
I got instructions from an organisation on how to connect to their server with a CA, key and cert. I tried it in the terminal successfully with the following:

    openssl s_client -connect api-system3.xxxx.com:443 -CAfile teliasonerarootcav1.cer -cert BolagACert.crt -key BolagAKey.key

and then a GET request. It seems to return OK:

    CONNECTED(00000003)
    depth=2 O = TeliaSonera, CN = TeliaSonera Root CA v1
    verify return:1
    depth=1 C = FI, O = TeliaSonera, CN = TeliaSonera Server CA v2
    verify return:1
    depth=0 C = SE, L = XXXXX, O = XXXXX, OU = IT, CN = *.XXXX.COM
    verify return:1
    ---
    Certificate chain
     0 s:/C=SE/L=XXXXX/O=XXXXX/OU=IT/CN=*.XXXXXX
       i:/C=FI/O=TeliaSonera/CN=TeliaSonera Server CA v2
     1 s:/C=FI/O=TeliaSonera/CN=TeliaSonera Server CA v2
       i:/O=TeliaSonera/CN=TeliaSonera Root CA v1
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    XXXXXX
    -----END CERTIFICATE-----
    subject=/C=XX/L=XXXXX/O=XXXXXX/OU=IT/CN=*.XXXXXX.COM
    issuer=/C=FI/O=TeliaSonera/CN=TeliaSonera Server CA v2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3879 bytes and written 441 bytes
    ---
    New, TLSv1/SSLv3, Cipher is XXXXX
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : XXXXX
        Session-ID: XXXXXX
        Session-ID-ctx: 
        Master-Key: XXXXXX
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1517505794
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    GET /XXXXXX/
    depth=2 O = TeliaSonera, CN = TeliaSonera Root CA v1
    verify return:1
    depth=1 C = FI, O = TeliaSonera, CN = TeliaSonera Server CA v2
    verify return:1
    depth=0 C = XX, L = XXXX, O = XXXXX, OU = IT, CN = *.XXXXX.COM
    verify return:1
    read R BLOCK
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://www.xxxxx.com/">here</a>.</p>
    <hr>
    <address>Apache Server at system3-jas123.system3.xxxxx.com Port 443</address>
    </body></html>
    read:errno=0

I am trying to implement this as a PHP cURL request, but the code below generates the error: `The requested URL returned error: 403 Forbidden`

Any thoughts what is wrong?

Code:

    <?php
    // Same CA bundle, client certificate and client key as in the s_client test above
    $CAfile  = getcwd()."/teliasonerarootcav1.cer";
    $pemfile = getcwd()."/BolagACert.crt";
    $keyfile = getcwd()."/BolagAKey.key";
    $url = "https://xxxx.com/xxxxx";

    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
    // 2 = check that the certificate name matches the host; the value 1 is rejected by current libcurl, use 2
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // With FAILONERROR set, curl_exec() returns false for any HTTP status >= 400 and the response body is discarded
    curl_setopt($ch, CURLOPT_FAILONERROR, 1);
    curl_setopt($ch, CURLOPT_SSLCERT, $pemfile);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)');
    curl_setopt($ch, CURLOPT_CAINFO,  $CAfile);
    curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM');
    curl_setopt($ch, CURLOPT_SSLKEY, $keyfile);
    $ret = curl_exec($ch);

    // if error
    if ($ret === false) {
        $info = curl_error($ch);
        curl_close($ch);
        die('Error: ' . $info);
    }

    curl_close($ch);

    echo "<pre>";
    print_r(json_decode($ret, true));
    echo "</pre>";
  • It might be that the site tries to block non-browsers. See for example PHP Curl gets 403 error, but browser from same machine can request page?. Another thing is that your openssl s_client command might not access the same endpoint as curl in case the server behaves differently when accessed with different hostnames - use -servername option to test this. Commented Feb 1, 2018 at 17:59
  • I tried -servername xxxx.com in the terminal but got the exact same response. Commented Feb 1, 2018 at 19:15
  • When you redact important information like $url = "https://xxxx.com/xxxxx";, we cannot help with the problem. Since Stack Overflow hides the Close reason from you: Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. Questions without a clear problem statement are not useful to other readers. See: How to create a Minimal, Complete, and Verifiable example. Commented Feb 1, 2018 at 20:29

1 Answer

SSL and HTTP response codes are two different stories. First you use SSL to connect to the server, then the server processes the request and returns a response code. In your openssl dump there's nothing about what the HTTP response code is, so it may actually have returned 403. On the other hand, the 403 response in PHP means you got the connection set up correctly and the server does process your request. Please check if the API requires some kind of credentials passed along.

2 Comments

403 Forbidden is returned, what does this exactly mean?
This means the server wants your script to "login", i.e. provide some way to identify itself (like an API key, or partner ID, or user&password, or an authentication token, or I don't know what) and to prove it has enough privilege to execute requests. Please refer to the API's documentation or to its support team for the details.
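The answer's point, that the TLS handshake and the HTTP status are decided at different layers, can be made visible in PHP. Two details worth knowing: the `GET /XXXXXX/` typed into s_client has no HTTP version, so the server treats it as an HTTP/0.9 request and answers with the body only (that is why the 302 page came back without a status line), and `CURLOPT_FAILONERROR` makes `curl_exec()` discard the body of a 403, which is usually where the server says what credential it wants. The script below is an added example, not code from the question or the answer; the URL and file paths are placeholders. It sends a proper HTTP/1.1 request with the client certificate, then reports the certificate verification result, the status code, and the response headers and body separately, so a transport-level failure is distinguishable from an application-level rejection.

```php
<?php
// Added example, not from the original post. Separates the TLS verification
// result from the HTTP response of a mutual-TLS request. Paths and URL are placeholders.

function mtls_request(string $url, string $caFile, string $certFile, string $keyFile): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,   // keep response headers (e.g. WWW-Authenticate) in the output
        CURLOPT_FAILONERROR    => false,  // a 4xx/5xx is a completed transfer; we want to see its body
        CURLOPT_FOLLOWLOCATION => false,  // surface a redirect (like the 302 in the s_client dump) instead of hiding it
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,      // 2 = certificate name must match the host
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_SSLCERT        => $certFile,
        CURLOPT_SSLCERTTYPE    => 'PEM',
        CURLOPT_SSLKEY         => $keyFile,
        CURLOPT_SSLKEYTYPE     => 'PEM',
        CURLOPT_CERTINFO       => true,   // collect the server certificate chain curl actually saw
    ]);

    $raw = curl_exec($ch);

    if ($raw === false) {
        // Only transport-level failures land here: DNS, TCP, TLS handshake, certificate verification.
        $result = [
            'stage' => 'transport',
            'errno' => curl_errno($ch),
            'error' => curl_error($ch),
        ];
        curl_close($ch);
        return $result;
    }

    // The handshake succeeded; everything below is the application's verdict on the request.
    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $result = [
        'stage'        => 'http',
        'status'       => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'tls_verify'   => curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT), // 0 = chain verified, same meaning as "Verify return code: 0 (ok)"
        'headers'      => substr($raw, 0, $headerSize),
        'body'         => substr($raw, $headerSize),
        'server_certs' => curl_getinfo($ch, CURLINFO_CERTINFO),
    ];
    curl_close($ch);
    return $result;
}

$r = mtls_request(
    'https://api.example.invalid/path',   // placeholder for the real API URL
    __DIR__ . '/teliasonerarootcav1.cer',
    __DIR__ . '/BolagACert.crt',
    __DIR__ . '/BolagAKey.key'
);

if ($r['stage'] === 'transport') {
    // The request never reached the application layer; this is the layer openssl s_client tests.
    fwrite(STDERR, "transport error {$r['errno']}: {$r['error']}\n");
    exit(1);
}

echo "TLS verify result: {$r['tls_verify']} (0 = ok)\n";
echo "HTTP status: {$r['status']}\n";
echo $r['headers'];
if ($r['status'] === 401 || $r['status'] === 403) {
    // Rejected after a successful handshake: look for WWW-Authenticate or an API-key requirement
    // in the headers and body, and in the API documentation.
    echo "Request rejected at the HTTP layer; the client certificate was accepted but the API wants additional credentials.\n";
}
echo $r['body'];
```

Run it from the directory holding the three files. A `transport` result with a non-zero errno points at the certificate chain or key; an `http` result with `tls_verify` 0 and status 403 reproduces the situation in the question, and the printed headers and body are where the server's requirement (an API key, a token, a different path) is most likely to be stated.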
