
I'm trying to write some code to fetch pages either via HTTP or HTTPS.

<?php
$ch = curl_init('https://www.google.com');

// <START OPTIONS>
// Uncomment the following line to "fix" error 60: "SSL certificate problem: unable to get local issuer certificate"
//curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// These options make no difference
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, 'C:/server/cacert.pem');

// This changes error 60 to error 58: "unable to set private key file: 'C:/server/cacert.pem' type PEM"
curl_setopt($ch, CURLOPT_SSLCERT, 'C:/server/cacert.pem');
// <END OPTIONS>

if (curl_exec($ch) === false) {
  var_dump(curl_errno($ch), curl_error($ch));
}
curl_close($ch);

I've followed the advice in this answer about adding a cacert.pem file to php.ini, but I'm still getting error 60. I believe this is what the CURLOPT_CAINFO option does too.

If I include curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); it works, but only by bypassing the security checks.

cURL settings from php -i:

curl

cURL support => enabled
cURL Information => 7.42.1
Age => 3
Features
AsynchDNS => Yes
Debug => No
GSS-Negotiate => No
IDN => No
IPv6 => Yes
Largefile => Yes
NTLM => Yes
SPNEGO => Yes
SSL => Yes
SSPI => Yes
krb4 => No
libz => Yes
CharConv => No
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, pop3, pop3s, rtsp, scp, sftp, smtp, smtps, telnet, tftp
Host => i386-pc-win32
SSL Version => OpenSSL/0.9.8zf
ZLib Version => 1.2.7
libSSH Version => libssh2/1.5.0

cURL settings from phpinfo():

curl

cURL support    enabled
cURL Information    7.42.1
Age 3
Features
AsynchDNS   Yes
Debug   No
GSS-Negotiate   No
IDN No
IPv6    Yes
Largefile   Yes
NTLM    Yes
SPNEGO  Yes
SSL Yes
SSPI    Yes
krb4    No
libz    Yes
CharConv    No
Protocols   dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, pop3, pop3s, rtsp, scp, sftp, smtp, smtps, telnet, tftp
Host    i386-pc-win32
SSL Version OpenSSL/1.0.1e
ZLib Version    1.2.7
libSSH Version  libssh2/1.5.0

The settings are identical except for the SSL Version: OpenSSL/0.9.8zf (CLI) vs. OpenSSL/1.0.1e (CGI).

My development machine is Windows XP, PHP 5.4.45 but when I get it working I'll want to transfer it to a Linux server.

Do I need to configure php.ini differently or use different cURL options? How can I get cURL to succeed only if the site is correctly signed, i.e. with curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);?

CJ Dennis
  • It's the same problem as described in the article you linked. If you followed the advice on editing your php.ini file and the config you added is not shown in phpinfo, then you forgot to restart your PHP service. – symcbean Feb 11 '18 at 01:12
  • @symcbean I restarted Apache after every change I made to `php.ini`, and as far as I can tell, adding the `CURLOPT_CAINFO` line does the same thing anyway. – CJ Dennis Feb 11 '18 at 01:16
  • Trying to fiddle with `CURLOPT_SSLCERT` makes no sense: this is for client side certificates and requires a private key which you don't have and thus you get this error. `CURLOPT_CAINFO` is the correct setting instead. But, it is not enough to add "some" `cacert.pem` file. It needs to have the right contents and it is unclear what the contents of the file is on your system. And seriously, you are using rotten old software like XP and ancient OpenSSL versions and then you are trying to get support for such a messed up setup? – Steffen Ullrich Feb 11 '18 at 06:18
  • @SteffenUllrich A little compassion here? If I knew how cURL worked, I wouldn't be fiddling with the settings. So cURL never worked 10 years ago? That explains why I've always had so much trouble with it! Thanks for the offer of a new computer! I hope it doesn't cost you too much to ship to Australia! – CJ Dennis Feb 11 '18 at 07:43
  • @CJDennis: The world has not stayed unchanged in the last 10 years and this is especially true for anything around SSL. What worked 10 years ago might not work any longer. And again, it is not known what the contents of your cacert.pem actually is, i.e. if it contains the needed CA certificate or not. – Steffen Ullrich Feb 11 '18 at 07:46
  • @SteffenUllrich I can't post it here because it's over 200 kB. You can download it yourself at the link in the answer I've linked to. – CJ Dennis Feb 11 '18 at 07:48
  • @CJDennis: if this is the latest version you got from this link then it should be sufficient. But there might be some SSL interception going on in your environment (firewalls, antivirus) which affects the validation. Apart from that: my main reason that I complained about ancient OS and OpenSSL is that this indicates that the system was installed ages ago. In this time it probably accumulated a lot of cruft which causes strange and hard to debug problems. I would recommend starting with a minimal fresh install in order to not run into problems due to all the accumulated cruft. – Steffen Ullrich Feb 11 '18 at 07:52
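As an added example (not code from the question or its comments), the fetch with verification kept on, plus the two checks the comments ask for: that the bundle at C:/server/cacert.pem actually contains PEM certificates, and which SSL backend the running SAPI uses. The function names are my own; CURLOPT_SSLCERT is deliberately left unset because it selects a client certificate, which is what produces error 58.

```php
<?php
// Added example: fetch a URL with full TLS verification, failing closed and
// reporting which part of the setup is at fault. Written for PHP 5.4+.

function ca_bundle_cert_count($path)
{
    // A bundle saved as an HTML error page, or truncated, contains no PEM blocks.
    if (!is_readable($path)) {
        throw new RuntimeException("CA bundle not readable: $path");
    }
    return substr_count(file_get_contents($path), '-----BEGIN CERTIFICATE-----');
}

function fetch_verified($url, $caBundle)
{
    if (ca_bundle_cert_count($caBundle) === 0) {
        throw new RuntimeException("No PEM certificates found in $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // only http(s), no file:// etc.
        CURLOPT_SSL_VERIFYPEER => true,  // chain must validate against the bundle below
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate name must match the host in $url
        CURLOPT_CAINFO         => $caBundle,
        // CURLOPT_SSLCERT/CURLOPT_SSLKEY are NOT set: they are client-certificate options.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 30,
    ));
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        $hint = '';
        if ($errno === CURLE_SSL_CACERT) {            // error 60
            $hint = " (chain did not validate against $caBundle: stale bundle or TLS interception?)";
        } elseif ($errno === CURLE_SSL_CERTPROBLEM) {  // error 58
            $hint = ' (client-certificate option misused; remove CURLOPT_SSLCERT)';
        }
        throw new RuntimeException("curl error $errno: $error$hint");
    }
    return $body;
}

// The cURL/SSL backend seen by this SAPI; the question's php -i and phpinfo() differ here.
$v = curl_version();
printf("cURL %s with %s\n", $v['version'], $v['ssl_version']);
echo strlen(fetch_verified('https://www.google.com', 'C:/server/cacert.pem')), " bytes\n";
```

Run it once under the CLI and once through Apache: if the printed ssl_version differs, the two SAPIs load different cURL/OpenSSL builds and the bundle may validate under one but not the other.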
