centos 6/7 支持 Paypal TLSv1.2 的更新方法

Paypal 要求TLSv1.2

paypal最近升级要求必须使用 TLSv1.2,按照官方的升级方法和测试,其实并不准确!

官方的升级教程:https://github.com/paypal/TLS-update#php
官方的检测工具:
https://github.com/paypal/TLS-update/blob/master/php/cacert.pem
https://github.com/paypal/TLS-update/blob/master/php/TlsCheck.php

php -f TlsCheck.php
On success:
PayPal_Connection_OK
On failure:
curl_error information

正确的检测

<?php $url = 'https://fancyssl.hboeck.de/'; $protocols = [ 'TLS1.0' => ['protocol' => CURL_SSLVERSION_TLSv1_0, 'sec' => false], 'TLS1.1' => ['protocol' => CURL_SSLVERSION_TLSv1_1, 'sec' => false], 'TLS1.2' => ['protocol' => CURL_SSLVERSION_TLSv1_2, 'sec' => true], 'TLS1.3' => ['protocol' => CURL_SSLVERSION_TLSv1_3, 'sec' => true], ]; foreach ($protocols as $name => $value) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_SSLVERSION, $value['protocol']); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch) !== false; if ($value['sec'] && !$response) { echo "Secure $name not supported =( \n"; } elseif ($value['sec'] && $response) { echo "Ok! Secure $name supported \n"; } elseif (!$value['sec'] && $response) { echo "Insecure $name supported =( \n"; } elseif (!$value['sec'] && !$response) { echo "Ok! Insecure $name not supported\n"; } }

代码来源:https://stackoverflow.com/questions/49186863/php-how-to-see-if-a-server-supports-tls-1-0

升级 PHP CURL扩展

发现 7.19.7 的版本依旧是不能,但是 7.29.0 的版本是可以的。
升级仓,新起一个文件 /etc/yum.repos.d/cityfan.repo

[city-fan.org]
name=city-fan.org repository for Red Hat Enterprise Linux (and clones) $releasever ($basearch)
baseurl=http://mirror.city-fan.org/ftp/contrib/yum-repo/rhel$releasever/$basearch

mirrorlist=http://mirror.city-fan.org/ftp/contrib/yum-repo/mirrorlist-rhel$releasever
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-city-fan.org

执行yum install libcurl 升级完 php_curl 之后,不要忘了重启 php-fpm 以生效。
centos6 可以使用 service php-fpm restart ,centos7 可以用systemctl restart php-fpm
centos6 不标准安装的php-fpm 重启方式

killall php-fpm
/usr/sbin/php-fpm -y /etc/php-fpm.d/www.conf

最后打印一下配置:

[root@vs2 ~]# php -r 'echo json_encode(curl_version(), JSON_PRETTY_PRINT);'
{
    "version_number": 474112,
    "age": 4,
    "features": 3113885,
    "ssl_version_number": 0,
    "version": "7.60.0",
    "host": "x86_64-redhat-linux-gnu",
    "ssl_version": "OpenSSL\/1.0.1e",
    "libz_version": "1.2.3",
    "protocols": [
        "dict",
        "file",
        "ftp",
        "ftps",
        "gopher",
        "http",
        "https",
        "imap",
        "imaps",
        "ldap",
        "ldaps",
        "pop3",
        "pop3s",
        "rtsp",
        "scp",
        "sftp",
        "smb",
        "smbs",
        "smtp",
        "smtps",
        "telnet",
        "tftp"
    ]
[root@vs2 ~]# 
相关文章
相关标签/搜索