
I just developed some software in PHP, using curllib to connect to Amazon, PayPal and WeChat. I want to verify certs and I found some params related to this:

CURLOPT_SSL_VERIFYPEER: I think if you want to verify the SSL cert, this param should be set to true;

but I am confused about CURLOPT_CAINFO and

curl_setopt($ch,CURLOPT_SSLCERTTYPE,'PEM');
curl_setopt($ch,CURLOPT_SSLCERT, $sslCertPath);
curl_setopt($ch,CURLOPT_SSLKEYTYPE,'PEM');
curl_setopt($ch,CURLOPT_SSLKEY, $sslKeyPath);

When should I set CURLOPT_CAINFO and when should I set the following 4 params?

I think CURLOPT_CAINFO is a param to make sure Amazon is Amazon, PayPal is PayPal;

the following 4 params are to confirm I am the real me; Amazon can confirm it by these 4 params.

Am I correct?

And I don't know how to get the CURLOPT_CAINFO CA? Because I think if I confirm Amazon is Amazon, I just verify the CA that Amazon sends me is enough, so why should I send a CA to Amazon?

3 Answers

Try this if you want to use CURLOPT_SSL_VERIFYPEER:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, __DIR__ . '/cacert.pem');

Download cacert.pem here: https://curl.haxx.se/docs/caextract.html

Usually, when you receive a certificate from a website, it contains the website's own certificate plus the intermediate certificate (the one that signed/issued the website's certificate). In order to verify them both, you must have a list of root certificates (CA is short for Certificate Authority), which is called a "CA bundle" and usually lives at /etc/ssl/certs/ca-bundle.crt. The intermediate certificate (there can be more than one intermediate certificate; each of them will/must be signed by the next one up in the chain) must be signed by a root certificate in order to be trusted.

So the purpose of CURLOPT_CAINFO is to allow you to specify the pathname of ca-bundle.crt if it cannot be found automatically by cURL, or if you want to check against your custom root certificate(s).

The purpose of CURLOPT_SSLCERT and CURLOPT_SSLKEY is to present a client certificate (as opposed to a server one) so that the server can verify your identity (usually used for online banking so that you can sign your transactions); most probably you do not need these in your use case.

The purpose of CURLOPT_SSL_VERIFYPEER is for you to be able to force cURL to skip verification of the server certificate, in case your CA bundle is not up to date or missing altogether.

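An added example (not code from the question or from any answer) that puts the distinction above into one helper: the CA bundle verifies the server (CURLOPT_CAINFO), the optional client cert/key pair identifies you (CURLOPT_SSLCERT/CURLOPT_SSLKEY). The URL and the file paths are assumptions; replace them with your own.

```php
<?php
// Added example, not from the original question or answers.
// Build a cURL handle that verifies the server and, only when the API
// requires mutual TLS, presents a client certificate. Paths are placeholders.
function makeVerifiedCurl(string $url, string $caBundle,
                          ?string $clientCert = null, ?string $clientKey = null)
{
    // A missing or unreadable bundle makes every verified request fail,
    // so check it up front instead of "fixing" it by disabling verification.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    // Server identity: verify the chain against the bundle (VERIFYPEER +
    // CAINFO) and verify that the cert's name matches the URL's host (VERIFYHOST=2).
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    // Your identity: only when the remote API issued you a client certificate.
    // Amazon/PayPal/WeChat REST calls normally do not need this, so leave it unset.
    if ($clientCert !== null && $clientKey !== null) {
        curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM');
        curl_setopt($ch, CURLOPT_SSLCERT, $clientCert);
        curl_setopt($ch, CURLOPT_SSLKEYTYPE, 'PEM');
        curl_setopt($ch, CURLOPT_SSLKEY, $clientKey);
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Assumed URL and bundle location (cacert.pem from the curl CA extract page).
$ch = makeVerifiedCurl('https://api.example.com/', __DIR__ . '/cacert.pem');
$body = curl_exec($ch);
if ($body === false) {
    // A chain that does not verify against the bundle surfaces here as
    // CURLE_SSL_CACERT (60); a host-name mismatch is also reported as an error.
    fwrite(STDERR, 'cURL error ' . curl_errno($ch) . ': ' . curl_error($ch) . "\n");
} else {
    echo 'Verified response of ' . strlen($body) . " bytes\n";
}
curl_close($ch);
```

Keep the bundle current: a stale cacert.pem produces the same error 60 as a genuinely untrusted server, and the right response is to update the file, not to set CURLOPT_SSL_VERIFYPEER to false.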

So after downloading this cacert.pem file into your project, in PHP you can now do this:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/cacert.pem");

Alternatively, this can be set globally by adding the following to your php.ini:

curl.cainfo=/path/to/cacert.pem

Hope this helps you.
