CODEWITHSUNDEEP
phppostcurl
user2536244
user2536244

Reputation:

PHP cURL returns FALSE on HTTPS

I'm trying to make a bot for: https://coinroll.it/api

From the site:
The Coinroll API is a stateless interface which works over HTTPS. Requests are made using POST variables (application/x-www-form-urlencoded) while responses are encoded in JSON (application/json). A HTTPS connection is required for accessing the API.

I have the following code: 

$ch = curl_init();
$data = array('user' => 'xxx', 'password' => 'yyy');
curl_setopt($ch, CURLOPT_URL, 'https://coinroll.it');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));   
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 
$result = curl_exec($ch);
echo $result;

When I run this code, it returns a blank page, what am I doing wrong?

EDIT
I don't actually need to use cURl, if there is a better solution, please tell me.

Upvotes: 8

Views: 22193

Answers (3)

Fabien Haddadi
Fabien Haddadi

Reputation: 2080

Today I had the case where "It had been working fine until now.", but it stopped working when the FQDN changed, and I had to self-sign another certificate, with a different DN.

After a few experiments, it turned out to be that the Subject Alternate Name (aka SAN) was not matching the certificate name, and the curl call had not been set with CURLOPT_SSL_VERIFYHOST, 2.

Conclusion: by default, CURLOPT_SSL_VERIFYHOST is set to 2, but, if your cert SAN is wrong, it will fail, unless you deactivate CURLOPT_SSL_VERIFYHOST, and, with it, CURLOPT_SSL_VERIFYPEER.

It is obviously the best practice to set both, and have a SAN that matches the subject.

Reminder: this is how to quickly check the SAN using OpenSSH on command line:

openssl x509 -in /etc/ssl/certs/recette.pharmags.fr.crt -noout -text | grep -A1 "Subject Alternative Name"

Upvotes: 0

eloibm
eloibm

Reputation: 909

You can use the following cURL option in order to see what happens with the HTTP connection:

curl_setopt($ch, CURLOPT_VERBOSE, true);

When TRUE it outputs verbose information.

Upvotes: 3

MrCode
MrCode

Reputation: 64526

You can prevent cURL from trying to verify the SSL certificate by using CURLOPT_VERIFYPEER.

Also set the action in the URL:

$ch = curl_init();
$data = array('user' => 'xxx', 'password' => 'yyy');
curl_setopt($ch, CURLOPT_URL, 'https://coinroll.it/getbalance');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($ch);
echo $result;

Upvotes: 13

Related Questions