24

I understand that I can set the option on any specific instance; however, what I would really like is to set something up in php.ini or somewhere similar which will handle this across all projects and all instances.

Does anyone know a way for me to accomplish this?

EDIT: I am particularly interested in a solution which will allow for the certificates to be in different locations on different servers.

I am developing on a Windows machine which needs this but deploying to a Linux server which not only doesn't need it but doesn't even have the path indicated.

I understand that I can use conditions to check where the code is running but would prefer to just have it work out of the box. It seems to me that this is really an issue for curl and PHP to handle rather than my code and hence the settings for it belong there.

miken32
YonahW
  • 1
    That's exactly the problem I would like to resolve too. In my case I'm using a framework which has all the curl calls encapsulated deep in its class hierarchy, so that if I need to make it work I would actually need to patch the framework. While this is not that difficult, it has obvious drawbacks and negatives. Therefore the possibility of setting this option from the outside could be very helpful. – jayarjo Jul 11 '10 at 06:30

5 Answers

43

I found the answer here (in the user notes): http://php.net/manual/en/function.curl-setopt.php

Just add this to your .ini (note: you cannot use ini_set, although I don't know why you would want to. Thanks @Carlton):

curl.cainfo=c:\php\cacert.pem

And get that file from: http://curl.haxx.se/docs/caextract.html

Works, and you aren't opening yourself up to MITM attacks.

Matt
  • For those who use HexChat, it also comes with a certificate list (`Hexchat\cert.pem`). The advantage of using it is that it will be auto-updated whenever you update HexChat. –  Mar 13 '16 at 22:55
6
  1. Download cacert.pem and add it to the php folder.
  2. Copy the path to the location of the cacert.pem file.
  3. [curl] curl.cainfo="C:/xampp/php/cacert.pem"
Luca
Mohamed Fanane
6

Here is a patch to 'emulate' what we can see on Linux when valid crt data has been found at build time (which is the case for almost all distros):

http://www.php.net/~pierre/patches/curl_cacert_default.txt

It adds a (system) ini setting to define the path to the cacert: curl.cainfo=c:\curl\ca.crt

cacert data can be fetched here: http://curl.haxx.se/docs/caextract.html

DLL for PHP 5.3 can be found here: http://www.php.net/~pierre/test/curl-5.3-vc9-x86-ts-nts-cainfodefault.zip

DLL for PHP 5.2 can be found here: http://www.php.net/~pierre/test/curl-5.2-cainfodefault.zip

Please let me know how it works.

Pierre
5

@Matt is right, but I would add that curl.cainfo is a PHP_INI_SYSTEM directive, so you must set it in php.ini... using the ini_set function in a script will always return false, as I found out after too many minutes of head banging.

Carlton
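To confirm that the php.ini setting described in the answers above is actually in effect and that the bundle it names is usable, the following added example (not code from any answer on this page) reports the effective `curl.cainfo` value and audits the file it points at. The helper name `audit_ca_bundle` is hypothetical, and the script assumes the openssl extension is loaded.

```php
<?php
// Added example: audit the CA bundle named by php.ini's curl.cainfo.
// audit_ca_bundle() is a hypothetical helper; it requires ext/openssl.
function audit_ca_bundle(string $path): array
{
    $report = ['path' => $path, 'certs' => 0, 'expired' => [], 'errors' => []];
    if (!is_file($path) || !is_readable($path)) {
        $report['errors'][] = 'bundle missing or unreadable';
        return $report;
    }
    // Extract every PEM certificate block from the bundle.
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        (string) file_get_contents($path),
        $blocks
    );
    foreach ($blocks[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            $report['errors'][] = 'unparseable certificate block';
            continue;
        }
        $report['certs']++;
        // A stale bundle shows up as expired roots; refresh it instead of
        // turning certificate verification off.
        if ($info['validTo_time_t'] < time()) {
            $report['expired'][] = $info['name'];
        }
    }
    if ($report['certs'] === 0) {
        $report['errors'][] = 'no certificates found in bundle';
    }
    return $report;
}

$cainfo = (string) ini_get('curl.cainfo');
printf("php.ini in use: %s\n", php_ini_loaded_file() ?: '(none)');
printf("curl.cainfo:    %s\n", $cainfo !== '' ? $cainfo : "(unset; libcurl's built-in default is used)");

// curl.cainfo is PHP_INI_SYSTEM, so show what a runtime override returns.
var_dump(ini_set('curl.cainfo', $cainfo));

if ($cainfo !== '') {
    print_r(audit_ca_bundle($cainfo));
}
```

Run it with the same SAPI that serves the application (CLI and web server can load different php.ini files), once on the Windows development machine and once on the Linux server.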
-1

You could create a wrapper function which sets the option and use php.ini's auto_prepend_file to load the file it's defined in, but your code would have to be changed to use this wrapper function instead.

Example:

function my_curl_init($url=null) {
  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_CAINFO, getcwd().'/cert/ca.crt');
  return $ch;
}
protobuf
  • I should clarify that I am looking for a solution that will allow me to develop locally on Windows where this is needed and deploy to another server where it is not needed. – YonahW Apr 23 '10 at 18:07