Caynadian

Reputation: 779

cURL SSL CA Config with Windows Server 2008R2 and PHP 5.2

I am trying to get cURL SSL to work properly under PHP 5.2 (required by some of the older code we have running) without disabling SSL verification. I have downloaded the latest (Jan 20) cacert.pem file and placed it into our PHP dir (E:\PHP), and then I run a little test script:

<?php
  function nxs_cURLTest($url, $msg, $testText){  
    $ch = curl_init(); 
    curl_setopt($ch, CURLOPT_URL, $url); 
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36"); 
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
    curl_setopt($ch, CURLOPT_TIMEOUT, 10); 
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_CAINFO, "e:\php\cacert.pem");

    $verbose = fopen('php://temp', 'w+');
    curl_setopt($ch, CURLOPT_STDERR, $verbose);    

    $response = curl_exec($ch); 
    $errmsg = curl_error($ch); 
    $cInfo = curl_getinfo($ch); 
    curl_close($ch); 
    echo "<br />Testing ... ".$url." - ".$cInfo['url']."<br />";
    if (stripos($response, $testText)!==false) 
      echo "....".$msg." - OK<br />"; 
    else 
    { 
      echo "....<b style='color:red;'>".$msg." - Problem</b><br /><pre>"; 
      print_r($errmsg); 
      print_r($cInfo); 
      print_r(htmlentities($response)); 
      echo "</pre>There is a problem with cURL. You need to contact your server admin or hosting provider.<br />";
    }
    rewind($verbose);
    $verboseLog = stream_get_contents($verbose);
    echo "<br />Verbose output:<br />";
    echo "<pre>", htmlspecialchars($verboseLog), "</pre>";    
  }

  nxs_cURLTest("https://www.google.com/", "HTTPS to Google", "Mountain View, CA");
  nxs_cURLTest("https://internalserver.example.com/curl/", "HTTPS to Internal", "Internal Test");
?>

Now I expect that the SSL for the call to the internal server will fail, as it uses a self-signed certificate that is not in the cacert.pem file (one step at a time), but I cannot even get the call to Google to work. This is the output:

Testing ... https://www.google.com/ - https://www.google.com/....HTTPS to Google - Problem
SSL certificate problem, verify that the CA cert is OK. 
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Array
(
    [url] => https://www.google.com/
    [content_type] =>
    [http_code] => 0
    [header_size] => 0
    [request_size] => 0
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0.047
    [namelookup_time] => 0.031
    [connect_time] => 0.047
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 0
    [download_content_length] => -1
    [upload_content_length] => -1
    [starttransfer_time] => 0
    [redirect_time] => 0
)
There is a problem with cURL. You need to contact your server admin or hosting provider.
Verbose output:
* About to connect() to www.google.com port 443 (#0)
*   Trying 216.58.192.100... * connected
* Connected to www.google.com (216.58.192.100) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: e:\php\cacert.pem
    CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0


Testing ... https://internalserver.example.com/curl/ - https://internalserver.example.com/curl/.... HTTPS to InternalServer - Problem
SSL certificate problem, verify that the CA cert is OK. 
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Array
(
    [url] => https://internalserver.example.com/curl/
    [content_type] =>
    [http_code] => 0
    [header_size] => 0
    [request_size] => 0
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0
    [namelookup_time] => 0
    [connect_time] => 0
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 0
    [download_content_length] => -1
    [upload_content_length] => -1
    [starttransfer_time] => 0
    [redirect_time] => 0
)
There is a problem with cURL. You need to contact your server admin or hosting provider.

Verbose output:
* About to connect() to internalserver.example.com port 443 (#0)
*   Trying 192.168.1.10... * connected
* Connected to internalserver.example.com (192.168.1.10) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: e:\php\cacert.pem
    CApath: none
* SSL certificate problem, verify that the CA cert is OK. Details:
  error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0

Upvotes: 1

Views: 579

Answers (1)

drew010

Reputation: 69967

I see two potential issues here.

1: Google only supports TLSv1.0, TLSv1.1, and TLSv1.2. Since you have an older version of PHP and probably cURL and OpenSSL as well, based on the error message you may not have any TLS support.

2: In the line curl_setopt($ch, CURLOPT_CAINFO, "e:\php\cacert.pem");, the \ needs to be escaped, so it might not be picking up the path to the certs correctly. Try curl_setopt($ch, CURLOPT_CAINFO, "e:\\php\\cacert.pem"); or simply curl_setopt($ch, CURLOPT_CAINFO, "e:/php/cacert.pem");

But based on the error message, SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, I think it is the first issue.

Check <?php phpinfo() ?> and see what cURL and OpenSSL versions PHP has. If it is OpenSSL 0.9.8, then you most likely don't have TLS support.

Upvotes: 2
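
A diagnostic along the lines the answer suggests, as an added example that is not part of the original question or answer: it reports the cURL and SSL library versions that phpinfo() would show and checks that the CA bundle path survived string escaping and points at a readable PEM file. The helper name nxs_tlsDiag and the report keys are hypothetical; the path is the one from the question, and the code sticks to PHP 5.2 syntax.

```php
<?php
// Added example, not code from the original post. nxs_tlsDiag() is a
// hypothetical helper; it makes no network connection.
function nxs_tlsDiag($caFile) {
    $report = array();

    // 1. Library versions: the same values phpinfo() lists in its curl section.
    $v = curl_version();
    $report['curl_version'] = $v['version'];
    $report['ssl_library']  = $v['ssl_version'];   // library name and version string
    $report['https_built']  = in_array('https', $v['protocols']);
    // The answer singles out OpenSSL 0.9.8 as the build to look for.
    $report['is_openssl_098'] = (strpos($v['ssl_version'], '0.9.8') !== false);

    // 2. CA bundle path exactly as PHP stored it. In a double-quoted string,
    //    sequences such as \t or \n become control characters, so any byte
    //    below 0x20 in the path means an escape was interpreted.
    $report['ca_path']          = $caFile;
    $report['ca_path_mangled']  = (preg_match('/[\x00-\x1f]/', $caFile) === 1);
    $report['ca_readable']      = is_readable($caFile);

    // 3. A usable bundle contains PEM certificate blocks; count them.
    $report['ca_cert_count'] = 0;
    if ($report['ca_readable']) {
        $pem = file_get_contents($caFile);
        $report['ca_cert_count'] = substr_count($pem, '-----BEGIN CERTIFICATE-----');
    }
    return $report;
}

// Single quotes or forward slashes keep the path free of escape processing.
$paths = array(
    'forward slashes' => 'e:/php/cacert.pem',
    'as in question'  => "e:\php\cacert.pem",   // \p and \c are not PHP escapes
);
foreach ($paths as $label => $path) {
    echo "== " . $label . " ==\n";
    foreach (nxs_tlsDiag($path) as $key => $value) {
        echo $key . ': ' . var_export($value, true) . "\n";
    }
}
```

If ca_readable is true and ca_cert_count is non-zero for the path in use, the bundle is being found, which matches the "successfully set certificate verify locations" line in the verbose output above and leaves the library versions as the thing to examine.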
