PHP のfopen()関数を使用して HTTPS Web サイトからデータを取得する場合、それは安全な HTTPS 接続と呼ばれるものです。つまり、中間者攻撃や盗聴攻撃に対する保護を提供しますか?
1 に答える
5
Not by default, no.
It will always provide some form of protection against simple eavesdropping attacks as the data will always be encrypted (as long as the SSL server you are connecting to allows at least one encrypted cipher to be used - yes, null-encryption ciphers are allowed in HTTPS connections :roll-eyes:) However, by default, it will not protect against man-in-the-middle as it doesn't validate the server's certificates, therefore you cannot have any confidence that you have connected to the intended server.
Certificate validation can be switched on. To do so, you will need to provide a root certificate bundle and use the fourth argument to fopen that allows you to specify a stream context. The stream context allows you to modify the behaviour of the stream. The example below switches causes certificates to be validated against the root certificates in the specified bundle file.
$context = stream_context_create( array(
'ssl' => array(
'cafile' => 'ca_bundle.crt',
'verify_peer' => true
)
));
$file = fopen( $url, 'r', false, $context );
于 2012-05-24T08:59:19.123 に答える