This guide describes how to configure HTTPS, TLS certificate validation, and custom CA certificates for the Alibaba Cloud SDK V1.0 for PHP. Use these settings to secure your API calls and manage connections in specific network environments.
Understand the V1.0 SDK defaults
The legacy V1.0 SDK has different default behaviors than V2.0 SDKs:
Default protocol is HTTP: Unlike V2.0 SDKs, the V1.0 SDK defaults to using the insecure HTTP protocol. You must explicitly enable HTTPS for each request.
Certificate validation is on by default: When you enable HTTPS, the SDK automatically validates the server's TLS certificate.
Set the request protocol
Because the SDK defaults to HTTP, you must enable HTTPS on a per-request basis to ensure your data is encrypted in transit.
Generic RPC request (Recommended)
$result = AlibabaCloud::rpc()
->product('Ecs')
->version('2014-05-26')
->action('DescribeRegions')
->regionId('cn-hangzhou')
->scheme('https')
->verify(true)
->request();Specialized request
This style uses product-specific generated classes.
use AlibabaCloud\Ecs\Ecs;
$request = Ecs::v20140526()->describeRegions();
$result = $request
->scheme('https')
->verify(true)
->version('2014-05-26')
->product('Ecs')
->action('DescribeRegions')
->regionId('cn-hangzhou')
->request();Generic ROA request
$result = AlibabaCloud::roa()
->product('CS')
->version('2015-12-15')
->action('DescribeClustersV1')
->pathPattern('/api/v1/clusters')
->regionId('cn-hangzhou')
->options([
'query' => [
],
])
->scheme('https')
->verify(true)
->request();Use the system's CA bundle (Recommended)
Set the request scheme to https and set verify to true. This is the most common and recommended secure configuration.
$result = AlibabaCloud::rpc()
->scheme('https') // Enable HTTPS
->verify(true) // Enable certificate verification using the system's CA bundle
// ... other request parameters
->request();Use a custom CA certificate
If you are in a corporate network that uses a proxy with its own certificate, you may need to provide a custom Certificate Authority (CA) bundle. You can configure this at the request level or the client level.
Request-level configuration
Apply the setting to a single request object. This is useful for requests to specific endpoints that require a special CA.
<?php
use AlibabaCloud\Client\AlibabaCloud;
$request = AlibabaCloud::rpc()
->product('Sts')
->version('2015-04-01')
->action('GenerateSessionAccessKey')
->host('sts.ap-northeast-1.aliyuncs.com');
// Use a custom CA certificate file
$request->verify(['verify' => '/path/to/cert.pem']);
// Use a custom CA certificate file that is password-protected
$request->verify(['verify' => ['/path/to/cert.pem','password']]);Client-level configuration
Apply the setting to the default client to make it apply to all subsequent requests that use that client.
<?php
use AlibabaCloud\Client\AlibabaCloud;
// Use a custom CA certificate file
AlibabaCloud::getDefaultClient()
->verify(['verify' => '/path/to/cert.pem'])
->asDefaultClient();
// Use a custom CA certificate file that is password-protected
AlibabaCloud::getDefaultClient()
->verify(['/path/to/cert.pem','password'])
->asDefaultClient();Disable TLS certificate validation
Disabling certificate validation is a security risk. Only use this option for testing in trusted environments. Never disable certificate validation in production code.
You can disable certificate validation at the client level by setting the verify parameter to False during initialization.
$result = AlibabaCloud::rpc()
->scheme('https')
// This option skips certificate validation for a single API call.
->verify(false)
// ... other request parameters
->request();References
Guzzle Request Options: verify: The underlying HTTP client documentation for certificate verification.