11

I would like to keep my root certificates current for use with cURL and PHP's internal curl command, however there is no parameter currently to download the current file it requires for a proper secure connection and to keep it current.

And example of using curl in PHP for a secure connection which requires a file named cacert.pem (PEM encoded certificate chain for validating remote connections) is as follows :

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.google.com");
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
if (!($data = curl_exec($ch))) {
    echo "No data received";
} else {
    echo strlen($data) + " total byte(s)";
}
curl_close($ch);

While most people simply set CURLOPT_SSL_VERIFYPEER to false, and thus ignore the problem, which is bad . You can see here where a certificate authority shows that if you do not have this file current, the only way to connect to a secure server is to disable certificate checking and further warns of the implications behind disabling peer verification.

What I am requesting is for a legitimate way to maintain a local copy of cacert.pem so that when I use curl in PHP to communicate with other servers, I can continue to do so securely .

This is not a request for an external resource or off-site link etc, however due to the nature of the problem, it is likely that may be the ONLY way to resolve this as it would require continuous updating as certificate chains are revoked. To date, there is no way to obtain this file either as part of the distribution of curl itself, or php, or the curl library for php and continue to maintain it. While it is discouraging that this is not something which a simple update command like curl --update-root-ca would be nice, it does not exist in any form.

Community
  • 1
  • 1
Kraang Prime
  • 9,981
  • 10
  • 58
  • 124

2 Answers2

22

Since initially writing this article, (and thus this rewrite), I was able to resolve my own problem by including links directly to the only legitimate source to maintain this file which is provided on the site maintained by the author of curl at this location

Further as technology is advancing this question has been updated to show how to use curl in PHP and force TLS v1.2 connection (something which certain transaction providers require or recommend and may not supply the information on how to do this).

Regarding certificate authorities, there are a few key root authorities such as :

  • Symantec
  • RapidSSL
  • thawte
  • GeoTrust
  • Comodo

As well as other authorities by their nature such as

  • Microsoft
  • Mozilla
  • Google

Which can be a frame for anyone looking to maintain their own cacert.pem. Keep in mind that you would need to download their revocation lists (certificates that have been breached or expired) from the respective crl's to maintain a proper trust mechanism, while you should be able to get away with just downloading their root certificate chains and using those as a local authorative file as your cacert.pem.

Kraang Prime
  • 9,981
  • 10
  • 58
  • 124
  • 2
    You get the bounty because no-one else posted a good answer, but I don't feel this really addresses the question of what is an *official* source. So I've posted my own answer. – Roman Starkov Oct 16 '14 at 00:58
  • 2
    Amusingly enough, that site doesn't support an https-based download, so if you get your certificates from there, you may be downloading compromised authorities! Obviously it's useful to have an http version for bootstrapping. – android.weasel Dec 10 '15 at 11:52
  • 1
    @android.weasel - that is a good comment, however it is incorrect in regards to compromised authorities. The file is plain text. Being hosted on non-ssl (which is definitely ironic ), only means that the information can be viewed by others in transit. Since there is no code on that page, it is not realistic to consider XSS / etc as an injection attack since there is nothing to attack as the data is raw non-exec text. (i did vote on your comment though as I do agree with the irony of not being hosted on SSL / TLS ) – Kraang Prime Dec 11 '15 at 20:26
  • @SanuelJackson I was thinking about mitm substitution more than xss - someone diverting me to a clone of the site with compromised certs, although to be honest I was in the middle of a frustrating problem of which getting certs was only one step, so I didn't think too deeply about what someone might manage beyond that - and I presume that exploiting a compromised certificate would be a shed -load of effort. I ended up exporting the one I needed from Firefox, which felt secure enough. – android.weasel Dec 13 '15 at 05:50
  • This is a much better answer now. I removed my comment and my downvote :) – Magisch Aug 05 '16 at 12:57
  • The [documentation](https://curl.haxx.se/docs/caextract.html) of curl shows the following snippet for automated downloads: `curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem` – Ñhosko Oct 11 '19 at 04:01
13

cacert.pem is used by curl. There is no ultimate authority on which certificates are to be trusted, but the lists used by web browsers are a good source. These lists are constantly updated due to CA changes and changes to security practices.

The authors of curl maintain a tool which can extract a cacert.pem from Firefox, and post a reasonably up-to-date output on their site:

  • cacert.pem generated by the authors of curl
  • caextract: for the most security-conscious, download the tool, inspect the source code and run it against your own Firefox.
Kraang Prime
  • 9,981
  • 10
  • 58
  • 124
Roman Starkov
  • 59,298
  • 38
  • 251
  • 324