name is set in the certificate and whether it matches the provided host name
 } else if ($SSL && !$CA ) {
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Trust any certificate
 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1); // Check whether the domain name is set in the certificate
 }
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:')); //Avoid the problem of too long data
 curl_setopt($ch, CURLOPT_POST, true);
 curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
 / /curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); //data with URLEncode
 $ret = curl_exec($ch);
 //var_dump(curl_error($ch)) ; //View error message
 curl_close($ch);
 return $ret;
}

If the URL address starts with https , then use SSL, otherwise use ordinary HTTP protocol. Is it safe to use HTTPS? In fact, SSL also has different levels of verification. For example, do you need to verify the common name in the certificate? (BTW: Common Name generally means filling in the domain name (domain) or subdomain (sub domain) for which you are going to apply for an SSL certificate.) Need to verify hostname? Do you trust any certificate or only those issued by the CA? If the website's SSL certificate is purchased from a CA (usually more expensive), then you can use stricter authentication when accessing, that is:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // Only trust certificates issued by CA
curl_setopt($ch, CURLOPT_CAINFO, $cacert); // CA root certificate (used to verify whether the website certificate is issued by CA)
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // Check whether the domain name is set in the certificate and whether it matches the provided host name

If the website’s certificate is generated by itself, or If you apply for it from a small online institution, if you use strict authentication when accessing, it will not pass and false will be returned directly. (By the way, when false is returned, you can print curl_error($ch) to view the specific error message.) At this time, you can reduce the verification level according to the situation to ensure normal access, for example:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Trust any certificate
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1); // Check whether the domain name is set in the certificate (0 is okay, that is, the domain name exists Whether it is or not is not verified)

When you usually use a browser to access various https websites, you sometimes encounter a prompt that the certificate is not trusted. In fact, this is because the certificates of these websites are not issued by formal CA organizations. Various browsers on the market have built-in CA root certificate list information. When visiting websites with CA-issued certificates, the certificates of these websites will be verified based on the root certificate, so this prompt will not appear.

Regarding the CA root certificate file, it actually contains the public key certificates of each major CA organization, which is used to verify whether the website's certificate is issued by these organizations. This file comes from mozilla's source tree and is converted into a PEM format certificate file. (Download http://curl.haxx.se/ca/cacert.pem) Finally, let’s talk about something unrelated to SSL: curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:')); Mainly to solve the problem of too long data during POST.