PHP CURL CURLOPT_SSL_VERIFYPEER ignored

Asked 28/2, 2013 at 12:41 Answered 19/5, 2023 at 5:58

163

For some reason I am unable to use CURL with HTTPS. Everything was working fine untill I ran upgrade of curl libraries. Now I am experiencing this response when trying to perform CURL requests: Problem with the SSL CA cert (path? access rights?)

Following suggestions posted here on related issues I have tried to do the following:

Disable verification for host and peer

curl_setopt($cHandler, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($cHandler, CURLOPT_SSL_VERIFYPEER, true);

Enable CURLOPT_SSL_VERIFYPEER and point to cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html

curl_setopt($cHandler, CURLOPT_SSL_VERIFYPEER, true);  
curl_setopt($cHandler, CURLOPT_CAINFO, getcwd() . "/positiveSSL.ca-bundle");

I also tried to do the same thing with positiveSSL.ca-bundle which was provided as bundle CA certificate for the server I am trying to connect to.
Edit php ini settings with curl.cainfo=cacert.pem (file in the same directory and accessible by apache)
Rename /etc/pki/nssdb to /etc/pki/nssdb.old

Unfortunatelly none of the above are able to solve my problem and I constantly get Problem with the SSL CA cert (path? access rights?) message.

And I don't need this verification in the first place (I am aware of security issues).

Does anybody have any other suggestions?

UPDATE

After updating to the latest libraries and restart of the whole box, not just apache which I was doing it all seems to be working now again!!!

Effective answered 28/2, 2013 at 12:41 Comment(6)

Is you upgraded Curl library compiled against a different SSL stack (GnuTLS v.s OpenSSL, perhaps)? – Bodrogi 28/2, 2013 at 20:17

I wouldn't think so. The system is Fedora 16 and it was the case of yum update really. The most annoying thing is that I don't need/want this whole validation and I can't seem to be able to simply disable it. – Effective 1/3, 2013 at 9:33

If you're aiming to use HTTPS for security, you'll always want to have this validation process in place. – Bodrogi 1/3, 2013 at 10:16

I am aware of that, however my use case here makes it all a bit redundant. Also, I have updated curl to latest available, and php to 5.4. Now, The error message is gone, but I don't get any cotnent from curl either :) – Effective 1/3, 2013 at 10:51

Ha, now I get somewhere curl_errno function reports status 77 which according to the manual is CURLE_SSL_CACERT_BADFILE. – Effective 1/3, 2013 at 11:33

You have to enable read access for the webserver on the cacert.pem file or it won't work. Try: readfile('/path/to/cacert.pem'); in a web accessible script and make sure it prints the cert out to the screen. If it doesn't, the path is wrong, or the file isn't readable. It's also better to set openssl.cafile setting in php.ini and use ini_get to get the path. That way the path is available to everything, not just the script you're working on. – Roumell 10/10, 2019 at 20:20

327

According to documentation: to verify host or peer certificate you need to specify alternate certificates with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.

Also look at CURLOPT_SSL_VERIFYHOST:

1 to check the existence of a common name in the SSL peer certificate.
2 to check the existence of a common name and also verify that it matches the hostname provided.

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

Liquorice answered 6/3, 2013 at 1:10 Comment(4)

Turning off the SSL verification pretty much removes all security of SSL anyway. You should fix your PHP configuration instead. – Drawers 21/8, 2017 at 22:31

@Drawers but sometimes you might need it on local development environments with self-signed certificates. So probably it makes no sense on non-public environments, but as reminder it is always better to have some warning in log (e.g. SSL verification disabled) – Jihad 26/11, 2017 at 12:55

Put 'false' works too. This solution is working for simple cases, but if SSL is really required it no will work. – Tirpitz 2/12, 2021 at 13:5

There is an error in your code. $ch must be $this->cURL. Than it works. – Zabrze 21/11, 2023 at 9:53

$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Return data inplace of echoing on screen
curl_setopt($ch, CURLOPT_URL, $strURL);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // Skip SSL Verification
$rsData = curl_exec($ch);
curl_close($ch);
return $rsData;

Spadework answered 23/2, 2022 at 4:1 Comment(0)

We had the same problem on a CentOS7 machine. Disabling the VERIFYHOST VERIFYPEER did not solve the problem, we did not have the cURL error anymore but the response still was invalid. Doing a wget to the same link as the cURL was doing also resulted in a certificate error.

-> Our solution also was to reboot the VPS, this solved it and we were able to complete the request again.

For us this seemed to be a memory corruption problem. Rebooting the VPS reloaded the libary in the memory again and now it works. So if the above solution from @clover does not work try to reboot your machine.

Cote answered 8/6, 2016 at 10:54 Comment(1)

Make sure it's not intermittent. I had an issue with paypal and peer verification where sometimes it worked, sometimes it didn't. It seemed random. Explicitly setting up the cafile path and telling curl where it was solved the problem. – Roumell 10/10, 2019 at 20:24

Try below if working for you:

For SSL verification we need to set 2

CURLOPT_SSL_VERIFYHOST = 2
CURLOPT_SSL_VERIFYPEER = 2

For not verification we need to set 0

CURLOPT_SSL_VERIFYHOST = 0
CURLOPT_SSL_VERIFYPEER = 0

default is always false

Bauxite answered 19/5, 2023 at 5:58 Comment(1)

Hi, question is 10 years old... and the author updated it, saying it's resolved. Please read how to answer. Thank you – Weigand 19/5, 2023 at 10:32

Recommended topics

Hot tags