Can't connect to HTTPS site using cURL. Returns 0 length content instead. What can I do?

php curl https
alex picture alex · Nov 25, 2008 · Viewed 103.4k times · Source

I have a site that connects using cURL (latest version) to a secure gateway for payment.

The problem is cURL always returns 0 length content. I get headers only. And only when I set cURL to return headers. I have the following flags in place.

curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_URL, $gatewayURI);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_POST, 1);

The header returned is

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Tue, 25 Nov 2008 01:08:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Set-Cookie: ASPSESSIONIDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; path=/
Cache-control: private

I have also tried cURL'ing different sites and they return content fine. I think the problem might have something to do with the https connection.

I have spoken with the company and they are unhelpful.

Has anyone else experienced this error and know a work around? Should I ditch cURL and try and use fsockopen() ?

Thank you. :)

Answer

SchizoDuckie picture SchizoDuckie · Nov 25, 2008

I had the same problem today. Curl comes with an outdated file to authenticate HTTPS certificates from.

get the new one from:

http://curl.haxx.se/ca/cacert.pem

save it into some dir on your site

and add 

curl_setopt ($curl_ch, CURLOPT_CAINFO, dirname(__FILE__)."/cacert.pem");

To every request :-)

IGNORE any dumbass comments about disabling CURLOPT_VERIFYPEER and CURLOPT_VERIFYHOST!! That leaves your code vulnerable to man in the middle attacks!

December 2016 edit:

Solve this properly by using Jasen's method mentioned below.

add curl.cainfo=/etc/ssl/certs/ca-certificates.crt to you php.ini

October 2017 edit:

There is now a composer package that helps you manage the ca certificates, so that you're not vulnerable if your cacert.pem becomes outdated due to revoking certificates.

https://github.com/paragonie/certainty -> composer require paragonie/certainty:dev-master

Related questions

How to get file_get_contents() to work with HTTPS?

I'm working on setting up credit card processing and needed to use a workaround for CURL. The following code worked fine when I was using the test server (which wasn't calling an SSL URL), but now when I am testing …

Read More
PHP CURL CURLOPT_SSL_VERIFYPEER ignored

For some reason I am unable to use CURL with HTTPS. Everything was working fine untill I ran upgrade of curl libraries. Now I am experiencing this response when trying to perform CURL requests: Problem with the SSL CA cert (…

Read More
PHP CURL & HTTPS

I found this function that does an AWESOME job (IMHO): http://nadeausoftware.com/articles/2007/06/php_tip_how_get_web_page_using_curl /** * Get a web file (HTML, XHTML, XML, image, etc.) from a URL. Return an * array containing the HTTP …

Read More