Asked  7 Months ago    Answers:  5   Viewed   34 times

I am trying to download the content of a secure (uses https) webpage using php and curl libraries.

However, reading failed and I get error 60: "SSL certificate problem, verify that the CA cert is OK."

Also: "Details: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

So... pretty self-explanatory error messages.

My question is: How do I send an SSL certificate (the right one?) and get this page to verify it and let me in?

Also, here is my options array in case you are wondering:

    $options = array(
        CURLOPT_RETURNTRANSFER => true,     // return web page
        CURLOPT_HEADER         => false,    // don't return headers
        CURLOPT_FOLLOWLOCATION => true,     // follow redirects
        CURLOPT_ENCODING       => "",       // handle all encodings
        CURLOPT_USERAGENT      => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.x.x) Gecko/20041107 Firefox/x.x", // who am i
        CURLOPT_AUTOREFERER    => true,     // set referer on redirect
        CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
        CURLOPT_TIMEOUT        => 120,      // timeout on response
        CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
        CURLOPT_SSL_VERIFYHOST => 2,        // certificate name must match the host (value 1 is no longer supported by libcurl)
    );

Any suggestions would be great, Andrew

 Answers

41

It sounds like you might be misinterpreting the error. It looks to me like the site you're connecting to is self-signed or some other common problem. Just like the usual browser warning, your easiest workaround is to disable the checks.

You'll need to set CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to FALSE. This should disable the two main checks. They may not both be required, but this should at least get you going.

To be clear, this disables a feature designed to protect you. Only do this if you have verified the certificate and server by some other means.

More info on the PHP site: curl_setopt()

Wednesday, March 31, 2021
 
Tapha
answered 7 Months ago
66

That's an interesting problem.

If you query SSLLabs for this site you will see that it only supports various ECDHE-ECDSA-* ciphers and no other ciphers. But in the version history of curl you will find a bug with ECC ciphers and the NSS library (which you use), which is only fixed in curl version 7.36: "nss: allow to use ECC ciphers if NSS implements them".

Since you are using curl 7.19.7 your curl is too old to use the necessary ciphers together with the NSS library. This means you need to upgrade your curl library.

Wednesday, March 31, 2021
 
mozlima
answered 7 Months ago
67

The current CA Cert extracts provided by cURL contain the GeoTrust Global CA certificate authority which signed Google's CA cert which in turn signs YouTube's cert, so you should have no problem using the file you have.

Based on the last error, it looks like the problem is because you were missing the / after C:. The message "error setting certificate verify locations" means that it couldn't open or read the file specified by curl.cainfo, so it's not finding any certs at all.

If you change C:php/ext/cacert.pem to C:/php/ext/cacert.pem it should be able to read the CA file correctly and then verify the site properly.

Wednesday, March 31, 2021
 
samayo
answered 7 Months ago
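
An added example (not part of any answer here, and not the asker's code): the request made with both certificate checks left on and CURLOPT_CAINFO pointing at a CA bundle, with the unreadable-path case from the answer above caught before curl runs. The function name, URL and bundle path are assumptions; for a self-signed or private-CA server, pass that server's own CA certificate as the bundle.

```php
<?php
// Added example. fetch_verified(), the URL and the bundle path are assumed names/values.
function fetch_verified(string $url, string $caBundle): string
{
    // Catch a mistyped or unreadable bundle path up front, e.g.
    // "C:php/ext/cacert.pem" where "C:/php/ext/cacert.pem" was meant.
    if (!is_file($caBundle) || !is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 10,
        CURLOPT_CONNECTTIMEOUT => 30,
        CURLOPT_TIMEOUT        => 60,
        CURLOPT_SSL_VERIFYPEER => true,      // validate the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate name must match the host
        CURLOPT_CAINFO         => $caBundle, // PEM file of trusted CA certificates
    ));

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);

    if ($body === false) {
        // Map the curl error numbers that matter here to a likely cause.
        $hints = array(
            60 => 'chain does not lead to a CA in the bundle (self-signed, private CA, or outdated bundle)',
            77 => 'curl could not open or parse the CA bundle file',
            35 => 'TLS handshake failed: often a protocol or cipher mismatch with an old curl/TLS library, not a trust problem',
        );
        $hint = isset($hints[$errno]) ? $hints[$errno] : 'see the curl error text';
        throw new RuntimeException("curl error $errno: $error ($hint)");
    }
    return $body;
}

try {
    // Assumed sample values: a public URL and a common Linux bundle location.
    $html = fetch_verified('https://example.com/', '/etc/ssl/certs/ca-certificates.crt');
    echo strlen($html), " bytes fetched with verification on\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
}
```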
23

You need to add the Curl libraries to the command line PHP.ini.

You can probably just copy the file C:\wamp\bin\apache\Apache2.2.x\bin\php.ini to c:\wamp\bin\php\php5.3.10\php.ini (adjust for the actual directories on your system).

Wednesday, March 31, 2021
 
Fanda
answered 7 Months ago
89

PayPal now supports only TLS 1.2 on the sandbox (and in June the same will apply to production systems). If you want to use TLS 1.2 you'll need to upgrade to OpenSSL 1.0.1+ as a minimum, and then you'll be able to set CURLOPT_SSLVERSION to 6 (TLS 1.2). If you want TLS 1.2 to be used automatically during SSL requests, you'll also need to upgrade to PHP 5.5.19+ (this is the ideal solution but many projects are still on older PHP versions).

However, you've said you're on shared hosting and can't upgrade the software yourself... so you're out of luck. My advice would be to get away from whatever hosting provider is still stuck on OpenSSL 0.9.8.

Reference: https://devblog.paypal.com/upcoming-security-changes-notice/

Saturday, May 29, 2021
 
McAn
answered 5 Months ago