Viewed   149 times

I would like to be able to read the SSL certificate information with CURL. From the Linux console I get this response header:

GET -ed
Cache-Control: private, max-age=0
Connection: close
Date: Sun, 20 Jun 2010 21:34:12 GMT
Server: gws
Content-Type: text/html; charset=ISO-8859-1
Expires: -1
Client-Date: Sun, 20 Jun 2010 21:34:18 GMT
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
Client-SSL-Cert-Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/
Client-SSL-Cipher: RC4-SHA
Client-SSL-Warning: Peer certificate not verified
Set-Cookie: PREF=ID=4d56960f6e3ad831:TM=1277069652:LM=1277069652:S=GF-w8Yc-_61NBzzJ; expires=Tue, 19-Jun-2012 21:34:12 GMT; path=/;
Title: Google
X-XSS-Protection: 1; mode=block

But with CURL the header is much shorter:

HTTP/1.1 200 OK
Date: Sun, 20 Jun 2010 21:39:07 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=2d4fb1c933eebd09:TM=1277069947:LM=1277069947:S=6_TgGKzD0rM4IWms; expires=Tue, 19-Jun-2012 21:39:07 GMT; path=/;
Server: gws
X-XSS-Protection: 1; mode=block
Transfer-Encoding: chunked

Is there any possibility to get these information, the full header with CURL or with some other PHP function?



No. EDIT: A CURLINFO_CERTINFO option has been added to PHP 5.3.2. See

Apparently, that information is being given to you by your proxy in the response headers. If you want to rely on that, you can use curl's CURLOPT_HEADER option to trueto include the headers in the output.

However, to retrieve the certificate without relying on some proxy, you must do

$g = stream_context_create (array("ssl" => array("capture_peer_cert" => true)));
$r = fopen("", "rb", false, $g);
$cont = stream_context_get_params($r);

You can manipulate the value of $cont["options"]["ssl"]["peer_certificate"] with the OpenSSL extension.

EDIT: This option is better since it doesn't actually make the HTTP request and does not require allow_url_fopen:

$g = stream_context_create (array("ssl" => array("capture_peer_cert" => true)));
$r = stream_socket_client("ssl://", $errno, $errstr, 30,
$cont = stream_context_get_params($r);
Tuesday, December 13, 2022
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);

Change that to 1. Also, set this after CURLOPT_SSL_VERIFYPEER:

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
Thursday, September 8, 2022

Identify or detect the character encoding and convert the data to UTF-8 if necessary.

For HTML (i.e. text/html) there are three ways to specify the character encoding:

  1. An HTTP "charset" parameter in a "Content-Type" field.
  2. A META declaration with "http-equiv" set to "Content-Type" and a value set for "charset".
  3. The charset attribute set on an element that designates an external resource.

If neither of these is present, you might do some content sniffing or switch to some default character encoding (e.g. ISO 8859-1).

If the identified/detected character encoding is not UTF-8, you then can convert the data to UTF-8 with iconv or mb_convert_encoding.

Monday, August 22, 2022

How to parse the expiration date from the certificate

Cast it to an X509Certificate and call getNotAfter().

How to determine the certificate chain, eg, the github certificate with chains

You've got it. That's what the Certificate[] array is, as it says in the Javadoc.

How did i know which certificate to get the expiration date from?

Read the Javadoc. "The peer's own certificate first followed by any certificate authorities".

However I don't know why you're doing any of this. Java should already do it all for you.

And please throw away that insecure and incorrect TrustManager implementation. The correct way to handle self-signed certificates is to import them into the client truststore. Please also throw away your insecure HostnameVerifier, and use the default one, or a secure one. Why use HTTPS at all if you don't want it to be secure?

Tuesday, December 27, 2022

The answer to this problem is that the root certificate displayed for in IE11, "GeoTrust Global CA," is cross-rooted to an older GeoTrust root certificate named "Equifax Secure Certificate Authority." When the "GeoTrust Global CA" certificate that displays as the root in the 3-certificate chain showing in my IE11 is used by my PHP script as the root certificate for my PHP script can't authenticate's certificate BECAUSETHE REAL ROOT CERTIFICATE FOR ISN'T THE "GeoTrust Global CA" CERTIFICATE BUT THE GeoTrust "Equifax Secure Certificate Authority" certificate. Once I figured this out, I used the "Equifax Secure Certificate Authority" in my PHP .PEM file and I successfully validated the certificate.

