CURL Request crashes SSL

Question

I've noticed a little problem with CURL in PHP. Whenever I request a https:// connection it returns "false", and every website that I try to reach while I have my PHP page open reports to have an Untrusted certificate.

This is my request method:

private function request($url, $params, $method = "GET") {
        if ($method == "GET")
            $url = $this->structGET($url, $params);
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        if (isset($_SERVER['HTTP_USER_AGENT'])) {
            curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        } else {
            curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.X.Y.Z Safari/525.13.');
        }
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);

        $header[] = 'Accept-Language: EN';
        curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
        if ($method == "POST") {
            curl_setopt($ch, CURLOPT_POST, true);
            if ($params)
                curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
        }
        $result = curl_exec($ch);
        curl_close($ch);
        return $result;
    }

And this is what Chrome returns when I try visiting Facebook.

The site's security certificate is not trusted!

You attempted to reach www.facebook.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You cannot proceed because the website operator has requested heightened security for this domain.

Answer 1

Don't use techniques that disable certificate verification. While they may "solve" your problem on the surface, they only ignore the problem, rather than fixing it. Never do this in production code.

The most likely cause is that you're on a network where there is a MITM corporate proxy. However legitimate these devices may be, they are effectively MITM devices.

What they do is that they will replace the original certificate with a certificate issued using their own internal CA, so as to be able to monitor the traffic.

If this device was legitimately set up by your network administrator, you should be able to get its CA certificate (in those circumstances, the CA certificate would typically be installed on all end-user machines centrally administered).

It's quite likely that, as a developer, you may have installed your own machine, and might not have the CA certificate installed. Ask your network administrator for that CA certificate, and install it with the certificates used by your browser and by curl within PHP (two different locations). Where the curl default location is may depend on the system you're using, but you can also configure it via CURLOPT_CAINFO.

Presumably, you're developing within a local network, but may possibly deploy that service on a different network when it's done. Make sure that this is configurable.

Answer 2

You need to add these two lines for SSL

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);     
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); 

Answer 3

Yeah that happens when cURL tries to see if the SSL is verified. Facebook usually has a verified signature but may be because of network, it is returning invalid (happens in my case: using fortiguard proxy, facebook blocked!)

So, what you can do is, you can choose to ignore that error totally.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

That should fix it. But, if you want to fix it properly, then you should probably use a proxy or something or get a certificate for the server(if it is yours).