
I would like to be able to read the SSL certificate information with CURL. From the Linux console I get this response header:

GET https://www.google.com/ -ed
Cache-Control: private, max-age=0
Connection: close
Date: Sun, 20 Jun 2010 21:34:12 GMT
Server: gws
Content-Type: text/html; charset=ISO-8859-1
Expires: -1
Client-Date: Sun, 20 Jun 2010 21:34:18 GMT
Client-Peer: 66.102.13.106:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
Client-SSL-Cert-Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
Client-SSL-Cipher: RC4-SHA
Client-SSL-Warning: Peer certificate not verified
Set-Cookie: PREF=ID=4d56960f6e3ad831:TM=1277069652:LM=1277069652:S=GF-w8Yc-_61NBzzJ; expires=Tue, 19-Jun-2012 21:34:12 GMT; path=/; domain=.google.com
Title: Google
X-XSS-Protection: 1; mode=block

But with CURL the header is much shorter:

HTTP/1.1 200 OK
Date: Sun, 20 Jun 2010 21:39:07 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=2d4fb1c933eebd09:TM=1277069947:LM=1277069947:S=6_TgGKzD0rM4IWms; expires=Tue, 19-Jun-2012 21:39:07 GMT; path=/; domain=.google.com
Server: gws
X-XSS-Protection: 1; mode=block
Transfer-Encoding: chunked

Is there any possibility to get this information, the full header, with CURL or with some other PHP function?

Answers

5

No. EDIT: A CURLINFO_CERTINFO option has been added to PHP 5.3.2. See http://bugs.php.net/49253

Apparently, that information is being given to you by your proxy in the response headers. If you want to rely on that, you can set curl's CURLOPT_HEADER option to true to include the headers in the output.

However, to retrieve the certificate without relying on some proxy, you must do the following:

<?php
// Ask the ssl:// stream wrapper to keep the server's certificate after the handshake
$g = stream_context_create (array("ssl" => array("capture_peer_cert" => true)));
// Opening the URL performs the TLS handshake (this needs allow_url_fopen)
$r = fopen("https://www.google.com/", "rb", false, $g);
// The captured certificate is exposed through the stream's context parameters
$cont = stream_context_get_params($r);
var_dump($cont["options"]["ssl"]["peer_certificate"]);

You can manipulate the value of $cont["options"]["ssl"]["peer_certificate"] with the OpenSSL extension.

EDIT: This option is better since it doesn't actually make the HTTP request and does not require allow_url_fopen:

<?php
// Same capture option, but on a raw TLS socket: only the handshake happens, no HTTP request
$g = stream_context_create (array("ssl" => array("capture_peer_cert" => true)));
$r = stream_socket_client("ssl://www.google.com:443", $errno, $errstr, 30,
    STREAM_CLIENT_CONNECT, $g);
// Read the captured certificate back out of the context
$cont = stream_context_get_params($r);
var_dump($cont["options"]["ssl"]["peer_certificate"]);

Tuesday, December 13, 2022
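
The following is an added example, not code from the answer above or from PHP's documentation. It uses the same capture_peer_cert mechanism, but keeps peer and hostname verification switched on and parses the captured certificate with the OpenSSL extension (subject, issuer, SANs, validity, SHA-256 fingerprint). It assumes PHP 7.4 or later with ext/openssl; the function name inspect_tls_peer and the script name are my own.

```php
<?php
// Added example (not code from the answer above): the same capture_peer_cert
// mechanism, but with verification turned on and the captured certificate
// parsed with ext/openssl. Assumes PHP >= 7.4 with the openssl extension.

/** Open a TLS connection, capture the peer certificate and return its details. */
function inspect_tls_peer(string $host, int $port = 443, int $timeout = 10): array
{
    $ctx = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,   // validate the chain against the system CA bundle
            'verify_peer_name'  => true,   // check the host name against CN / subjectAltName
            'capture_peer_cert' => true,   // keep the leaf certificate for inspection
            'peer_name'         => $host,  // name to verify; also sent as SNI
        ],
    ]);

    $sock = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, $timeout,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // With verify_peer on, an untrusted, expired or wrongly named certificate
        // fails the handshake here instead of being accepted silently.
        throw new RuntimeException("TLS handshake with {$host}:{$port} failed: {$errstr}");
    }

    $cert = stream_context_get_params($sock)['options']['ssl']['peer_certificate'];
    fclose($sock);

    $x = openssl_x509_parse($cert);
    if ($x === false) {
        throw new RuntimeException('could not parse the peer certificate');
    }

    // subjectAltName is returned as a string such as "DNS:a.example, DNS:b.example"
    $dnsNames = [];
    foreach (explode(',', $x['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $dnsNames[] = substr($entry, 4);
        }
    }

    return [
        'subject_cn' => $x['subject']['CN'] ?? '',
        'issuer_cn'  => $x['issuer']['CN'] ?? '',
        'issuer_o'   => $x['issuer']['O'] ?? '',
        'dns_names'  => $dnsNames,
        'not_before' => gmdate('Y-m-d H:i:s', $x['validFrom_time_t']) . ' UTC',
        'not_after'  => gmdate('Y-m-d H:i:s', $x['validTo_time_t']) . ' UTC',
        'days_left'  => intdiv($x['validTo_time_t'] - time(), 86400),
        'sha256'     => openssl_x509_fingerprint($cert, 'sha256'),
    ];
}

// Usage: php inspect_tls.php www.google.com
$info = inspect_tls_peer($argv[1] ?? 'www.google.com');
foreach ($info as $k => $v) {
    printf("%-11s %s\n", $k . ':', is_array($v) ? implode(', ', $v) : $v);
}
if ($info['days_left'] < 30) {
    fwrite(STDERR, "warning: certificate expires in {$info['days_left']} days\n");
}
```

Because verify_peer and verify_peer_name are on, a certificate that does not chain to the system bundle never reaches the parsing step; the handshake error carries the reason. Under the original snippet (verification defaulted to off before PHP 5.6) the script would happily print the details of a certificate presented by anyone sitting on the path.
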
2
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);

Change that to 1. Also, set this after CURLOPT_SSL_VERIFYPEER:

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

Thursday, September 8, 2022
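
As an added example, not code from either answer above, here is the cURL side of the first answer's CURLINFO_CERTINFO remark combined with the verification options this answer touches: headers are fetched with CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST left enabled (setting VERIFYHOST to false turns host name checking off entirely), and the certificate chain is read back with CURLINFO_CERTINFO. It assumes PHP 5.3.2 or later with ext/curl; the function name and the optional $caBundle path are my own.

```php
<?php
// Added example (not code from the answers above): read response headers and
// the server certificate chain with cURL while keeping peer and host name
// verification enabled. CURLOPT_CERTINFO / CURLINFO_CERTINFO exist in
// PHP >= 5.3.2 as the first answer notes. $caBundle is an assumed path.

function curl_head_with_certinfo(string $url, ?string $caBundle = null): array
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_NOBODY         => true,  // HEAD request: we only want the headers
        CURLOPT_HEADER         => true,  // include the response headers in the output
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 5,
        CURLOPT_SSL_VERIFYPEER => true,  // validate the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,     // 2 = the certificate must match the host name
        CURLOPT_CERTINFO       => true,  // ask libcurl to expose the certificate chain
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;  // explicit bundle instead of the built-in default
    }
    curl_setopt_array($ch, $opts);

    $headers = curl_exec($ch);
    if ($headers === false) {
        // error 60 (51 on older libcurl): the certificate did not verify
        $err = sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($err);
    }

    $chain = [];
    foreach (curl_getinfo($ch, CURLINFO_CERTINFO) as $c) {  // one entry per certificate
        $chain[] = [
            'subject' => $c['Subject'] ?? '',
            'issuer'  => $c['Issuer'] ?? '',
            'expires' => $c['Expire date'] ?? '',
        ];
    }
    curl_close($ch);

    return ['headers' => $headers, 'chain' => $chain];
}

// Usage: php curl_certinfo.php https://www.google.com/
$result = curl_head_with_certinfo($argv[1] ?? 'https://www.google.com/');
echo $result['headers'];
foreach ($result['chain'] as $i => $c) {
    printf("[%d] subject: %s\n    issuer:  %s\n    expires: %s\n",
           $i, $c['subject'], $c['issuer'], $c['expires']);
}
```

CURLINFO_CERTINFO is only populated by TLS backends that support it (OpenSSL, GnuTLS and Schannel among them); with other backends the array comes back empty even though the connection succeeded, so treat an empty chain as "not available" rather than "no certificate".
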
 
promo
 
3

Identify or detect the character encoding and convert the data to UTF-8 if necessary.

For HTML (i.e. text/html) there are three ways to specify the character encoding:

  1. An HTTP "charset" parameter in a "Content-Type" field.
  2. A META declaration with "http-equiv" set to "Content-Type" and a value set for "charset".
  3. The charset attribute set on an element that designates an external resource.

If none of these is present, you might do some content sniffing or switch to some default character encoding (e.g. ISO 8859-1).

If the identified/detected character encoding is not UTF-8, you then can convert the data to UTF-8 with iconv or mb_convert_encoding.

Monday, August 22, 2022
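
The detection order described in this answer, as an added example that is not the answerer's code: the HTTP Content-Type charset parameter is checked first, then a meta declaration in the document prologue, then the default, and the body is converted to UTF-8 with mb_convert_encoding. The third source in the list (a charset attribute on an element pointing at an external resource) describes that resource rather than the document itself, so it is not consulted here. It assumes PHP 7.0 or later with ext/mbstring; the function names and the sample body are my own.

```php
<?php
// Added example, not from the original answer: choose the charset for an HTML
// body from the sources listed above (HTTP header, then <meta>, then default)
// and convert the body to UTF-8. Assumes PHP >= 7.0 with ext/mbstring.

function detect_html_charset(string $contentType, string $body, string $default = 'ISO-8859-1'): string
{
    // 1. the charset parameter on the HTTP Content-Type header takes precedence
    if (preg_match('/;\s*charset\s*=\s*"?([A-Za-z0-9._-]+)"?/i', $contentType, $m)) {
        return strtoupper($m[1]);
    }
    // 2. <meta http-equiv="Content-Type" content="text/html; charset=..."> or the
    //    HTML5 form <meta charset="...">; only the first 2 KiB is scanned, which is
    //    also where browsers expect to find the declaration
    $prologue = substr($body, 0, 2048);
    if (preg_match('/<meta[^>]*charset\s*=\s*["\']?\s*([A-Za-z0-9._-]+)/i', $prologue, $m)) {
        return strtoupper($m[1]);
    }
    // 3. no declaration at all: fall back to the configured default
    return strtoupper($default);
}

function html_to_utf8(string $contentType, string $body): string
{
    $charset = detect_html_charset($contentType, $body);
    if ($charset === 'UTF-8' || $charset === 'UTF8') {
        return $body;
    }
    // The charset name comes from the remote side. An unknown name makes
    // mb_convert_encoding throw a ValueError (PHP 8) or return false (PHP 7);
    // either way fall back to Latin-1 instead of failing the whole request.
    try {
        $converted = @mb_convert_encoding($body, 'UTF-8', $charset);
    } catch (\ValueError $e) {
        $converted = false;
    }
    return $converted === false ? mb_convert_encoding($body, 'UTF-8', 'ISO-8859-1') : $converted;
}

// Constructed sample input (not real traffic): a Latin-1 body whose charset is
// declared only in a <meta> tag, served with a bare "text/html" header.
$body = "<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=ISO-8859-1\">"
      . "</head><body>Caf\xE9</body></html>";

printf("detected: %s\n", detect_html_charset('text/html', $body));
$utf8 = html_to_utf8('text/html', $body);
printf("valid UTF-8 after conversion: %s\n", mb_check_encoding($utf8, 'UTF-8') ? 'yes' : 'no');
printf("converted body: %s\n", $utf8);
```

The header wins over the meta tag on purpose: when the two disagree, the transport-level declaration is the one the server actually configured, and a meta tag inside a body is content the page author (or whoever injected into it) controls.
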
 
shmck
 
2

How to parse the expiration date from the certificate

Cast it to an X509Certificate and call getNotAfter().

How to determine the certificate chain, e.g., the github certificate with chains

You've got it. That's what the Certificate[] array is, as it says in the Javadoc.

How did I know which certificate to get the expiration date from?

Read the Javadoc. "The peer's own certificate first followed by any certificate authorities".

However I don't know why you're doing any of this. Java should already do it all for you.

And please throw away that insecure and incorrect TrustManager implementation. The correct way to handle self-signed certificates is to import them into the client truststore. Please also throw away your insecure HostnameVerifier, and use the default one, or a secure one. Why use HTTPS at all if you don't want it to be secure?

Tuesday, December 27, 2022
 
kihu
 
2

The answer to this problem is that the root certificate displayed for https://www.google.com in IE11, "GeoTrust Global CA," is cross-rooted to an older GeoTrust root certificate named "Equifax Secure Certificate Authority." When the "GeoTrust Global CA" certificate that displays as the root in the 3-certificate chain showing in my IE11 is used by my PHP script as the root certificate for https://www.google.com my PHP script can't authenticate https://www.google.com's certificate BECAUSE THE REAL ROOT CERTIFICATE FOR https://www.google.com ISN'T THE "GeoTrust Global CA" CERTIFICATE BUT THE GeoTrust "Equifax Secure Certificate Authority" certificate. Once I figured this out, I used the "Equifax Secure Certificate Authority" in my PHP .PEM file and I successfully validated the https://www.google.com certificate.

You can see how the cross-rooting takes place by doing the following (I used IE11 for this):

  1. Open a BLANK https://www.google.com Web page
  2. Click the padlock icon in the URL window, then click "View certificates."
  3. The Certificates window for https://www.google.com appears. Click the Certification Path tab. The certificate chain of three certificates will be displayed. The "GeoTrust Global CA" certificate shows as the root certificate - BUT THAT'S NOT TRUE.
  4. Close the Certificate window. In the "Run" box in the Start Menu (I'm using Windows 7) type "certmgr.msc" and click the "OK" button. This will launch Windows' Certificate Manager.
  5. Click the "Trusted Root Certification Authorities" entry in the left pane, then click "Certificates."
  6. In the right pane, locate the "GeoTrust Global CA" certificate. Double-click this entry to open its certificate window.
  7. Click the "Details" tab, then click the "Edit properties" button. NOTE THAT "Server Authentication," "Client Authentication," "Code Signing," "Secure Email," and "Time Stamping" are selected.
  8. Click the "Disable all purposes for this certificate" button. THIS WILL DISABLE THIS CERTIFICATE FROM USE. NOTE ON THE "General" TAB THAT THE EXPIRATION DATE FOR THIS CERTIFICATE IS 5/20/2022 AND THE "Issued to:" and "Issued by:" ITEMS ARE BOTH SIGNED "GeoTrust Global CA," INDICATING THAT THIS IS A ROOT CERTIFICATE. Click the "OK" button to return to the Windows Certificate Manager. Minimize the Certificate Manager.
  9. Move to your blank https://www.google.com Web page. Refresh the page, then view the certificates. NOW YOU WILL SEE FOUR CERTIFICATES, INSTEAD OF THE THREE THAT WERE DISPLAYED IN STEP #3!!
  10. WHAT HAPPENED? Double-click the "GeoTrust Global CA" certificate. Look at the expiration date on the "General" tab. It's 8/20/2018, NOT THE 5/20/2022 displayed for the "GeoTrust Global CA" certificate in Step #3. Also look at the "Issued to:" and "Issued by:" items - THEY ARE DIFFERENT. The "Issued to:" is "GeoTrust Global CA" and the "Issued by" is "Equifax Secure Certificate Authority." THIS IS A DIFFERENT "GeoTrust Global CA" CERTIFICATE THAN THE ONE DISPLAYED IN STEP #3!! This version of the "GeoTrust Global CA" certificate is cross-rooted to "Equifax Secure Certificate Authority" as evidenced in the "Issued by:" item!!
  11. Double click the "GeoTrust" root certificate. Notice that this is a self-signed root certificate issued by "Equifax Secure Certificate Authority." THIS IS THE REAL ROOT CERTIFICATE USED BY https://www.google.com!! When I copied this certificate into my PHP .PEM file and used it to validate https://www.google.com's certificate everything worked perfectly!!
  12. Go back to the Windows Certificate Manager and reverse the disablement you performed in Steps 5 - 8. Click the "Enable only the following purposes" button and re-check the purposes listed in Step #7. This will restore your "GeoTrust Global CA" certificate dated 5/20/2022 to functioning status.

There's a link on the GeoTrust Website that describes the "GeoTrust Global CA" cross-root certificate that appeared in Step #9. You can download it as well. However, for my application the cross-root certificate didn't validate https://www.google.com's certificate - I NEEDED TO USE THE "GeoTrust" ROOT CERTIFICATE BECAUSE IT IS THE ONLY ONE THAT WORKS TO VALIDATE https://www.google.com. Here's the link:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426

You can also download the equivalent of the "GeoTrust" certificate from the GeoTrust Website. It's listed as the "Equifax Secure Certificate Authority" in the Resources > Root Certificates section of the Website. Here's the link:

https://www.geotrust.com/resources/root-certificates/

You can also find more details about the certificate chain for any Web page by visiting the following Symantec Web page:

https://cryptoreport.websecurity.symantec.com

I hope this helps you PHP developers who need to validate an HTTPS connection with Google.com. DREW010 - Thanks for hanging with me through this! I appreciate your help.

Saturday, September 24, 2022
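
The cross-root situation this answer works out by hand in a browser dialog can be made visible from PHP itself. The following is an added example, not the answerer's script: it captures the chain the server actually sends (a diagnostic connection with verification off, since the bundle under test may be exactly what is wrong), prints each subject/issuer link, says whether the top certificate is self-signed or cross-signed by some other root, and then checks whether that issuer is present in your .PEM bundle and whether its key really verifies the signature. It assumes PHP 7.4 or later with ext/openssl (openssl_x509_verify appeared in 7.4); the function names and the bundle path are my own, and matching issuers to anchors by DN string is a heuristic, not what OpenSSL does internally.

```php
<?php
// Added example, not from the original answer: capture the chain a server
// sends and explain which trust anchor it needs. Assumes PHP >= 7.4 with
// ext/openssl; $caFile is the .PEM bundle you are validating against.

/** Flatten a parsed DN array into "C=US, O=..., CN=..." form. */
function dn_string(array $dn): string
{
    $parts = [];
    foreach ($dn as $k => $v) {
        foreach ((array) $v as $val) {   // repeated attributes come back as arrays
            $parts[] = "{$k}={$val}";
        }
    }
    return implode(', ', $parts);
}

/** Read every PEM certificate in a bundle file, keyed by its subject DN. */
function load_ca_bundle(string $caFile): array
{
    $pem = file_get_contents($caFile);
    if ($pem === false) {
        throw new RuntimeException("cannot read {$caFile}");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $anchors = [];
    foreach ($m[0] as $block) {
        $cert = openssl_x509_read($block);
        if ($cert !== false) {
            $anchors[dn_string(openssl_x509_parse($cert)['subject'])] = $cert;
        }
    }
    return $anchors;
}

/** Describe the served chain and whether the bundle holds the root it needs. */
function explain_chain(string $host, string $caFile): array
{
    // Diagnostic connection only: verification is off so the chain can be
    // captured even when the bundle is the thing that is wrong. Nothing is
    // sent over this connection and its result is never treated as trusted.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => false, 'verify_peer_name' => false,
        'capture_peer_cert_chain' => true, 'peer_name' => $host,
    ]]);
    $sock = stream_socket_client("ssl://{$host}:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("connect to {$host} failed: {$errstr}");
    }
    $chain = stream_context_get_params($sock)['options']['ssl']['peer_certificate_chain'];
    fclose($sock);
    if (empty($chain)) {
        throw new RuntimeException('server sent no certificate chain');
    }

    $report = [];
    foreach ($chain as $i => $cert) {
        $p = openssl_x509_parse($cert);
        $report[] = sprintf('%d: subject=%s | issuer=%s', $i, dn_string($p['subject']), dn_string($p['issuer']));
    }

    $topCert   = end($chain);
    $top       = openssl_x509_parse($topCert);
    $topIssuer = dn_string($top['issuer']);
    $report[]  = $topIssuer === dn_string($top['subject'])
        ? 'top of chain is self-signed; that certificate itself must be in the bundle'
        : "top of chain is NOT self-signed; it is cross-signed by: {$topIssuer}";

    // Is the issuer of the top certificate in the bundle, and does its key
    // actually verify the signature (1 = valid, 0 = invalid, -1 = error)?
    $anchors = load_ca_bundle($caFile);
    if (!isset($anchors[$topIssuer])) {
        $report[] = "bundle does not contain {$topIssuer}; that is the root the .PEM file needs";
    } elseif (openssl_x509_verify($topCert, openssl_pkey_get_public($anchors[$topIssuer])) === 1) {
        $report[] = "bundle contains {$topIssuer} and its key verifies the top certificate";
    } else {
        $report[] = "bundle contains a certificate named {$topIssuer} but its key does NOT verify the top certificate";
    }
    return $report;
}

// Usage: php explain_chain.php www.google.com /path/to/bundle.pem   (path is an assumption)
foreach (explain_chain($argv[1] ?? 'www.google.com', $argv[2] ?? '/path/to/bundle.pem') as $line) {
    echo $line, "\n";
}
```

The last two lines of the report are the ones that settle the question in this answer: a bundle that holds a same-named root whose key does not verify the top certificate is precisely the "two different GeoTrust Global CA certificates" case, and the fix is to add the root named in the top certificate's issuer field rather than the one a browser happens to display.
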