I'm debugging an issue that someone is having in accessing a payment gateway using a PHP plugin. The only way he has been able to avoid a 404 error after clicking the Checkout button is by setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0. I know this is bad, but does anyone know why this might be? It seems to be distrusting of the SSL certificate of the payment website...could this just be an issue with his server not trusting certain SSL certificates? The response he is getting from the curl_exec() function is just false when the checks are turned on.

EDIT: So I've seen multiple solutions that say to add something similar to this to my curlopt lines after getting the certificate file:

curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/certificate.cert");

But what if I'm dealing with a bunch of separate customers that are having this issue? That path won't work for everyone. What can I put instead that will apply to each person?

If I can't put a general line, then where would I tell the person to put their certificate file? This would have to be done by their web hosting service, right?

Evan LaHurd

2 Answers

Here is a good answer to your problem: Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)

I suggest analyzing the certificate issued by the payment website.
Is the URL used by the PHP plugin exactly the same as the one specified in the common name field of the certificate?

If you are sure the certificate provided is OK and trusted, you could set the CURLOPT_CAINFO option to trust this certificate and avoid the error: curl_setopt($ch, CURLOPT_CAINFO, 'C:\path\to\curl-ca-bundle.crt');

clagio
  • Would that 3rd parameter be the path to the company's certificate? – Evan LaHurd Jun 21 '13 at 12:38
  • Yes, but it's a local path, so you have to download it somewhere on the PHP server first – clagio Jun 21 '13 at 12:54
  • Where would /etc/pki/tls/certs/ca-bundle.crt be? – Evan LaHurd Jun 21 '13 at 13:05
  • I didn't understand your last question, sorry. To make it simple, connect with your browser to the URL configured in your PHP script (with https), check the certificate, export it, and copy this file to the PHP server in a path of your choice. Then change the third parameter of CURLOPT_CAINFO to the complete path to this file – clagio Jun 21 '13 at 13:12
  • But I can't push those changes because that line wouldn't be applicable to everyone, correct? – Evan LaHurd Jun 21 '13 at 13:48
  • This line will simply tell curl to trust the certificate specified in CURLOPT_CAINFO. If you need to make different curl calls to different https websites, you can change CURLOPT_CAINFO to trust the right certificate before each curl call, or create a single CA file containing all the trusted certificates – clagio Jun 21 '13 at 14:12
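
An added example, not part of the original posts or of the plugin's code: one way to keep both checks enabled without hard-coding a server-specific path is to resolve the CA bundle relative to the plugin's own directory and to return curl's error text instead of a bare `false`. The function names and the `cacert.pem` file name are assumptions made for illustration.

```php
<?php
// Added example. resolve_ca_bundle(), verified_request() and the file name
// cacert.pem are hypothetical names, not part of the plugin or of cURL.

/** Pick a CA bundle that exists on this install, or null to use libcurl's default. */
function resolve_ca_bundle(string $pluginDir): ?string
{
    $candidates = [
        $pluginDir . '/cacert.pem',    // bundle shipped with the plugin (assumed name)
        ini_get('curl.cainfo') ?: '',  // host-wide bundle set in php.ini, if any
    ];
    foreach ($candidates as $path) {
        if ($path !== '' && is_readable($path)) {
            return $path;
        }
    }
    return null; // fall back to the CA store libcurl was built with
}

/** Fetch $url with certificate checks on; report why it failed instead of false. */
function verified_request(string $url, string $pluginDir): array
{
    $bundle = resolve_ca_bundle($pluginDir);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate name must match the host in $url
        CURLOPT_CONNECTTIMEOUT => 10,
    ];
    if ($bundle !== null) {
        $opts[CURLOPT_CAINFO] = $bundle;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    return [
        'ok'        => $body !== false,
        'body'      => $body === false ? null : $body,
        'errno'     => curl_errno($ch),  // non-zero when curl_exec() returned false
        'error'     => curl_error($ch),  // human-readable reason for the failure
        'ca_bundle' => $bundle,
    ];
}

// CLI usage: php this_file.php https://gateway.example/ (placeholder URL)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(verified_request($argv[1], __DIR__));
}
```

Because the path is built from `__DIR__`, the same line works on every customer's server as long as the bundle file is distributed with the plugin.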

Check your SSL certificate here: http://www.digicert.com/help/ I had a similar issue because the certificates hadn't been chained properly.

emilie zawadzki
  • It passes all of the checks on that website...I'm just trying to figure out how to set that certificate for CURLOPT_CAINFO :P – Evan LaHurd Jun 21 '13 at 12:42