php curl ssl verify - php

I am developing some software in PHP, using curllib to connect to Amazon, PayPal and WeChat. I want to verify the cert, and I found some params related to this:
CURLOPT_SSL_VERIFYPEER: I think if you want to verify the SSL cert, this param should be set to true;
but I am confused about CURLOPT_CAINFO and
curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM');
curl_setopt($ch, CURLOPT_SSLCERT, $sslCertPath);
curl_setopt($ch, CURLOPT_SSLKEYTYPE, 'PEM');
curl_setopt($ch, CURLOPT_SSLKEY, $sslKeyPath);
When should I set CURLOPT_CAINFO, and when should I set the following 4 params?
I think CURLOPT_CAINFO is a param to make sure Amazon is Amazon and PayPal is PayPal;
the following 4 params are to confirm I am the real me; Amazon can confirm that by these 4 params.
Am I correct?
And I don't know how to get the CA for CURLOPT_CAINFO, because I think if I want to confirm Amazon is Amazon, verifying the cert that Amazon sends me should be enough; why should I send a CA to Amazon?

Try this if you want to use CURLOPT_SSL_VERIFYPEER:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, __DIR__ . '/cacert.pem');
Download cacert.pem here: https://curl.haxx.se/docs/caextract.html

Usually, when you receive a certificate from a website, it contains the website's own certificate plus the intermediate certificate (the one that signed/issued the website's certificate). In order to verify them both, you must have a list of root certificates (CA is abbreviated from Certificate Authority) which is called a "CA bundle" and usually lives at /etc/ssl/certs/ca-bundle.crt. The intermediate certificate (there can be more than one intermediate certificate; each of them will/must be signed by the next one up in the chain) must be signed by a root certificate in order to be trusted.
So the purpose of CURLOPT_CAINFO is to allow you to specify the pathname of ca-bundle.crt if it cannot be found automatically by cURL, or if you want to check against your custom root certificate(s).
The purpose of CURLOPT_SSLCERT and CURLOPT_SSLKEY is to present a client certificate (as opposed to a server one) so that the server can verify your identity (usually used for online banking so that you can sign your transactions); most probably you do not need these in your use case.
The purpose of CURLOPT_SSL_VERIFYPEER is for you to be able to force cURL to skip verification of the server certificate - in case your CA bundle is not up to date or missing at all.

So after downloading this cacert.pem file into your project, in PHP you can now do this:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/cacert.pem");
Alternatively, this can be set globally by adding the following to your php.ini
curl.cainfo=/path/to/cacert.pem
Hope this helps you.
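The two option groups the question asks about, put side by side in one helper. This is an added example, not code from any of the answers above: it always verifies the server (CURLOPT_CAINFO with CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST) and only presents a client certificate (CURLOPT_SSLCERT/CURLOPT_SSLKEY) when the remote API has actually issued you one. The URL and file paths are placeholders; the function names are mine; it assumes PHP 8 (the CurlHandle type).

```php
<?php
// Added example, not from the original answers. Server verification is always on;
// the client certificate options are only set when mutual TLS is requested.
// The endpoint URL and all file paths below are placeholders.

declare(strict_types=1);

/**
 * @param string      $url        HTTPS endpoint
 * @param string      $caBundle   path to the Mozilla CA bundle (cacert.pem)
 * @param string|null $clientCert path to YOUR certificate (PEM); only for mutual TLS
 * @param string|null $clientKey  path to the matching private key (PEM)
 */
function makeVerifiedHandle(string $url, string $caBundle, ?string $clientCert = null, ?string $clientKey = null): CurlHandle
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse to follow a downgrade to plain HTTP
        CURLOPT_SSL_VERIFYPEER => true,             // check the server's chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,                // check that the name in the cert matches the host
        CURLOPT_CAINFO         => $caBundle,        // "is Amazon really Amazon?"
    ]);
    if ($clientCert !== null) {
        // "am I really me?" -- only needed when the provider gave you a client certificate
        if ($clientKey === null || !is_readable($clientCert) || !is_readable($clientKey)) {
            throw new RuntimeException('mutual TLS needs a readable certificate and key');
        }
        curl_setopt_array($ch, [
            CURLOPT_SSLCERTTYPE => 'PEM',
            CURLOPT_SSLCERT     => $clientCert,
            CURLOPT_SSLKEYTYPE  => 'PEM',
            CURLOPT_SSLKEY      => $clientKey,
        ]);
    }
    return $ch;
}

/** Turn the cURL error codes this page keeps running into into actionable messages. */
function explainTlsError(int $errno, string $error): string
{
    switch ($errno) {
        case 0:
            return 'ok';
        case CURLE_SSL_CACERT:            // 60: chain could not be verified with the CA bundle
            return "server chain not trusted by the CA bundle (is it up to date?): $error";
        case CURLE_SSL_PEER_CERTIFICATE:  // 51: peer certificate rejected (older libcurl uses this)
            return "peer certificate rejected: $error";
        case 77:                          // CURLE_SSL_CACERT_BADFILE: the CURLOPT_CAINFO file itself is unusable
            return "problem reading the CA bundle itself: $error";
        default:
            return "cURL error $errno: $error";
    }
}

function fetch(string $url, string $caBundle, ?string $clientCert = null, ?string $clientKey = null): string
{
    $ch    = makeVerifiedHandle($url, $caBundle, $clientCert, $clientKey);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException(explainTlsError($errno, $error));
    }
    return $body;
}

// Server-only verification: what an Amazon/PayPal/WeChat style API normally needs.
echo fetch('https://api.example.com/ping', __DIR__ . '/cacert.pem');

// Mutual TLS: only when the provider issued you a client certificate.
// echo fetch('https://api.example.com/ping', __DIR__ . '/cacert.pem',
//            '/etc/myapp/client.pem', '/etc/myapp/client-key.pem');
```

The split answers the question directly: CURLOPT_CAINFO is the set of roots you trust to vouch for the server and never leaves your machine, while CURLOPT_SSLCERT/CURLOPT_SSLKEY are your own credential and are only sent when the server asks for one.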

Related

Cannot identify local issuer

I'm getting this error:
SSL problem: can't identify local issuer
once I call the function to save an image or retrieve a user's Facebook image:
file_get_contents()
What I've done is:
I have my website running on Azure *.azurewebsites.com
I added my custom domain and ssl certificate which were both bought from GoDaddy
I created Certificate Signing Request (CSR) (which GoDaddy asked for) using OpenSSL on my Mac
Signed it with it and downloaded it to get a .p7b file and a .crt file
I added the .crt file to Azure and everything works fine, my custom domain now has the lock beside it
So after those steps, logging in with Facebook got that error too, so I did a temporary fix:
curl_setopt($rest, CURLOPT_SSL_VERIFYPEER, false);
This is not recommended of course, but it allows me to test the rest of the site. The error still occurred but only when invoking file_get_contents(). I've tried these fixes from what I've seen scouring around:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/cacert/cacert.pem");
But no dice. Can someone explain exactly what the error means and also how to combat it? That'd be great. Also, this might be due to creating my Certificate Signing Request with OpenSSL... not sure. Please confirm.
curl_setopt flags work only with the handle you're passing to those calls. file_get_contents has no idea about the CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST flags.
Change file_get_contents to curl calls.
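The reason curl_setopt has no effect here is that file_get_contents() goes through PHP's https:// stream wrapper, which takes its TLS settings from a stream context (or from the openssl.cafile ini setting), not from the curl extension. As an added example, not part of the answer above, this keeps file_get_contents() but gives the wrapper the same verification settings the cURL snippets on this page use. The URL and bundle path are placeholders and the function name is mine.

```php
<?php
// Added example, not from the original answer. file_get_contents() uses the
// https:// stream wrapper; its CA file and verification switches live in a stream
// context. The URL and the bundle path are placeholders.

declare(strict_types=1);

function fetchVerified(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ctx = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,       // stream-wrapper counterpart of CURLOPT_SSL_VERIFYPEER
            'verify_peer_name'  => true,       // counterpart of CURLOPT_SSL_VERIFYHOST = 2
            'allow_self_signed' => false,
            'cafile'            => $caBundle,  // counterpart of CURLOPT_CAINFO
        ],
        'http' => ['timeout' => 10],
    ]);

    // Suppress the warning and surface the wrapper's own error text instead.
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('https fetch failed: ' . ($err['message'] ?? 'unknown error'));
    }
    return $body;
}

// Process-wide alternative for every https:// stream, set in php.ini (not per handle):
//   openssl.cafile = /path/to/cacert.pem
// Note that curl.cainfo only affects the curl extension, not this wrapper.

echo strlen(fetchVerified('https://example.com/', __DIR__ . '/cacert.pem')), " bytes\n";
```

The "can't identify local issuer" text in the question is OpenSSL reporting that it could not find the issuing CA of the server's chain in whatever trust store the wrapper was using; giving it an explicit, current bundle through cafile fixes that without touching curl at all.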

Curl error 60, SSL certificate issue: self signed certificate in certificate chain

I try to send a curl request with my correct APP_ID, APP_SECRET etc. to
https://oauth.vk.com/access_token?client_id=APP_ID&client_secret=APP_SECRET&code=7a6fa4dff77a228eeda56603b8f53806c883f011c40b72630bb50df056f6479e52a&redirect_uri=REDIRECT_URI
I need to get the access_token from it, but I get FALSE, and curl_error() prints this message:
60: SSL certificate problem: self signed certificate in certificate chain
My code is:
function fetchToken($url) {   // $url is the access_token URL shown above
    // create curl resource
    $ch = curl_init();
    // set url
    curl_setopt($ch, CURLOPT_URL, $url);
    // return the transfer as a string
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // $output contains the output string
    $output = curl_exec($ch);
    if ( ! $output) {
        print curl_errno($ch) .': '. curl_error($ch);
    }
    // close curl resource to free up system resources
    curl_close($ch);
    return $output;
}
When I open the link above manually, I get the access_token fine. Why doesn't it work with curl? Help, please.
Answers suggesting to disable CURLOPT_SSL_VERIFYPEER should not be accepted. The question is "Why doesn't it work with cURL", and as correctly pointed out by Martijn Hols, it is dangerous.
The error is probably caused by not having an up-to-date bundle of CA root certificates. This is typically a text file with a bunch of cryptographic signatures that curl uses to verify a host’s SSL certificate.
You need to make sure that your installation of PHP has one of these files, and that it’s up to date (otherwise download one here: http://curl.haxx.se/docs/caextract.html).
Then set in php.ini:
curl.cainfo = <absolute_path_to> cacert.pem
If you are setting it at runtime, use (where $ch = curl_init();):
curl_setopt ($ch, CURLOPT_CAINFO, dirname(__FILE__)."/cacert.pem");
This workaround is dangerous and not recommended:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
It's not a good idea to disable SSL peer verification. Doing so might expose your requests to MITM attackers.
In fact, you just need an up-to-date CA root certificate bundle. Installing an updated one is as easy as:
Downloading up-to-date cacert.pem file from cURL website and
Setting a path to it in your php.ini file, e.g. on Windows:
curl.cainfo=c:\php\cacert.pem
That's it!
Stay safe and secure.
If the SSL certificates are not properly installed in your system, you may get this error:
cURL error 60: SSL certificate problem: unable to get local issuer certificate.
You can solve this issue as follows:
Download a file with the updated list of certificates from https://curl.haxx.se/ca/cacert.pem
Move the downloaded cacert.pem file to some safe location in your system
Update your php.ini file and configure the path to that file:
Important: This issue drove me crazy for a couple of days and I couldn't figure out what was going on with my curl & openssl installations. I finally figured out that it was my intermediate certificate (in my case, GoDaddy) which was out of date. I went back to my GoDaddy SSL admin panel, downloaded the new intermediate certificate, and the issue disappeared.
I'm sure this is the issue for some of you.
Apparently, GoDaddy had changed their intermediate certificate at some point, due to security issues, as they now display this warning:
"Please be sure to use the new SHA-2 intermediate certificates included in your downloaded bundle."
Hope this helps some of you, because I was going nuts and this cleaned up the issue on ALL my servers.
To add a more specific answer, I ran into this when using Guzzle v7, the PHP HTTP request package. Guzzle allows you to bypass this like so:
use GuzzleHttp\Client;
$this->client = new Client([
'verify' => false,
]);
Original source comment: https://github.com/guzzle/guzzle/issues/1490#issuecomment-375667460
Error: SSL certificate problem: self signed certificate in certificate chain
Solution:
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_FAILONERROR, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
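Several answers above trace error 60 to a stale or missing CA bundle. Here is the check a practitioner would run before touching CURLOPT_SSL_VERIFYPEER: an added example, not from any of the answers, that opens the bundle curl.cainfo (or CURLOPT_CAINFO) points at, counts its certificates, lists any that are already expired, and reads the date line that curl's cacert.pem carries in its header. The bundle path is a placeholder and the function names are mine.

```php
<?php
// Added example, not from the original answers: a health check for the CA bundle
// behind CURLOPT_CAINFO / curl.cainfo. Catches a stale or truncated bundle before
// it surfaces as "cURL error 60" in production. Path is a placeholder.

declare(strict_types=1);

/** Split a PEM bundle into its individual certificate blocks. */
function pemBlocks(string $bundle): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $bundle, $m);
    return $m[0];
}

function checkBundle(string $path): array
{
    $bundle = file_get_contents($path);
    if ($bundle === false) {
        throw new RuntimeException("cannot read $path");
    }
    $report = ['path' => $path, 'as_of' => null, 'total' => 0, 'expired' => [], 'unparseable' => 0];

    // curl.se's cacert.pem begins with a header line of the form
    // "## Certificate data from Mozilla as of: <date>"; bundles from other sources may not.
    if (preg_match('/^## Certificate data from Mozilla as of: (.+)$/m', $bundle, $m)) {
        $report['as_of'] = trim($m[1]);
    }

    $now = time();
    foreach (pemBlocks($bundle) as $pem) {
        $report['total']++;
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            $report['unparseable']++;   // corrupted block: curl may reject the whole file (error 77)
            continue;
        }
        if ($info['validTo_time_t'] < $now) {
            $report['expired'][] = $info['subject']['CN'] ?? $info['name'];
        }
    }
    return $report;
}

// Where will the curl extension look? A runtime CURLOPT_CAINFO overrides the ini value.
$path = ini_get('curl.cainfo') ?: __DIR__ . '/cacert.pem';
$r = checkBundle($path);
printf("%s: %d certificates, bundle dated %s, %d expired, %d unparseable\n",
    $r['path'], $r['total'], $r['as_of'] ?? 'unknown', count($r['expired']), $r['unparseable']);
foreach ($r['expired'] as $cn) {
    echo "  expired root: $cn\n";
}
```

A bundle with zero certificates, many expired roots, or a date years in the past explains a "self signed certificate in certificate chain" or "unable to get local issuer certificate" failure without any change to the client code. For the Guzzle case mentioned above, the same bundle is passed as 'verify' => '/path/to/cacert.pem' in the client options, which keeps verification on instead of the 'verify' => false bypass.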

Source of PEM files for web service access

I should have paid more attention to my classes that covered security. I'm quite confused about something. To start, here's the background of what I'm trying to accomplish.
I have a web service that I need to access. The web service is set up as HTTPS. The traffic between client and server is encrypted (this doesn't have to do with authentication).
I'm interacting with the web service via cURL and PHP. I've gotten an example to work locally over HTTP and I'm fairly confident I'm on the right track with regards to cURL/PHP side of things.
When using the HTTP version of the code to access a web service over HTTPS, I am getting an error code 60 "SSL certificate problem, verify that the CA cert is OK" (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
From my reading, it seems that I need a PEM file and I need to set additional cURL options such as the following:
CURLOPT_CAINFO
CURLOPT_SSLCERT
CURLOPT_SSLKEYPASSWD
My question is how do I know where to get the PEM file or whether I can simply make it? This is probably going to be an obvious answer as I'm sure I'm missing something but I figure I just need to ask and get the background I'm missing.
Amendment: The web service is using a certificate signed by VeriSign. So it's not a self signed certificate. Also, the web service is owned and operated by an external organization.
Thanks.
Despite googling around prior to asking this, it seems I've stumbled upon the answer after a bit of back-and-forth with 'thatidiotguy' (his user name, not my name for him. ;-) ).
cURL, out of the box, does not trust any CA (VeriSign or otherwise). This needs to be set up on your server. To "solve" the problem, you have two options. You can bypass the verification with the following command:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Note that this is not optimal with regards to security. Any certificate, signed by a CA or not, will be accepted as trusted.
The proper fix involves getting the original certificate (in my case this means the web service) and "exporting" the certificate as an X.509 Certificate (PEM). The certificate then needs to be appropriately moved to the server and the following configurations set:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); //Check that the common name exists and that it matches the host name of the server
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/path/to/cert/my-exported.crt"); //PEM file
Source: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
The answer is very simple. You need to download a certificate bundle, one that also ships with regular browsers.
Luckily that work is already done for you here:
http://curl.haxx.se/docs/caextract.html
Once downloaded you specify the path to this file with CURLOPT_CAINFO.
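Before pointing CURLOPT_CAINFO at a certificate exported by hand, as the first answer suggests, it is worth checking what that file actually is. The following added example (mine, not from the answers or the linked article) parses the exported PEM and reports whether it is a root CA, an intermediate CA, or the service's own end-entity certificate, how long it remains valid, and, where the certificate carries an Authority Information Access extension, the URL at which the issuing CA's certificate is published. The file path is a placeholder and the function name is mine; it assumes PHP 8.

```php
<?php
// Added example, not from the original answer: inspect a hand-exported
// certificate before trusting it via CURLOPT_CAINFO. Path is a placeholder.

declare(strict_types=1);

function describeCertificate(string $pemPath): array
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("cannot read $pemPath");
    }
    $x = openssl_x509_parse($pem);
    if ($x === false) {
        // Browsers also offer DER ("binary X.509") exports; openssl_x509_parse needs PEM.
        throw new RuntimeException("$pemPath is not a PEM-encoded X.509 certificate");
    }

    $ext = $x['extensions'] ?? [];

    // The AIA extension usually says where the issuing CA's certificate can be fetched.
    $caIssuersUri = null;
    if (isset($ext['authorityInfoAccess'])
        && preg_match('/CA Issuers - URI:(\S+)/', $ext['authorityInfoAccess'], $m)) {
        $caIssuersUri = $m[1];
    }

    return [
        'subject'        => $x['subject']['CN'] ?? $x['name'],
        'issuer'         => $x['issuer']['CN'] ?? ($x['issuer']['O'] ?? '?'),
        'self_signed'    => $x['subject'] === $x['issuer'],
        'is_ca'          => str_contains($ext['basicConstraints'] ?? '', 'CA:TRUE'),
        'days_left'      => intdiv($x['validTo_time_t'] - time(), 86400),
        'ca_issuers_uri' => $caIssuersUri,
    ];
}

$d = describeCertificate(__DIR__ . '/my-exported.crt');
printf("subject: %s\nissuer:  %s\nvalid for another %d days\n", $d['subject'], $d['issuer'], $d['days_left']);
if ($d['self_signed'] && $d['is_ca']) {
    echo "root CA certificate: usable as a trust anchor on its own\n";
} elseif ($d['is_ca']) {
    echo "intermediate CA: its own issuer ({$d['issuer']}) must also be trusted\n";
} else {
    echo "end-entity (server) certificate: verification breaks as soon as the service renews it;\n";
    echo "trust its issuer, or the public bundle, instead\n";
    if ($d['ca_issuers_uri'] !== null) {
        echo "the issuer's certificate is published at {$d['ca_issuers_uri']}\n";
    }
}
```

For a VeriSign-issued service, as in the question, the report will show an end-entity certificate whose issuer is a public CA already present in the Mozilla bundle, which is why the second answer's approach (download the bundle, set CURLOPT_CAINFO) is the one that keeps working after the service renews its certificate.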

Are SSL Certificates personal or global?

I'm wondering, if I export the certificate of a website, will it get exported with some of my personal info?
Basically I'm working on a cURL script and other people are gonna use it too so the following would not be the best option:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
So I came across a guide on how to verify the certificate, and it says I need to export it and attach these lines to my code:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");
Now the problem is I don't really know how this thing works: is it safe to export a certificate and let others use cURL with it, or does the certificate contain some of my own info (users/password/activity etc.) when exported through my browser?
SOLVED: This is the guide I was using, for those who find this topic later: LINK, and the certificate I was talking about is from Facebook.
:)
That depends. Server HTTPS certificates are global, and so are CA certificates (which is what you seem to be after). These are used by the client to verify that it's talking to the correct server securely.
On the other hand, it is possible for the server to verify a client-side certificate, to verify "who is the user" (that does not seem to be the case here).

Not hacking CurlException: 60 (cURL SSL Certificate Verification)

The error that a lot of people get with Facebook authentication is:
CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
And the only information I can find about it suggest to add the following lines of code to curl:
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
I know this works, but what is going on here?
Isn't there any server setting/configuration that can be changed instead of hacking up facebook.php?
What It Does & Meaning:
The following code tells cURL NOT to verify that security certificates are correct. Hence, the error disappears.
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
When you connect to a remote server with SSL, their certificate might be invalid, expired, or not signed by a recognized CA. cURL normally checks it.
CURLOPT_SSL_VERIFYHOST:
1: to check the existence of a common name in the SSL peer certificate.
2: to check the existence of a common name and also verify that it matches the hostname provided.
CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
How to Enable & Verify Correctly:
To verify correctly, we need to verify that the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonably* trust.
If the remote resource is protected by a certificate issued by one of the main CAs like Verisign, GeoTrust et al., you can safely compare against Mozilla's CA certificate bundle, which you can get from http://curl.haxx.se/docs/caextract.html
Save the file cacert.pem somewhere in your server and set the following options in your script.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.
In my case, I could not use curl_setopt, because I could not edit the Facebook API classes (conditions of the project I was working on).
I solved the problem by adding path to cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html to my php.ini
[curl]
curl.cainfo = "c:\wamp\cacert.pem"
I just had the same problem, and disabling peer verification is not acceptable in my case.
I updated the fa_ca_chain_bundle.crt file (from Facebook's GitHub) and it works now.
Regards,
Marek
