Not hacking CurlException: 60 (cURL SSL Certificate Verification)

php ssl curl certificate verify
John picture John · Sep 4, 2010 · Viewed 7.9k times · Source

The error that alot of people get with Facebook authentication is:

CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And the only information I can find about it suggest to add the following lines of code to curl:

$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;

I know this works, but what is going on here? Isn't there any server settings/configuraton that can be changed instead of hacking up facebook.php.

Answer

shamittomar picture shamittomar · Sep 4, 2010

What It Does & Meaning:

The following code tells the cURL to NOT verify that security certificates are correct. Hence, the error disappears.

  $opts[CURLOPT_SSL_VERIFYPEER] = false;
  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

When you connect to a remote server with SSL, their certificate might be invalid, expired, or not signed by a recognized CA. The cURL normally checks it.

CURLOPT_SSL_VERIFYHOST:

  • 1: to check the existence of a common name in the SSL peer certificate.
  • 2: to check the existence of a common name and also verify that it matches the hostname provided.

CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).

How to Enable & Verify Correctly:

To verify correctly, we need to to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonable* trust.

If the remote resource is protected by a certificate issued by one of the main CA's like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle which you can get from http://curl.haxx.se/docs/caextract.html

Save the file cacert.pem somewhere in your server and set the following options in your script.

curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE); 
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");

If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.

Related questions

HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK

I am using XAMPP for development. Recently I upgraded my installation of xampp from an old version to 1.7.3. Now when I curl HTTPS enabled sites I get the following exception Fatal error: Uncaught exception 'RequestCore_Exception' with message 'cURL resource: …

Read More
PHP - SSL certificate error: unable to get local issuer certificate

I'm running PHP Version 5.6.3 as part of XAMPP on Windows 7. When I try to use the Mandrill API, I'm getting the following error: Uncaught exception 'Mandrill_HttpError' with message 'API call to messages/send-template failed: SSL certificate problem: unable to …

Read More
cURL error 60: SSL certificate: unable to get local issuer certificate

I use WAMP on a local development environment and am trying to charge a credit card but get the error message: cURL error 60: SSL certificate problem: unable to get local issuer certificate I searched a lot on Google and lots …

Read More