You can see how the cross-rooting takes place by doing the following (I used IE11 for this):

  1. Open a BLANK Web page
  2. Click the padlock icon in the URL window, then click "View certificates."
  3. The Certificates window for appears. Click the Certification Path tab. The certificate chain of three certificates will be displayed. The "GeoTrust Global CA" certificate shows as the root certificate - BUT THAT'S NOT TRUE.
  4. Close the Certificate window. In the "Run" box in the Start Menu (I'm using Windows 7) type "certmgr.msc" and click the "OK" button. This will launch Windows' Certificate Manager.
  5. Click the "Trusted Root Certification Authorities" entry in the left pane, then click "Certificates."
  6. In the right pane, locate the "GeoTrust Global CA" certiticate. Double-click this entry to open it's certificate window.
  7. Click the "Details" tab, then click the "Edit properties" button. NOTE THAT "Server Authentication," "Client Authentication," "Code Signing," "Secure Email," and "Time Stamping" are selected.
  8. Click the "Disable all purposes for this certificate" button. THIS WILL DISABLE THIS CERTIFICATE FROM USE. NOTE ON THE "General" TAB THAT THE EXPIRATION DATE FOR THIS CERTIFICATE IS 5/20/2022 AND THE "Issued to:" and "Issued by:" ITEMS ARE BOTH SIGNED "GeoTrust Global CA," INDICATING THAT THIS IS A ROOT CERTIFICATE. Click the "OK" button to return to the Windows Certificate Manager. Minimize the Certificate Manager.
  9. Move to your blank Web page. Refresh the page, then view the certificates. NOW YOU WILL SEE FOUR CERTIFICATES, INSTEAD OF THE THREE THAT WERE DISPLAYED IN SETP #3!!
  10. WHAT HAPPENED? Double-click the "GeoTrust Global CA" certificate. Look at the expiration date on the "General" tab. It's 8/20/2018, NOT THE 5/20/2022 displayed for the "GeoTrust Global CA" certificate in Step #3. Also look at the "Issued to:" and "Issued by:" items - THEY ARE DIFFERENT. The "Issued to:" is "GeoTrust Global CA" and the "Issued by" is "Equifax Secure Certificate Authority." THIS IS A DIFFERENT "GeoTrust Global CA" CERTIFICATE THAT THE ONE DISPLAYED IN STEP #3!! This version of the "GeoTrust Global CA" certificate is cross-rooted to "Equifax Security Certificate Authority" as evidenced in the "Issued by:" item!!
  11. Double click the "GeoTrust" root certificate. Notice that this is a self-signed root certificate issued by "Equifax Secure Certificate Authority." THIS IS THE REAL ROOT CERTIFICATE USED BY!! When I copied this certificate into my PHP .PEM file and used it to validate's certificate everything work perfectly!!
  12. Go back to the Windows Certificate Manager and reverse the disablement you performed in Steps 5 - 8. Click the "Enable only the following purposes" button and re-check the purposes listed in Step #7. This will restore your "GeoTrust Global CA" certificate dated 5/20/2022 to functioning status.

There's a link on the GeoTrust Website that describes the "GeoTrust Global CA" cross-root certificate that appeared in Step #9. You can download it as well. However, for my application the cross-root certificate didn't validate's certificate - I NEEDED TO USE THE "GeoTrust" ROOT CERTIFICATE BECAUSE IT IS THE ONLY ONE THAT WORKS TO VALIDATE Here's the link:

You can also download the equivalent of the "GeoTrust" certificate from the GeoTrust Website. It's listed as the "Equifax Secure Certificate Authority" in the Resources > Root Certificates section of the Website. Here's the link:

You can also find more details about the certificate chain for any Web page by visiting the following Symantec Web page:

I hope this helps you PHP developers who need to validate an HTTPS connection with DREW010 - Thanks for hanging with me through this! I appreciate your help.

Saturday, September 24, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :