Configure HTTPS, TLS certificate validation, and custom CA certificates for the Alibaba Cloud SDK V1.0 for PHP to secure your API calls and manage connections in specific network environments.
Understand the V1.0 SDK defaults
The legacy V1.0 SDK has different default behaviors than V2.0 SDKs:
-
Default protocol is HTTP: Unlike V2.0 SDKs, the V1.0 SDK defaults to HTTP. You must explicitly enable HTTPS for each request.
-
Certificate validation is on by default: When you enable HTTPS, the SDK automatically validates the server's TLS certificate.
Set the request protocol
The SDK defaults to HTTP, so you must enable HTTPS on each request to encrypt data in transit.
Generic RPC request (Recommended)
$result = AlibabaCloud::rpc()
->product('Ecs')
->version('2014-05-26')
->action('DescribeRegions')
->regionId('cn-hangzhou')
->scheme('https')
->verify(true)
->request();
Specialized request
This style uses product-specific generated classes.
use AlibabaCloud\Ecs\Ecs;
$request = Ecs::v20140526()->describeRegions();
$result = $request
->scheme('https')
->verify(true)
->version('2014-05-26')
->product('Ecs')
->action('DescribeRegions')
->regionId('cn-hangzhou')
->request();
Generic ROA request
$result = AlibabaCloud::roa()
->product('CS')
->version('2015-12-15')
->action('DescribeClustersV1')
->pathPattern('/api/v1/clusters')
->regionId('cn-hangzhou')
->options([
'query' => [
],
])
->scheme('https')
->verify(true)
->request();
Use the system's CA bundle (Recommended)
Set the request scheme to https and set verify to true. This is the recommended secure configuration.
$result = AlibabaCloud::rpc()
->scheme('https') // Enable HTTPS
->verify(true) // Enable certificate verification using the system's CA bundle
// ... other request parameters
->request();
Use a custom CA certificate
If your network uses a proxy with its own certificate, provide a custom Certificate Authority (CA) bundle. You can configure this at the request level or the client level.
Request-level configuration
Apply the setting to a single request. This is useful for endpoints that require a different CA.
<?php
use AlibabaCloud\Client\AlibabaCloud;
$request = AlibabaCloud::rpc()
->product('Sts')
->version('2015-04-01')
->action('GenerateSessionAccessKey')
->host('sts.ap-northeast-1.aliyuncs.com');
// Use a custom CA certificate file
$request->verify(['verify' => '/path/to/cert.pem']);
// Use a custom CA certificate file that is password-protected
$request->verify(['verify' => ['/path/to/cert.pem','password']]);
Client-level configuration
Apply the setting to the default client so that all subsequent requests use the custom CA bundle.
<?php
use AlibabaCloud\Client\AlibabaCloud;
// Use a custom CA certificate file
AlibabaCloud::getDefaultClient()
->verify(['verify' => '/path/to/cert.pem'])
->asDefaultClient();
// Use a custom CA certificate file that is password-protected
AlibabaCloud::getDefaultClient()
->verify(['/path/to/cert.pem','password'])
->asDefaultClient();
Disable TLS certificate validation
Disabling certificate validation is a security risk. Only use this option for testing in trusted environments. Never disable certificate validation in production code.
To skip certificate validation, set the verify parameter to False.
$result = AlibabaCloud::rpc()
->scheme('https')
// This option skips certificate validation for a single API call.
->verify(false)
// ... other request parameters
->request();
References
Guzzle Request Options: verify: The underlying HTTP client documentation for certificate verification.