
Not hacking CurlException: 60 (cURL SSL Certificate Verification)

The error that a lot of people get with Facebook authentication is:

CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And the only information I can find about it suggests adding the following lines of code to curl:

$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;

I know this works, but what is going on here? Aren't there any server settings/configuration that can be changed instead of hacking up facebook.php?

John asked Sep 04 '10 15:09


People also ask

How do I skip SSL verification in curl?

To bypass SSL certificate validation for local and test servers, you can pass the -k or --insecure option to the Curl command. This option explicitly tells Curl to perform "insecure" SSL connections and file transfers. Curl will ignore any security warnings about an invalid SSL certificate and accept it as valid.

How do I fix curl error 60 SSL certificate problem certificate has expired?

The only solution to this problem is to get your host to update the root certificate on your server. So, you need to contact your server host and ask them to insert a new cacert.pem file into their servers, and configure it within their php.ini file.

How do I fix curl 60 SSL certificate problem self-signed certificate?

The error you have encountered claims your certificate is self-signed, so it's non-trusted by default. That's why you are getting the OpenSSL warning. To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.


2 Answers

In my case, I could not use curl_setopt, because I could not edit the Facebook API classes (conditions of the project I was working in).

I solved the problem by adding the path to cacert.pem, downloaded from http://curl.haxx.se/docs/caextract.html, to my php.ini:

[curl]
curl.cainfo = "c:\wamp\cacert.pem"

malloc4k answered Nov 15 '22 05:11


What It Does & Meaning:

The following code tells the cURL to NOT verify that security certificates are correct. Hence, the error disappears.

  $opts[CURLOPT_SSL_VERIFYPEER] = false;
  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

When you connect to a remote server with SSL, their certificate might be invalid, expired, or not signed by a recognized CA. The cURL normally checks it.

CURLOPT_SSL_VERIFYHOST:

  • 1: to check the existence of a common name in the SSL peer certificate.
  • 2: to check the existence of a common name and also verify that it matches the hostname provided.

CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).


How to Enable & Verify Correctly:

To verify correctly, we need to verify that the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonably* trust.

If the remote resource is protected by a certificate issued by one of the main CAs like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle which you can get from http://curl.haxx.se/docs/caextract.html

Save the file cacert.pem somewhere in your server and set the following options in your script.

curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE); 
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");

If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.

shamittomar answered Nov 15 '22 03:11
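
The verification setup described in the answers above, as an added PHP example that is not part of either answer or of the Facebook SDK: it keeps both checks on, trusts only a named CA bundle, and handles the self-signed case by writing a private copy of the bundle with the extra certificate appended. The function names `fetch_verified` and `bundle_with_extra_cert`, the file paths and the URL are placeholders chosen for illustration; the curl and openssl extensions are assumed to be loaded.

```php
<?php
// Added example; function names, file paths and the URL are placeholders.

// Build a private bundle: the downloaded cacert.pem plus one extra PEM
// certificate (the self-signed case). The original bundle is not modified.
function bundle_with_extra_cert(string $bundle, string $extraCert, string $out): string
{
    $extra = file_get_contents($extraCert);
    if ($extra === false || openssl_x509_read($extra) === false) {
        throw new RuntimeException("Not a PEM certificate: $extraCert");
    }
    $base = file_get_contents($bundle);
    if ($base === false) {
        throw new RuntimeException("CA bundle not readable: $bundle");
    }
    file_put_contents($out, rtrim($base) . "\n" . trim($extra) . "\n");
    return $out;
}

// GET $url with peer and host verification on, trusting only $caBundle.
function fetch_verified(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_SSL_VERIFYPEER => true,      // validate the chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate name must match the host
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);            // 60 is the error from the question
        throw new RuntimeException("cURL error $errno: " . curl_error($ch));
    }
    return $body;
}

// Usage: php fetch.php https://graph.facebook.com/ /path/to/cacert.pem [extra.pem]
if (PHP_SAPI === 'cli' && $argc >= 3) {
    $bundle = $argv[2];
    if ($argc >= 4) {
        $bundle = bundle_with_extra_cert($bundle, $argv[3], sys_get_temp_dir() . '/cacert-plus.pem');
    }
    echo strlen(fetch_verified($argv[1], $bundle)), " bytes received over a verified connection\n";
}
```

If the request still fails with error 60 against this bundle, the chain presented by the server does not lead to any certificate in the file, which is the condition the two options in the question were hiding.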