cURL Login to HTTPS site

Question

I have been trying to post login credentials to an https site using cURL and PHP with no luck. Everything works fine for unsecured sites but I can't get it with https. I know the headers details that I am posting are correct (although I mocked them up for the sake of this example). Please help.

    <?php
    // Initialize cURL
    $ch = curl_init('https://secured-example.com/auth.asp');

    // Enable HTTP POST
    curl_setopt($ch, CURLOPT_POST, 1);

    // Use SSL 
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); 
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    // Set POST parameters
    curl_setopt($ch, CURLOPT_POSTFIELDS, 'username=myUser&password=myPass');

    // Imitate classic browser's behavior - handle cookies
    curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    // Execute 1st request
    $store = curl_exec($ch);

    // Set file to download
    curl_setopt($ch, CURLOPT_URL, 'https://secured-example.com/file.pdf');

    // Execute 2nd request (file download)
    $content = curl_exec($ch);

    curl_close($ch);

    ?>

Help with what? No code, no error messages, no nothing. I didn't pay the Psychic Hotline bill last month, so I can't read your mind right now... — Marc B, Nov 29 '11 at 21:36
@MarcB: the original code contained his actual password so he made a quick edit. — Tom van der Woerdt, Nov 29 '11 at 21:36
Yeah we need to at least know what `$content` or `$store` is when it fails. — drew010, Nov 29 '11 at 21:37
Try `if ($content === FALSE) { die (curl_error($ch)); }` after your curl_exec() calls, to see if there's something blowing up inside curl. — Marc B, Nov 29 '11 at 21:39

score 4 · Accepted Answer · answered Nov 29 '11 at 21:38

4

Export the certificate.
Upload it to where your script can see it.

Then add:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/path/to/certificateCA.crt");

answered Nov 29 '11 at 21:38

djdy

6,779
6
38
62

What CA cert? Export it from where? – Marc B Nov 29 '11 at 21:40
Go to the site in the browser (FF in my example). Double click the "lock" icon > Security > View Certificate > Details > Export. Save as X.509. – djdy Nov 29 '11 at 21:43
In your example (using FF), which x.509 format would I use? (There are several options in the dropdown) – Jake Sankey Nov 29 '11 at 21:58
No. It's just a blank page like before. – Jake Sankey Nov 29 '11 at 22:02
Is error reporting on? Try throwing the following at the top: error_reporting(E_ALL); ini_set("display_errors", 1); – djdy Nov 29 '11 at 22:04
Ok, I put that in and its still just a white screen. – Jake Sankey Nov 29 '11 at 22:06

score 1 · Answer 2 · answered Nov 29 '11 at 21:45

1

I used this once to connect to a bank account, hope this helps:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, HSBC_LINK1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header); 
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);

$post_data = array('post1' => 'value');

$fields_string = '';
foreach($post_data as $key=>$value) { $fields_string .= $key.'='.$value.'&'; } 
$fields_string = rtrim($fields_string,'&');
curl_setopt($ch, CURLOPT_POST, count($post_data)); 
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);

curl_setopt($ch, CURLINFO_HEADER_OUT, true);
$data1 = curl_exec($ch);

answered Nov 29 '11 at 21:45

Andrei

1,183
2
19
40

Downvote for `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);` – djdy Nov 29 '11 at 21:53
Why, what does it do ? (I can connect using this to HSBC, Chase, and other banks) – Andrei Nov 29 '11 at 21:54
1

It will work, but it makes curl accept any server certificate. This means it does not check CA signatures, and whether they are trusted. – djdy Nov 29 '11 at 21:58

cURL Login to HTTPS site

2 Answers2

Linked