`curl` command available that uses the libcurl library)
```php
// Initialize session and set URL.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
// Set so curl_exec returns the result instead of outputting it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Get the response and close the channel.
$response = curl_exec($ch);
curl_close($ch);
```
If `$url` points toward an HTTPS resource, you're likely to encounter an error like the one below:
```
Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```
The quick fix
```php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
```
The proper fix
Use the `CURLOPT_CAINFO` parameter. This is used to point towards a CA certificate that cURL should trust; any server/peer certificates issued by this CA will then also be trusted. In order to do this, we first need to get the CA certificate. In this example, I'll be using the https://api.del.icio.us/ server as a reference.
Then the cURL options are set, with `CURLOPT_CAINFO` pointing to where we saved the CA certificate file:
```php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");
```
`CURLOPT_SSL_VERIFYHOST` can be set to the following integer values:
- 0: Don’t check the common name (CN) attribute
- 1: Check that the common name attribute at least exists
- 2: Check that the common name exists and that it matches the host name of the server
If you have `CURLOPT_SSL_VERIFYPEER` set to false, then from a security perspective it doesn't really matter what you've set `CURLOPT_SSL_VERIFYHOST` to: without peer certificate verification, the server could use any certificate, including a self-signed one that was guaranteed to have a CN matching the server's host name. So this setting is really only relevant if you've enabled certificate verification.
There is also the `CURLOPT_CAPATH` option that allows you to specify a directory holding multiple CA certificates to trust. But it's not as simple as dumping every single CA certificate in this directory. Instead, the CA certificates must be named properly, and the OpenSSL `c_rehash` utility can be used to properly set up this directory for use by cURL.
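The following helper, added here as an example and not code from the original post, pulls the proper fix and the `CURLOPT_CAPATH` alternative together into one function: it refuses to run without a trust source, keeps peer and host verification on, and surfaces the libcurl error number and message instead of silently returning `false`. The function name, the `https_get_verified` signature and the sample paths in the usage comments are assumptions. One caveat for current libcurl versions: `CURLOPT_SSL_VERIFYHOST` value 1 is no longer a distinct mode (recent libcurl treats it the same as 2), so in practice the choice is 0 or 2, and only 2 gives you a host-name check.

```php
<?php
// Added example (not from the original post): fetch an HTTPS URL with peer and
// host verification enabled, trusting only the CA file (CURLOPT_CAINFO) and/or
// the c_rehash-prepared directory (CURLOPT_CAPATH) that the caller passes in.
// Function name and paths are assumptions for illustration.
function https_get_verified(string $url, ?string $caFile = null, ?string $caDir = null): string
{
    if ($caFile === null && $caDir === null) {
        throw new InvalidArgumentException('A CA file or a CA directory is required');
    }
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('Only https:// URLs are accepted');
    }
    if ($caFile !== null && !is_readable($caFile)) {
        throw new InvalidArgumentException("CA file is not readable: $caFile");
    }
    if ($caDir !== null && !is_dir($caDir)) {
        throw new InvalidArgumentException("CA directory does not exist: $caDir");
    }

    $ch = curl_init();
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $opts = [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        // Verify the server certificate chain against our trusted CA(s)...
        CURLOPT_SSL_VERIFYPEER  => true,
        // ...and check that the certificate is actually issued for this host.
        CURLOPT_SSL_VERIFYHOST  => 2,
        // Follow redirects, but only to other https:// locations, so a redirect
        // cannot downgrade the connection to plain HTTP.
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT         => 15,
    ];
    if ($caFile !== null) {
        $opts[CURLOPT_CAINFO] = $caFile; // a single PEM file; it may hold several CAs
    }
    if ($caDir !== null) {
        $opts[CURLOPT_CAPATH] = $caDir;  // directory prepared with OpenSSL c_rehash
    }
    if (!curl_setopt_array($ch, $opts)) {
        curl_close($ch);
        throw new RuntimeException('Unable to set cURL options');
    }

    $response = curl_exec($ch);
    if ($response === false) {
        // Error 60 (CURLE_SSL_CACERT) is the "certificate verify failed" case
        // shown earlier in the post; report it rather than hiding it.
        $errno = curl_errno($ch);
        $err   = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Failed: Error Number: $errno. Reason: $err");
    }
    curl_close($ch);
    return $response;
}

// Usage (paths are assumptions, matching the layout used in the post):
// $body = https_get_verified('https://api.del.icio.us/',
//                            getcwd() . '/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt');
// $body = https_get_verified('https://api.del.icio.us/', null, '/path/to/rehashed/ca/dir');
```

Because the function throws on a verification failure instead of returning `false`, a certificate problem stops the request rather than quietly feeding an unverified response to the rest of the application; that is the behaviour you want to preserve when someone is tempted to reach for the quick fix.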