Problem with cURL and SSL/https

Posted on by Robert Thivierge

Recently, I had a need to to programmatically load a web page in my WordPress site’s custom plug-in. To do this, I used the cURL library that comes with PHP.

cURL is the name of a command line tool, as well as a code library in different languages, including PHP. It is useful for being able to access different internet hosts, including web hosts, to receive, and send data. Unfortunately, I found it has one giant hole in the default PHP installation. It doesn’t come with a “certificate” file that allows it access secure https/SSL pages on the web. As a result, I could load any “http” page, but not any “https” page. The “curl_exec” function simply returned “false” due to the error.

I use PHP as part of WAMP (Windows-Apache-MySQL-PHP) when developing web sites (the “live” version is on Linux, but I experiment and develop locally on Windows). As part of that installation, PHP was installed, with cURL support included. However, there is a setting in the “php.ini” configuration file called “curl.cainfo” which wasn’t set. That setting tells PHP/cURL where to look to find the Certificate Authority file, which allows cURL to securely access encrypted web content via the https/SSL.

I was able download cacert.pem at https://curl.se/docs/caextract.html . After downloading, I saved the file to C:\wamp64\bin\php\php7.3.21\extras\ssl” on my machine. I updated my “php.ini” file to have the following line: 

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = C:/wamp64/bin/php/php7.3.21/extras/ssl/cacert.pem

Of course, the proper directory varies for every installation, in part depending on what version of PHP is installed. After saving the file, and pointing to it, I had to shut everything down, and start all over. For me, I had to do a full reboot, as a simple stop/start services wasn’t sufficient.

I somewhat understand the reason for this not working “out of the box”, as it would be hard to include a certificate authority file with cURL that is always up-to-date and what the user wants. However, I think it would be better if cURL did not easily install, or simply didn’t work by default, without such a critical file being setup. A concerning thing, is that there is a setting for simply not using the certificate authority file, which means the SSL certificate of any website is not verified. Of course, that’s a giant security hole. Sadly many sites have taken the “easy” way out.

My code for using cURL looks something like this:

// This starts all uses of cURL
$curl_handle= curl_init();

// url is set the web page to open.  Works with "https" and other protocols.

curl_setopt($curl_handle, CURLOPT_URL, $url);  

 // so that "curl_exec" returns content to variable, not echo to screen

curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1); 

// This will return content of web page, or "false" if there is an error
$output = curl_exec($curl_handle);  

// close curl resource to free up system resources
curl_close($curl_handle);

If this post was helpful to you, feel free to let me know.