
I have always turned off CURLOPT_SSL_VERIFYPEER in curl but I really want to upgrade wherever my php/centos/curl checks its certs at. I have CENTOS 4.7 i686, PHP 5.2.16.

I got a nice bundle from stripe.com: https://pastebin.com/raw.php?i=NZE2CuVJ

How do I "install" this to where I don't even need to use

curl_setopt($curl, CURLOPT_CAINFO, 'ca-certificates.crt');
MrPHP
  • Similar http://stackoverflow.com/a/3014070/579706 but no instructions – MrPHP Apr 11 '12 at 08:32
  • Another nice bundle http://curl.haxx.se/ca/cacert.pem – MrPHP Apr 11 '12 at 10:09
  • You're now famous for your bad use of SSL. See [this security research paper](http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf) (bottom of page 9) where you are quoted. – dolmen Oct 25 '12 at 22:41
  • Hahaha well I was on here to fix my mistake BUT my stack sucks and WILL NOT take a new bundle. So instead of repeating me, tell me how to fix it. Maybe instead of reading a paper, I could have fixed it. I can't verify them until I get a new updated bundle installed. – MrPHP Oct 26 '12 at 02:13

1 Answer


Save the bundle as "certificates.pem", and put it on your webserver. Then use

curl_setopt($curl, CURLOPT_CAINFO, '/link/to/directory/certificates.pem');

to load the list of certificates. Also, make sure you're connecting to the right domain. www.domain.com might have a valid certificate, but domain.com might not.

More information: https://serverfault.com/questions/325120/curl-ssl-issue-with-rapidssl-certificates

Destralak
  • Thank you but I'm trying to avoid editing the class I'm using in case of updates. – MrPHP Apr 11 '12 at 10:10
  • Then this might help you: http://serverfault.com/questions/151157/ubuntu-10-04-curl-how-do-i-fix-update-the-ca-bundle – Destralak Apr 11 '12 at 10:18
  • If you can clarify what's not working for you, I can try to help you again. – Destralak Apr 12 '12 at 07:44
  • You may also use the curl.cainfo=/path/to/ca-bundle.crt option in php.ini to avoid doing curl_setopt in every application (and make it server independent) – WayFarer Nov 26 '12 at 12:29
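
An added example (not code from the question, the answer or the comments): a small wrapper that takes the bundle from the `curl.cainfo` php.ini setting mentioned in the last comment, falls back to an explicit file as in the answer, and fails closed when neither is usable instead of turning verification off. The bundle path and URL are placeholders, and `resolve_ca_bundle` and `verified_get` are hypothetical helper names; the fallback exists because `ini_get('curl.cainfo')` returns nothing usable on PHP builds that lack that setting.

```php
<?php
// Added example. Paths, URL and function names are assumptions, not from the page.
// Written without closures or short array syntax so it also runs on old PHP 5.x.

// Pick the CA bundle: php.ini curl.cainfo if set, otherwise the fallback path.
// Returns null when no readable PEM bundle is found.
function resolve_ca_bundle($fallback)
{
    $candidates = array(ini_get('curl.cainfo'), $fallback);
    foreach ($candidates as $path) {
        // ini_get() yields false or '' when the setting is missing or empty.
        if (!is_string($path) || $path === '' || !is_readable($path)) {
            continue;
        }
        // A usable bundle contains at least one PEM certificate block.
        $pem = file_get_contents($path);
        if ($pem !== false && strpos($pem, '-----BEGIN CERTIFICATE-----') !== false) {
            return $path;
        }
    }
    return null;
}

// GET a URL with certificate chain and host name verification enabled.
function verified_get($url, $fallbackBundle)
{
    $bundle = resolve_ca_bundle($fallbackBundle);
    if ($bundle === null) {
        // Fail closed: never fall back to CURLOPT_SSL_VERIFYPEER = false.
        return array('ok' => false, 'error' => 'no readable CA bundle');
    }
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true); // validate the chain against the bundle
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);    // certificate name must match the host
    curl_setopt($curl, CURLOPT_CAINFO, $bundle);
    $body = curl_exec($curl);
    if ($body === false) {
        // Surface the TLS failure (bad chain, name mismatch) to the caller.
        return array('ok' => false, 'error' => curl_errno($curl) . ': ' . curl_error($curl));
    }
    return array('ok' => true, 'body' => $body);
}

// Placeholder URL and bundle location.
$r = verified_get('https://www.example.com/', '/path/to/certificates.pem');
echo $r['ok'] ? "certificate verified\n" : "TLS check failed: {$r['error']}\n";
```

Requesting both `www.` and bare forms of a host through this wrapper shows the name mismatch case the answer warns about as a curl error rather than a silent success.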