Fix curl SSL certificate problem

Fix curl SSL certificate problem

When using curl, from PHP, from time to time, I had to use some 3rd party API services. Today I would like to deep dive into common error when trying to connect to 3rd party services using HTTPS/SSL using curl.

When the certificate chain is not properly configured on the client app server that tries to establish a connection to 3rd party API service you will get an error. For example, in the case of a self-signed certificate is used, it can be:

SSL certificate problem: self signed certificate

Most of the developers do not try to solve this problem and force curl to establish SSL connection.

They add the following line (in bold), which is not secure:

$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

This is not the right solution as it basically discharges the essence of SSL that is establishing trust.

Solution for paranoids

If you are paranoid like me, the best solution is specifically exact certificate and make sure curl is using it. You will need to do the following:

  1. Extract public key from the 3rd party API server
  2. Save to file
  3. Configure curl to use this file

Let’s say you want to connect to https://www.google.com/ . Use the following command to extract certificates.

echo quit | openssl s_client -showcerts -servername \
  www.google.com -connect google.com:443

You will get something like this:

CONNECTED(00000005)
 depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
 verify return:1
 depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
 verify return:1
 depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
 verify return:1
 Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
    i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 -----BEGIN CERTIFICATE-----
 MIIDzzCCAregAwIBAgIQTAKF/mTTiunPDZ51KWg/EzANBgkqhkiG9w0BAQsFADBU
 XXXXXXXXXXXXXXXXX
 AWBQx3SbgohiAde4zLqtz/NJfQ==
 -----END CERTIFICATE-----
  1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
    i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
 -----BEGIN CERTIFICATE-----
 MIIEXDCCA0SgAwIBAgINAeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBMMSAw
  XXXXXXXXXXXXXXXXX
 c7o835DLAFshEWfC7TIe3g==
 -----END CERTIFICATE-----
 Server certificate
 subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
 issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 No client certificate CA names sent
 Server Temp Key: ECDH, X25519, 253 bits
 SSL handshake has read 2581 bytes and written 308 bytes
 New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
 Server public key is 256 bit
 Secure Renegotiation IS supported
 XXXXXXXX
 DONE

You need to copy all lines, starting from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—– and save it to a single file that will have full certificate chain file. For example certs.pem.

For example, the file will have the following contents (it can be 1 certificate too):

 -----BEGIN CERTIFICATE-----
 MIIDzzCCAregAwIBAgIQTAKF/mTTiunPDZ51KWg/EzANBgkqhkiG9w0BAQsFADBU
 XXXXXXXXXXXXXXXXX
 AWBQx3SbgohiAde4zLqtz/NJfQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIEXDCCA0SgAwIBAgINAeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBMMSAw
 XXXXXXXXXXXXXXXXX
 c7o835DLAFshEWfC7TIe3g==
 -----END CERTIFICATE-----

Now, the last thing. You need to configure PHP curl to use this certificate chain file now. You will need to add the following lines of code to your PHP program:

curl_setopt($ch, CURLOPT_CAINFO,  getcwd().'/certs.pem');

Hope this solution helps you. leave your comments.

I LOVE FEEDBACK 🙂

About the author

Yuli Stremovsky
Yuli StremovskyParanoid Security Guy
For the past 15 years I’ve been leading the evolution of startups and enterprises to achieve the highest level of security and compliance. Throughout my career I’ve been a Cyber Security expert and advanced solutions architect with many years of hands on experience both on offensive and defensive side. Knowledgeable at the highest level in application development, networking, data and databases, web applications, large scale Software as a Service solutions, cloud security and blockchain technologies.

I’ve been working with CISO’s of international enterprises, helping them set Information Security strategy, and overseeing the implementation of these recommendations. As part of these projects, I’ve been assisting companies to achieve compliance in GDPR, PCI, HIPAA and SOX.

Among my credits, I was a founder of a database security company GreenSQL/Hexatier which was acquired by Huawei and I’ve co-founded Kesem.io, Secure multi-signature Crypto wallet.

Specialties: Software and cloud architecture, Compliance (GDPR, HIPAA, PCI, SOX), blockchain technologies, software development, secure architectures, project management and low level research.