Solved

ERROR: curl_exec error 60 SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Posted on 2016-10-19
Last Modified: 2016-10-24
Hello Experts,

This application was built by a developer that is no longer available (and very little documentation) and we are suddenly experiencing the following error after the user clicks the Paypal pay button.

ERROR: curl_exec error 60 SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I have done some research and it appears that the fix is to set CURLOPT_SSL_VERIFYPEER to FALSE or to add the CA Cert of the site you are trying to link to. The code is already set to false.

checkout_credits.ctp
<div style="padding-bottom:15px;">
<?php 
//echo $html->link(__('Edit Payment Type', true), array(null, 'action'=>'edit_student', $member_id),array('style'=>'border:solid 1px #808080;padding:2px //10px 2px 10px;'));  

// Kirby Glad HIT Web 801 376 2050 comment out this button 4/13/10
echo $form->button('Edit Payment Type', array('onclick' => "location.href=\"". INDEX_SECURE_URL.'members/edit_student/'.$member_id."\""));

?>
</div>
<div class="members form">
	<fieldset>
 		<legend><?php __('Buy Credits');?></legend>
	<?php
        
	?>

<?php 

echo "Price: $" . $price;
echo "<br /><br />";
echo $message;
//var_dump($_SESSION);
?>

<br /><br />
<?PHP //var_dump($_SERVER); ?>
    <?php //$_SERVER['SERVER_NAME'] == 'localhost'

        //https://www.paypal.com/en_US/i/btn/btn_xpressCheckout.gif' border='0' align='top' alt='PayPal'
        echo $html->image('https://www.paypal.com/en_US/i/btn/btn_xpressCheckout.gif', array(
            'alt'=>'PayPal',
			'style'=>'border:none;',
            'url'=>array('action'=>'express')));
        //echo $html->image('PayPal', 'https://www.paypal.com/en_US/i/btn/btn_xpressCheckout.gif', null, null, null);
        
    ?>
	</fieldset>
</div>



tpaypal_controller.php
<?php

App::import('Sanitize');

class TpaypalController extends AppController {

	var $name = 'Members';
	var $helpers = array('Html', 'Form', 'Number');

	//var $components = array('Auth', 'Paypal');

    var $components = array('Auth', 'Paypal', 'PhpBB3','Email', 'RequestHandler', 'Security');

    var $uses = array('Member', 'Language', 'LanguagesMember', 'MemberType', 'StudentsAndTutor', 'TutorLesson', 'StudentCompensation', 'Price', 'MemberInbox', 'AdminMessage');
    var $paginate = array(
        'limit' => 25,
		'AdminMessage' => array('limit'=>'10','conditions' => array('deleted'=>0),'order' => array('created'=>'desc')),
		'MemberInbox' => array('limit'=>'10','conditions' => array('deleted'=>0),'order' => array('created'=>'desc'))

        //'conditions' => array('member_type_id'=>2)
    );
    function beforeFilter(){
        $this->Auth->allow('home','languages','how','faq','contacts','ad_s', 'add_student', 'add_tutor', 'u_login', 'forgot_pw', 'reset_pw', 'reset_pw2','thanks');
        $this->Auth->loginAction = array('controller' => 'members', 'action' => 'login');
        $this->Auth->userScope = array('Member.active' => '1');
		
        $this->whoami();
		$this->layout = 'more';

    }

function express($callback = null)
{
    if (isset($callback) && isset($_REQUEST['csid']))
    {
        // Restore session
        
        if (!$this->Paypal->restoreSession($_REQUEST['csid']))
        {
            $this->redirect('/');
            exit;
        }
    }
    
    // Neither buyer nor credit card information since it
    // is handled by PayPal
    
    $order = array(
        'action' => CAKE_COMPONENT_PAYPAL_ORDER_TYPE_SALE,
        'description' => 'CakePHP Component',
        'total' => 40.00
    );
    
    // Set up common component's parameters

	$this->Paypal->setEnvironment(CAKE_COMPONENT_PAYPAL_ENVIRONMENT_SANDBOX);
    $this->Paypal->setUser('#####');
    $this->Paypal->setPassword('#');
	$this->Paypal->setSignature('#');
    //$this->Paypal->setCertificate('cert_perm.txt');
    $this->Paypal->setOrder($order);
    
    if (!isset($callback))
    {
        // First call, user gets redirected to PayPal
    
        $this->Paypal->setTokenUrl('http://www.mylanguagelounge.com/index.php/tpaypal/express/pay?csid=' . session_id());
        $this->Paypal->setCancelUrl('http://www.mylanguagelounge.com/index.php/tpaypal/express/cancel?csid=' . session_id());
 
        // Save current session
        
        $this->Paypal->storeSession();
    
        // Make payment via PayPal
        
        $result = $this->Paypal->expressCheckout();
        
        if ($result === false)
        {
            echo 'ERROR: ' . $this->Paypal->getError();
            exit;
        }
    }
    else if ($callback == 'cancel')
    {
        echo 'SNIFF... Why not?';
        exit;
    }
    else if ($callback == 'pay')
    {
        // Second call, make payment via PayPal
        
        $result = $this->Paypal->expressCheckout();
        
        // Check PayPal status
        
        if ($result === false)
        {
            echo 'ERROR: ' . $this->Paypal->getError();
            exit;
        }
        else
        {
            echo 'Woha! Got the money!';
            echo '<pre>'; print_r($result); echo '</pre>';
            exit;
        }
    }
}

}




Any suggestions would be greatly appreciated. Thank you
Question by:rcowen00
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41851049
If those are 'real' credentials, delete this question and start over.
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 41851070
Agree with Dave -- you do not want to expose real credentials like this.

But that said, you've got a cURL error, however there is nothing in the code that makes reference to a cURL function.  Can you find the part that uses cURL and show us that, please?
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41851088
I suspect that the curl code is in 'TpaypalController'.  It is undoubtedly out of date.  Paypal keeps sending notices out about requiring up to date TLS and ciphers.
 
LVL 34

Accepted Solution

by:gr8gonzo (earned 250 total points)
ID: 41851293
I have done some research and it appears that the fix is to set CURLOPT_SSL_VERIFYPEER to FALSE or to add the CA Cert of the site you are trying to link to. The code is already set to false.

NO!!! BAD!!!! Don't listen to the first part of that advice - it is 100% wrong. That's literally saying, "Well, I can't find my house keys, so the fix is to just leave my front door unlocked at all times." Disabling verify peer literally disables security checks that are important to HTTPS. It will make the error go away, but it leaves your script in a bad, insecure state. So whatever you do, DON'T turn off peer verification!

That said, the error message is just indicating it doesn't have the necessary certificates to validate that PayPal is actually PayPal during the secure connection / handshake.

This could be for a number of reasons.

1. You might be using an outdated version of cURL and/or OpenSSL (which is -usually- the engine behind cURL), and because of this, it might not know how to handle the latest certificates. It's ALWAYS a good idea to keep OpenSSL (and cURL, but OpenSSL is more important) up to date. Not only will it keep you up to date with the latest ciphers so you're using strong encryption, but it also avoids security vulnerabilities. So check to see which version of OpenSSL you're using (cURL has an information function that will dump all this information for you), and then you'll have to figure out how to update. This process depends a lot on how your server / hosting is set up.

2. It could be an out-of-date CA bundle. The CA bundle is a big file that contains all the major, recognized Certificate Authorities, like Verisign and so on. CAs will update their certificates from time to time, and if you don't update your bundle, then you might not be able to validate sites that get their certificates from new/updated CAs. The makers of cURL distribute a version of the CA bundle that can be used for cURL transactions like yours. You get it from here:

https://curl.haxx.se/docs/caextract.html
(Yes, it's a terrible domain name, but it really is the official cURL site.)

...or you can Google for "cURL CA bundle" and find one that way, too. Every year, schedule time to go visit that above URL and download the latest bundle.

Once it's downloaded, just tell cURL where to find the bundle and that should fix the issue.

You usually set it like this:
curl_setopt($ch,CURLOPT_CAINFO,'cacert.pem');

In some cases, you might need to provide the full path to the file:
curl_setopt($ch,CURLOPT_CAINFO,'/path/to/cacert.pem');

3. If PayPal is using its own certs, you might have to download those separately and point cURL to use those, but I'm pretty sure that's not the case. The updated CA bundle should handle the problem.
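A hardened version of the cURL call the accepted answer describes, as an added example that is not code from the original question or from the CakePHP PayPal component: peer verification stays on, the trust store is the cacert.pem bundle from the URL above, and CURLOPT_SSLVERSION is left unset so the protocol is negotiated. The endpoint URL, the bundle path and the form fields are placeholders.

```php
<?php
// Added example (not from the original post). Assumes cacert.pem was downloaded
// from https://curl.haxx.se/docs/caextract.html and saved beside this script.

/**
 * HTTPS POST with certificate verification kept ON.
 * Returns array('ok' => bool, 'body' => string|null, 'errno' => int, 'error' => string).
 */
function https_post_verified($url, array $fields, $caBundle)
{
    // Fail closed: a missing bundle is a deployment error, not a reason to
    // set CURLOPT_SSL_VERIFYPEER to false.
    if (!is_readable($caBundle)) {
        return array('ok' => false, 'body' => null, 'errno' => 0,
                     'error' => "CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // validate the server's certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,         // and that the certificate matches the host name
        CURLOPT_CAINFO         => realpath($caBundle), // full path, as the answer suggests
        CURLOPT_TIMEOUT        => 30,
        // CURLOPT_SSLVERSION is deliberately not set: cURL/OpenSSL negotiate the
        // newest protocol both sides support.
    ));

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        // errno 60 (CURLE_SSL_CACERT) is the error from the question: the peer's
        // chain could not be validated against the bundle given in CURLOPT_CAINFO.
        if ($errno === 60) {
            $error .= ' [peer certificate not trusted: refresh cacert.pem and check the OpenSSL version]';
        }
        return array('ok' => false, 'body' => null, 'errno' => $errno, 'error' => $error);
    }
    return array('ok' => true, 'body' => $body, 'errno' => 0, 'error' => '');
}

// Usage with placeholder values (the real PayPal endpoint and request fields
// belong to the Paypal component in the question, not to this example).
$result = https_post_verified(
    'https://api.example.com/endpoint',   // placeholder URL
    array('field' => 'value'),            // placeholder fields
    __DIR__ . '/cacert.pem'
);
if (!$result['ok']) {
    // Log rather than echo in production: the message can name local paths.
    error_log('curl_exec error ' . $result['errno'] . ' ' . $result['error']);
} else {
    echo strlen($result['body']) . " bytes received\n";
}
```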
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41851294
I also noticed this line:
//$this->Paypal->setCertificate('cert_perm.txt');

You might need to just uncomment that line and set it to the actual value. I'm not sure if it's looking for a CA bundle or PayPal certs specifically, but I'd suggest starting with the CA bundle.
 
LVL 14

Assisted Solution

by:Giovanni Heward (earned 125 total points)
ID: 41851314
As you can see by the output of sslscan below, paypal.com no longer supports SSLv3.  This means you'll need to set the CURLOPT_SSLVERSION option to support TLS 1.1 or higher.

curl_setopt($curl, CURLOPT_SSLVERSION, 6);


or
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);



sslscan output:
Version: 1.11.0 Windows 64-bit (Mingw)
OpenSSL 1.0.2 22 Jan 2015

Testing SSL server www.paypal.com on port 443

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Preferred TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA
Preferred TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  www.paypal.com
Altnames: DNS:history.paypal.com, DNS:t.paypal.com, DNS:c.paypal.com, DNS:c6.paypal.com, DNS:developer.paypal.com, DNS:p.paypal.com, DNS:www.paypal.com
Issuer:   Symantec Class 3 EV SSL CA - G3

Not valid before: Feb  2 00:00:00 2016 GMT
Not valid after:  Oct 30 23:59:59 2017 GMT
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41851322
It's usually best NOT to set CURLOPT_SSLVERSION at all. Not setting it will result in auto-negotiation of the strongest protocol and cipher that both client and server support. You should only set that option if you absolutely want to use a specific protocol, which is usually not the case unless you're debugging something.

Setting it only adds one more thing to break in the future. For example, I have clients who are trying to get off of TLS 1.0 at the moment because of its deprecation within PCI compliance, and I'm having to rework scripts that have this line of code in them. The simple fix 99.9% of the time is to comment out that line and let cURL and OpenSSL do what they normally do.
 
LVL 82

Assisted Solution

by:Dave Baldwin (earned 125 total points)
ID: 41851331
Note that the ciphers that come with PHP curl are dependent on the PHP version and the version of curl that comes with it.  PHP 5.3 with curl 7.30.0 doesn't work with recent TLS certs.  PHP 5.6 or greater with curl 7.39 or greater does still work.  PHP 7.08 with curl 7.49 also works here.
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 41851343
@gr8gonzo
Not setting it will result in auto-negotiation of the strongest protocol and cipher that both client and server support.

What's interesting is I ran into this same issue myself a while back. I didn't have any related options set (CURLOPT_SSLVERSION, CURLOPT_SSL_CIPHER_LIST, etc.), just the default. For the PHP/curl version combination I was using I had to explicitly specify TLSv1, otherwise it would fail with an SSLv3 error by default.
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41851392
@Dave - It's the underlying SSL engine (usually OpenSSL) that determines the compatibility with ciphers. cURL is just a wrapper around it all - all the heavy lifting, SSL handshakes, etc, are all done by OpenSSL. On Windows builds, the more recent the PHP version, usually the more recent the OpenSSL engine. If you compile your own, then you can use the latest OpenSSL build against an older version of PHP and cURL if you want. You might not have some of the SSL constants for TLS 1.1 and 1.2, but it'll still work with the hardcoded integer.

@Giovanni - That's pretty bizarre. It'd be worth seeing if that's still the case, and if so, run the destination site through an SSL scan to see what ciphers/protocols it supports. Maybe there's some issue with the handshake where it doesn't like the TLS ciphers and is falling back to SSLv3 for some reason?
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41851405
@gr8gonzo - The Windows version of the curl extension (php_curl.dll) that is included in PHP is complete and does not need any external support other than the libeay32.dll and ssleay32.dll (from OpenSSL) that come with it.  On my Ubuntu and CentOS systems, PHP includes a 'curl.so' extension that is tied to the PHP version.  'libcurl' is also there.

You might be able to upgrade and replace these OpenSSL support files... but most people aren't going to be able to.  I don't know if you can substitute a newer version of the DLLs for the older ones.

When I was running experiments last year with PHP curl, I had to explicitly set the TLS version also.  'auto' didn't work.
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41852251
@Dave - Right - it needs those libraries because it's depending on OpenSSL to do the work. To be clear, I'm not talking about the OpenSSL PHP extension. That extension simply exposes different functions from the same library set. cURL is its own extension for sure, but it's merely a wrapper / easy way to do SSL calls. That's why libcurl has varying support for different web protocols (e.g. LDAP, LDAPS, POP3, SMTP, IMAP, etc)... - It simply hands off its calls to another library to do the same work, but it has to be compiled with that support (on your Ubuntu/CentOS systems, download the source tarball for curl and then run ./configure --help to see all the flags and the corresponding libraries it uses). You can't build cURL with HTTPS support without having some kind of SSL engine (which is usually OpenSSL) libraries.

On Windows, you can't really upgrade just by swapping out DLLs (at least not reliably). You -can- build PHP on Windows, but it's usually easier just to upgrade the whole kit and kaboodle. Compiling/recompiling on Linux is far easier, especially if you've saved your exact configure commands and you stay consistent with how you manage your libraries.

If you use a package manager like yum or apt, it'll be harder to be guaranteed to be up to date, which is why I don't use package managers for mission-critical components like Apache and PHP and cURL and OpenSSL. Package managers always lag behind with releases, and sometimes you end up not getting any new versions after a while (CentOS tends to do this - I think CentOS 6 is still pushing PHP 5.3 via its official yum repositories).

Same as with Giovanni, I'm curious about you having to explicitly set the TLS version and what site it was on (and what cURL / OpenSSL version you were using).
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852440
At this point it would be impossible to tell since I started doing it on this computer with PHP 5.0 and now have code that sets the TLS version on a couple of dozen systems here and on the web. PHP curl would have been libcurl/7.21.0 OpenSSL/0.9.8q or earlier. The most recent versions I have on web hosting are PHP 5.5 with curl 7.39 and up.

And yes, my CentOS 6.7 box still has PHP 5.3. Hosting companies, in my experience, almost never upgrade existing servers. I have always had to move to a 'newer' server to get a newer version of PHP.
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41852513
So that might be why - the older version of cURL may not have had the protocol support necessary to make the proper calls to OpenSSL to make full use of what it was capable of.  The next time you set up a cURL call on your more recent versions, try it without setting the SSL version first.

Again, the upcoming PCI deprecation is going to lead to a lot of servers turning off TLS 1.0 support, which means that you might need to rework that code that you've got out there (and if cURL is still on an older version, you might need to use integers instead of constants to tell OpenSSL how to use TLS 1.1 or 1.2). Otherwise, if they're hardcoded to use TLS 1.0, then there's a good chance those calls will simply stop working within the next few months (whether anyone catches the failures or not is the next question).

Yeah, shared or managed hosting companies tend to fall behind. If you have shell access and the necessary tools installed (gcc, etc), then compiling components like PHP and Apache isn't that difficult and will let you stay up to date on security fixes on all of them. Once you get the compilation working the way you want it, maintenance is pretty painless (copy the configure line to the new version, tweak it as necessary, and re-run it, and you're good to go). I typically use the prefix flag so I can retain version-by-version builds in case I need to roll back, e.g.:
/usr/local/php-5.3.21
/usr/local/php-5.4.6
/usr/local/php-5.5.1
/usr/local/php-5.6.2
/usr/local/php -> /usr/local/php-5.6.2  (symbolic link so I can have /usr/local/php always point to the version I want to use, and I can deploy or roll back just by changing the link target).

I use yum to keep all the rest of the system components updated, and compile-from-source all the components that could be directly exposed to internet traffic.
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852613
You say above that "cURL has an information function that will dump all this information for you".  I need that on PHP curl and I haven't found it.  ??

Most of my Windows computers have multiple versions of PHP in different directories like you do.
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41852617
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852678
This is all I get from that:

CURL_VERSION_IPV6 matches
CURL_VERSION_KERBEROS4 does not match
CURL_VERSION_SSL matches
CURL_VERSION_LIBZ matches
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852703
If I add var_dump($version);, I get more.  But I still don't get anything like the response from SSLLABS above so I can't see what ciphers are supported.
array(9) {
  ["version_number"]=>
  int(466432)
  ["age"]=>
  int(3)
  ["features"]=>
  int(3005)
  ["ssl_version_number"]=>
  int(0)
  ["version"]=>
  string(6) "7.30.0"
  ["host"]=>
  string(13) "i386-pc-win32"
  ["ssl_version"]=>
  string(14) "OpenSSL/0.9.8y"
  ["libz_version"]=>
  string(5) "1.2.7"
  ["protocols"]=>
  array(19) {
    [0]=>
    string(4) "dict"
    [1]=>
    string(4) "file"
    [2]=>
    string(3) "ftp"
    [3]=>
    string(4) "ftps"
    [4]=>
    string(6) "gopher"
    [5]=>
    string(4) "http"
    [6]=>
    string(5) "https"
    [7]=>
    string(4) "imap"
    [8]=>
    string(5) "imaps"
    [9]=>
    string(4) "ldap"
    [10]=>
    string(4) "pop3"
    [11]=>
    string(5) "pop3s"
    [12]=>
    string(4) "rtsp"
    [13]=>
    string(3) "scp"
    [14]=>
    string(4) "sftp"
    [15]=>
    string(4) "smtp"
    [16]=>
    string(5) "smtps"
    [17]=>
    string(6) "telnet"
    [18]=>
    string(4) "tftp"
  }
}

 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852757
I modified my test program to use the default SSL_VERSION instead of selecting a version and it works the same as it did. On this computer, there is an error with one site about an unsupported protocol. On others with newer versions of PHP, there isn't a problem. I also turned back on CURLOPT_SSL_VERIFYHOST and no change. However, CURLOPT_SSL_VERIFYPEER must be false on my local computers because they do not have SSL/TLS certificates so there is no 'peer' to verify against. Setting CURLOPT_SSL_VERIFYPEER to true on my hosting that does have a certificate works fine.
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41852788
Yeah, the cipher lists aren't really exposed by curl_version because the ciphers / protocols belong to OpenSSL. You'd have to take the OpenSSL version:

 ["ssl_version"]=>
  string(14) "OpenSSL/0.9.8y"

...and then go look up the cipher/protocol list for that version, or find the OpenSSL binary for that version and run "openssl ciphers" to see the list:
https://www.openssl.org/docs/manmaster/apps/ciphers.html

You'd have to run the remote site through the SSL scan to get a nice display of the protocols / ciphers supported by the remote server. Alternatively, you can install/turn on Wireshark and then examine the handshake. Wireshark will give you a nice breakdown of the protocol and cipher within that handshake, as well as what the final cipher/protocol chosen was.

If you're connecting to a remote site that uses an SSL cert from a recognized CA like Verisign, then just download the CA bundle from cURL's site (mentioned earlier) and use CURLOPT_CAINFO to point cURL to the bundle. If it's a self-signed certificate or if it's signed by an internal / private CA, you can still download those public certificates and point cURL to those certificates. Once you've done it a few times, it's easy to continue doing, and it'll guarantee that you're not getting hit by a MITM attack or similar, and you don't have to turn off VERIFYPEER.
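Reading the curl_version() dump above in the way the last two comments describe, as an added diagnostic that is not code from the thread: it reports whether the cURL build has SSL support, which SSL backend it uses, and whether that backend, libcurl and the PHP constants are new enough for TLS 1.2 (OpenSSL 1.0.1 is the release that introduced TLS 1.1/1.2; libcurl 7.34.0 introduced the CURL_SSLVERSION_TLSv1_x values). The sample array is constructed from the values in the dump, and for it the function reports tls12_usable as false.

```php
<?php
// Added diagnostic example, not code from the thread. Uses only curl_version()
// (the "information function" mentioned earlier) plus constants PHP may define.

/**
 * Summarise what a cURL build can do for TLS from its curl_version() array.
 * $info defaults to the live build; pass an array to evaluate a pasted dump.
 */
function curl_tls_diagnostics(array $info = null)
{
    if ($info === null) {
        $info = curl_version();
    }
    $sslBackend = isset($info['ssl_version']) ? $info['ssl_version'] : '';
    $hasSsl     = (bool) ($info['features'] & CURL_VERSION_SSL);

    // OpenSSL/1.0.1 was the first release with TLS 1.1 and 1.2 support.
    $backendTls12 = null; // unknown for non-OpenSSL backends
    if (preg_match('#^OpenSSL/(\d+\.\d+\.\d+)#', $sslBackend, $m)) {
        $backendTls12 = version_compare($m[1], '1.0.1', '>=');
    }

    // libcurl 7.34.0 added the CURL_SSLVERSION_TLSv1_x values; the PHP constant
    // only exists in builds new enough to know it, otherwise the raw integer 6
    // (TLS 1.2) mentioned in the thread has to be used.
    $libcurlTls12  = version_compare($info['version'], '7.34.0', '>=');
    $constantTls12 = defined('CURL_SSLVERSION_TLSv1_2');

    return array(
        'curl'           => $info['version'],
        'ssl_backend'    => $sslBackend,
        'ssl_supported'  => $hasSsl,
        'backend_tls12'  => $backendTls12,
        'libcurl_tls12'  => $libcurlTls12,
        'constant_tls12' => $constantTls12,
        'tls12_usable'   => $hasSsl && $backendTls12 === true && $libcurlTls12,
    );
}

// Constructed sample built from the values in the var_dump above.
$sample = array(
    'version'     => '7.30.0',
    'ssl_version' => 'OpenSSL/0.9.8y',
    'features'    => 3005,
);
print_r(curl_tls_diagnostics($sample));
print_r(curl_tls_diagnostics()); // the build running this script
```

The cipher list itself is still not visible here; as the comment above says, that belongs to OpenSSL and needs "openssl ciphers" or a scan of the remote server.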
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852807
I have the bundles, I don't have a certificate on these computers.  The error said:

Error # 60 : Error message SSL certificate problem: unable to get local issuer certificate
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41852861
Maybe we should open up a separate question for this where you could attach the certificate from the remote server you're connecting to (so we're not hijacking the rest of this question) - I can walk you through the steps on how to set it up. :)
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41853067
Possible answers to the original question are:

1.  Find the PHP curl code and fix it if you can.  You may have to do that even if some of the other options are needed because if SSLv3 is indeed specified, it will no longer be accepted.

2.  Run phpinfo() and see what version of PHP and curl you have on that server.  You may need to upgrade the version of PHP / curl on that server.  gr8gonzo mentioned a couple of ways above.  

Make sure you have complete backups of the site and databases before you do anything.
 

Author Comment

by:rcowen00
ID: 41853078
Thank you for catching and removing the credentials gr8gonzo and everyone else. Too tired to be posting questions. I am reading all of your responses now. Thank you.
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41853417
Apparently I didn't have the CA bundle.  I downloaded it and added...

curl_setopt($ch,CURLOPT_CAINFO,'cacert.pem');

and set VERIFYPEER to true and it worked fine.  I still have one error with a site that has a newer SSL/TLS setup where I get...

Error # 35 : Error message Unknown SSL protocol error in connection to www.mysite.com:443

My other computers with newer versions of PHP and curl don't have that error.
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41853994
So "Unknown SSL protocol error" isn't related to the CA bundle or peer certificate verification. It's saying that the client and server can't agree on a mutually-acceptable protocol and cipher. Usually in these cases, I do a Wireshark packet capture and check out what the server says it supports, and then compare that against my local client versions.
 

Author Comment

by:rcowen00
ID: 41857719
Thank you for your assistance, this issue is beyond my scope and being moved to another department.  Thanks!