
I am doing this:

```php
$ch = curl_init();
curl_setopt($ch, CURLOPT_VERBOSE, '1'); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, '2'); 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, '1'); 
curl_setopt($ch, CURLOPT_CAINFO,  getcwd().'/public.pem'); 
curl_setopt($ch, CURLOPT_SSLCERT, getcwd().'/private.key'); 
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, '1234');
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, '1234'); 
curl_setopt($ch, CURLOPT_URL, "http://api-xxxxxx.duosecurity.com/auth/v2/preauth");
$dataa = curl_exec($ch);
```

I am getting this error: unable to use client certificate (no key found or wrong pass phrase?)

What am I missing? If the code is ok then could you please guide me on how to generate a pair of certificates for this purpose using either openssl OR ssh-keygen?

Bengali
  • `curl_setopt($ch, CURLOPT_SSLCERT, getcwd().'/public.pem');` `curl_setopt($ch, CURLOPT_SSLKEY, getcwd().'/private.key');` – ojovirtual Nov 03 '15 at 11:38
  • @ojovirtual I tried that before and it gives me this error: _error setting certificate verify locations: CAfile: /var/www/duo/api/src/duo.pem CApath: /etc/ssl/certs_ – Bengali Nov 03 '15 at 11:42
  • `curl_setopt($link, CURLOPT_SSL_VERIFYPEER, FALSE); ` – ojovirtual Nov 03 '15 at 11:46
  • @ojovirtual that isn't allowed by the API I am trying to access with this CURL. – Bengali Nov 03 '15 at 11:48
  • An SSL certificate is composed of two parts: a certificate and a private key. My code above is correct (assuming your certificate is the .pem file). The error you get (error setting certificate verify locations) is because the web server is unable to read this file. Try to change permissions on the file `/var/www/duo/api/src/duo.pem` to enable it to be accessed by your web server. – ojovirtual Nov 03 '15 at 11:53
  • @ojovirtual I tried 766, 777, 700 without luck. Please advise what options I have left. I even tried a **file_get_contents** with the absolute path to see if the certificate file is **readable**. – Bengali Nov 03 '15 at 11:58
  • http://stackoverflow.com/questions/3160909/how-do-i-deal-with-certificates-using-curl-while-trying-to-access-an-https-url – ojovirtual Nov 03 '15 at 12:04
  • "how to generate a pair of certificates for this purpose" What is the purpose? to open an SSL connection to yahoo? You don't need client certificates for that. – chugadie Nov 03 '15 at 13:54
  • Where did you get the certificates you are trying to use currently? Are you sure they have a password on them? – chugadie Nov 06 '15 at 12:28
  • Can you add the output of openssl verify public.pem and openssl verify private.key ? – chugadie Nov 06 '15 at 12:33

1 Answer

This is how you connect to yahoo over HTTPS

```php
$ch = curl_init();
curl_setopt($ch, CURLOPT_VERBOSE, '1'); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, '2'); 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, '1'); 
curl_setopt($ch, CURLOPT_URL, "https://m.yahoo.com/");
$dataa = curl_exec($ch);
```

You do not use client certificates to talk to HTTPS hosts.

The reasons that browsers/clients don't use client certificates are too varied to list here.

It seems that client certificates are a method of authenticating - or logging in - to a web site - they are not part of encrypting the communication to the server.

https://en.wikipedia.org/wiki/Client_certificate

https://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/

http://blogs.msdn.com/b/kaushal/archive/2012/02/18/client-certificates-v-s-server-certificates.aspx

Update

After learning that the original question concerns duosecurity's API, and not a regular yahoo http connection, I looked at duo's API documents and JS & PHP client libraries. I cannot find any reference to client side SSL certificates.

To circle back and tackle the original error of "no key found or wrong pass phrase" we should look at the CURLOPT_* settings.

In the original question, the cert and key are identified incorrectly with curlopt settings.

```php
$ch = curl_init();
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // check that the server cert matches the host name
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // verify the server's certificate chain

// The client certificate and its passphrase (if any): CURLOPT_SSLCERT / CURLOPT_SSLCERTPASSWD
curl_setopt($ch, CURLOPT_SSLCERT,  getcwd().'/public.pem'); 
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, '1234');

// The private key and its passphrase: CURLOPT_SSLKEY / CURLOPT_SSLKEYPASSWD
curl_setopt($ch, CURLOPT_SSLKEY, getcwd().'/private.key'); 
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, '1234'); 
// The SSL options only take effect over TLS, so the URL scheme must be https://
curl_setopt($ch, CURLOPT_URL, "https://api-xxxxxx.duosecurity.com/auth/v2/preauth");
$dataa = curl_exec($ch);
```

Use SSLCERT(PASSWORD) and SSLKEY(PASSWORD) to enable client side certificates. It is unlikely that your client side certificates need a CA - CURLOPT_CAINFO is only used to help identify the peer, not yourself.

chugadie
  • Hello chugadie, I wasn't actually making a request to Yahoo (sorry for the confusion), it is http://api-xxxxx.duosecurity.com/auth/v2/preauth I am trying to connect to and they are asking for this SSL verification. – Bengali Nov 04 '15 at 11:24
  • I think the original example has some bad CURLOPT parameters, I updated the answer. – chugadie Nov 06 '15 at 12:52
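The following is an added example (not code from the question or the answer) that wraps the option pairing described in the update in one function and checks, before curl runs, the two things that produced the errors seen in this thread: an unreadable file path and a non-TLS URL. The host, file names and passphrase are placeholders.

```php
<?php
// Added example: build a curl handle that presents a client certificate, with the
// cert/key/CA options paired the way the answer describes. All paths are assumptions.
function makeClientCertHandle(
    string $url,
    string $certPath,          // client certificate (PEM)    -> CURLOPT_SSLCERT
    string $keyPath,           // matching private key (PEM)  -> CURLOPT_SSLKEY
    ?string $keyPassphrase,    // only needed if the key file is encrypted
    ?string $caBundle = null   // CA bundle used to verify the *server*, not you
) {
    // "error setting certificate verify locations" means curl could not read the
    // path given to CURLOPT_CAINFO; fail early with a clearer message instead.
    foreach (array_filter([$certPath, $keyPath, $caBundle]) as $path) {
        if (!is_readable($path)) {
            throw new RuntimeException("Not readable by the web server user: $path");
        }
    }
    if (strpos($url, 'https://') !== 0) {
        throw new InvalidArgumentException("TLS options only apply to https URLs: $url");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // verify the server's certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // and that its cert matches the host name
        CURLOPT_SSLCERT        => $certPath,
        CURLOPT_SSLKEY         => $keyPath,
    ]);
    if ($keyPassphrase !== null) {
        // A missing or wrong passphrase is the usual cause of
        // "unable to use client certificate (no key found or wrong pass phrase?)"
        curl_setopt($ch, CURLOPT_SSLKEYPASSWD, $keyPassphrase);
    }
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle); // peer verification only
    }
    return $ch;
}

// Usage with placeholder host, paths and passphrase (assumptions, not values from the thread).
$ch = makeClientCertHandle(
    'https://api.example.invalid/auth/v2/preauth',
    __DIR__ . '/client.crt.pem', __DIR__ . '/client.key.pem', 'changeit'
);
$body = curl_exec($ch);
if ($body === false) {
    echo 'curl error ' . curl_errno($ch) . ': ' . curl_error($ch) . PHP_EOL;
}
curl_close($ch);
```

Running it with `CURLOPT_VERBOSE` enabled additionally shows in the handshake log whether the server actually requested a client certificate, which is the quickest way to confirm the API needs one at all.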