Reputation: 71
I'm developing some software in PHP, using curllib to connect to Amazon, PayPal and WeChat. I want to verify the certs and I found some params related to this:
CURLOPT_SSL_VERIFYPEER: I think if you want to verify the SSL cert, this param should be set to true;
but I am confused about CURLOPT_CAINFO and
curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM');
curl_setopt($ch, CURLOPT_SSLCERT, $sslCertPath);
curl_setopt($ch, CURLOPT_SSLKEYTYPE, 'PEM');
curl_setopt($ch, CURLOPT_SSLKEY, $sslKeyPath);
When should I set CURLOPT_CAINFO, and when should I set the following 4 params?
I think CURLOPT_CAINFO is a param to make sure Amazon is Amazon and PayPal is PayPal;
the following 4 params are to confirm I am the real me, so Amazon can confirm that by these 4 params.
Am I correct?
And I don't know how to get the CURLOPT_CAINFO CA, because I think if I confirm Amazon is Amazon, just verifying the CA that Amazon sends me is enough; why should I send a CA to Amazon?
Upvotes: 2
Views: 3866
Reputation: 892
So after downloading this cacert.pem file into your project, in PHP you can now do this:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/cacert.pem");
Alternatively, this can be set globally by adding the following to your php.ini:
curl.cainfo=/path/to/cacert.pem
Hope this helps you.
Upvotes: 1
Reputation: 14269
Usually, when you receive a certificate from a website, it contains the website's own certificate plus the intermediate certificate (the one that signed/issued the website's certificate). In order to verify them both, you must have a list of root certificates (CA is an abbreviation of Certificate Authority), which is called a "CA bundle" and usually lives at /etc/ssl/certs/ca-bundle.crt. The intermediate certificate (there can be more than one intermediate certificate; each of them will/must be signed by the next one up in the chain) must be signed by a root certificate in order to be trusted.
So the purpose of CURLOPT_CAINFO is to allow you to specify the pathname of ca-bundle.crt if it cannot be found automatically by cURL, or if you want to check against your custom root certificate(s).
The purpose of CURLOPT_SSLCERT and CURLOPT_SSLKEY is to present a client certificate (as opposed to a server one) so that the server can verify your identity (usually used for online banking so that you can sign your transactions); most probably you do not need these in your use case.
The purpose of CURLOPT_SSL_VERIFYPEER is for you to be able to force cURL to skip verification of the server certificate, in case your CA bundle is not up to date or missing at all.
Upvotes: 1
Reputation: 26
Try this if you want to use CURLOPT_SSL_VERIFYPEER:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, __DIR__ . '/cacert.pem');
Download cacert.pem here: https://curl.haxx.se/docs/caextract.html
Upvotes: 1
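The two answers above separate server authentication (CURLOPT_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST, CURLOPT_CAINFO) from client authentication (CURLOPT_SSLCERT, CURLOPT_SSLKEY). The helper below is an added example, not code from any answer on this page; it applies both groups in one place, only attaches the client certificate when one is supplied, and turns a failed chain check into a distinct error instead of silently returning a body. The file paths and URL in it are placeholders.

```php
<?php
// Added example (not from any answer on this page). Assumed placeholders:
// $caBundle, $clientCert, $clientKey paths and the URL in the usage comment.

function tlsRequest(string $url, string $caBundle, ?string $clientCert = null, ?string $clientKey = null): array
{
    if (!is_readable($caBundle)) {
        // A missing bundle must be an error, not a reason to disable verification.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init();
    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        // Server authentication: check the chain against the bundle (VERIFYPEER)
        // and check the certificate's name against the host in $url (VERIFYHOST=2).
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
    ];

    // Client authentication: only needed when the remote API requires mutual TLS.
    // It proves who you are; it plays no part in verifying who the server is.
    if ($clientCert !== null && $clientKey !== null) {
        $opts[CURLOPT_SSLCERTTYPE] = 'PEM';
        $opts[CURLOPT_SSLCERT]     = $clientCert;
        $opts[CURLOPT_SSLKEYTYPE]  = 'PEM';
        $opts[CURLOPT_SSLKEY]      = $clientKey;
    }
    curl_setopt_array($ch, $opts);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    // These two codes mean the server chain did not verify against the bundle:
    // an outdated bundle, a misconfigured server, or an intercepting proxy.
    if ($errno === CURLE_SSL_CACERT || $errno === CURLE_SSL_PEER_CERTIFICATE) {
        throw new RuntimeException("Server certificate verification failed: $error");
    }
    if ($errno !== 0) {
        throw new RuntimeException("cURL error $errno: $error");
    }
    return ['status' => $status, 'body' => $body];
}

// Usage (placeholder URL and path):
// $r = tlsRequest('https://api.example.com/', __DIR__ . '/cacert.pem');
```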