Asked  7 Months ago    Answers:  5   Viewed   42 times

I am using XAMPP for development. Recently I upgraded my installation of xampp from an old version to 1.7.3.

Now when I curl HTTPS enabled sites I get the following exception

Fatal error: Uncaught exception 'RequestCore_Exception' with message 'cURL resource: Resource id #55; cURL error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60)'

Everyone suggests using some specific curl options from PHP code to fix this problem. I think this shouldn't be the way, because I didn't have any problem with my old version of XAMPP and it happened only after installing the new version.

I need help to figure out what settings change in my PHP installation, Apache, etc. can fix this problem.

 Answers

81

curl used to include a list of accepted certificate authorities (CAs) but no longer bundles ANY CA certs since 7.18.1 and onwards. So by default it'll reject all TLS/SSL certificates as unverifiable.

You'll have to get your CA's root certificate and point curl at it. More details at curl's details on TLS/SSL certificates verification.

Wednesday, March 31, 2021
 
Gigamegs
answered 7 Months ago
66

That's an interesting problem.

If you query SSLLabs for this site you will see that it only supports various ECDHE-ECDSA-* ciphers and no other ciphers. But in the version history of curl you will find a bug with ECC ciphers and the NSS library (which you use), which is only fixed in curl version 7.36: "nss: allow to use ECC ciphers if NSS implements them".

Since you are using curl 7.19.7 your curl is too old to use the necessary ciphers together with the NSS library. This means you need to upgrade your curl library.

Wednesday, March 31, 2021
 
mozlima
answered 7 Months ago
94

I totally agree with Tim: we need "angle" (aperture) of cone to get the answer.

Let's do some coding then! I'll use some terminology from here.

Result-giving function:

/**
 * @param x coordinates of point to be tested 
 * @param t coordinates of apex point of cone
 * @param b coordinates of center of basement circle
 * @param aperture in radians
 */
static public boolean isLyingInCone(float[] x, float[] t, float[] b, 
                                    float aperture){

    // This is for our convenience
    float halfAperture = aperture/2.f;

    // Vector pointing from apex to X point (x - t).
    float[] apexToXVect = dif(x,t);

    // Vector pointing from apex to circle-center point (b - t).
    float[] axisVect = dif(b,t);

    // X is lying in cone only if it's lying in 
    // infinite version of its cone -- that is, 
    // not limited by "round basement".
    // We'll use dotProd() to 
    // determine angle between apexToXVect and axis.
    boolean isInInfiniteCone = dotProd(apexToXVect,axisVect)
                               /magn(apexToXVect)/magn(axisVect)
                                 >
                               // We can safely compare cos() of angles 
                               // between vectors instead of bare angles.
                               Math.cos(halfAperture);


    if(!isInInfiniteCone) return false;

    // X is contained in cone only if projection of apexToXVect to axis
    // is shorter than axis. 
    // We'll use dotProd() to figure projection length.
    boolean isUnderRoundCap = dotProd(apexToXVect,axisVect)
                              /magn(axisVect)
                                <
                              magn(axisVect);
    return isUnderRoundCap;
}

Below are my fast implementations of basic functions, required by the upper code to manipulate vectors.

static public float dotProd(float[] a, float[] b){
    return a[0]*b[0]+a[1]*b[1]+a[2]*b[2];
}

static public float[] dif(float[] a, float[] b){
    return (new float[]{
            a[0]-b[0],
            a[1]-b[1],
            a[2]-b[2]
    });
}

static public float magn(float[] a){
    return (float) (Math.sqrt(a[0]*a[0]+a[1]*a[1]+a[2]*a[2]));
}

Have fun!

Thursday, July 29, 2021
 
Yarin
answered 3 Months ago
40

Solved! Thanks to @hank!

My solution is:

1) Open your site in Google Chrome, open certificate info.

2) Export it and each of its parent certs as X.509. Concatenate the cert files into one cert file to make the cert chain.

3) Use the file with the cert chain in the code:

/* Backslashes in a C string literal must be escaped. */
curl_easy_setopt(curl, CURLOPT_CAINFO, "c:\\Art\\Projects\\LifeSimLauncher\\MyStaticLib\\lifesim.biz.crt.cer");
Friday, July 30, 2021
 
RahulG
answered 3 Months ago
13

Here's my solution:

In class Volley in method

public static RequestQueue newRequestQueue(Context context, HttpStack stack)

locate the following text:

stack = new HurlStack();

Then change this line to:

stack = new HurlStack(null, createSslSocketFactory());

where method createSslSocketFactory() is defined as following:

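// Testing only: the factory returned here disables server certificate validation.
private static SSLSocketFactory createSslSocketFactory() {
    // Trust manager whose check methods never throw, so any certificate
    // chain presented by the server is accepted without validation.
    TrustManager[] byPassTrustManagers = new TrustManager[]{new X509TrustManager() {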
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType) {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }
    }};

    SSLContext sslContext = null;
    SSLSocketFactory sslSocketFactory = null;
    try {
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, byPassTrustManagers, new SecureRandom());
        sslSocketFactory = sslContext.getSocketFactory();

    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
        Log.e(TAG, StringUtils.EMPTY, e);
    } catch (KeyManagementException e) {
        Log.e(TAG, StringUtils.EMPTY, e);
    }

    return sslSocketFactory;
}

I know that this is not secure, but I use it for testing purposes only. You can improve the security by accepting only certificates from your servers.

Wednesday, August 4, 2021
 
ala
answered 3 Months ago
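
The last answer says security can be improved by accepting only certificates from your own servers. The following is an added example of that hardened counterpart to createSslSocketFactory(); it is not code from the answer or from Volley. The class name PinnedCaSocketFactory and the resource R.raw.my_ca are hypothetical, and the PEM file is assumed to hold the CA (or self-signed server) certificates you want to trust.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedCaSocketFactory {  // hypothetical name, added example
    private PinnedCaSocketFactory() {}

    /**
     * Builds a socket factory whose only trust anchors are the X.509
     * certificates (PEM or DER) read from caStream. Chain validation,
     * expiry checks and signature checks stay enabled; only the set of
     * trusted roots changes.
     */
    public static SSLSocketFactory fromCertificates(InputStream caStream)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> anchors = cf.generateCertificates(caStream);
        if (anchors.isEmpty()) {
            // Fail closed: never fall back to "trust everything".
            throw new CertificateException("no trust anchors found in input");
        }

        // In-memory key store holding nothing but our anchors.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 0;
        for (Certificate anchor : anchors) {
            ks.setCertificateEntry("anchor-" + i++, anchor);
        }

        // Platform trust manager, initialised with our key store
        // instead of the system CA store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
    // Usage in newRequestQueue (R.raw.my_ca is a hypothetical resource):
    //   stack = new HurlStack(null, PinnedCaSocketFactory.fromCertificates(
    //           context.getResources().openRawResource(R.raw.my_ca)));
}
```

Because the method throws instead of returning null, a missing or unreadable certificate file stops the request queue from being built rather than silently weakening validation. Hostname verification is untouched, since HttpsURLConnection keeps applying its default HostnameVerifier.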