php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22379 bug introduced going from PHP 4.3.x to 4.3.1+
Submitted: 2003-02-22 17:24 UTC Modified: 2003-03-05 17:19 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: jason at hdev dot net Assigned: edink (profile)
Status: Closed Package: cURL related
PHP Version: 4.3.1 OS: Windows 2000
Private report: No CVE-ID: None
 [2003-02-22 17:24 UTC] jason at hdev dot net
A bug was introduced in the new version(s) of PHP 4.3.1,
where cURL has now stopped working when trying to access a page through secure https. It worked in the release version of PHP 4.3.0 and any prior versions. This bug seems to be extension-related.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-02-22 23:25 UTC] sniper@php.net
Nothing changed between 4.3.0 -> 4.3.1 in this part
which could cause this bug so it's either an install
error or some build problem by Edin. (I tend to think it's Edin's fault, assigning to him :)

 [2003-02-24 14:45 UTC] bharris at spro dot net
Getting error:
<error>
* About to connect() to login.postini.com:443 * Connected to login.postini.com (64.75.1.252) port 443 * SSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed* Closing connection #0 
</error>
Cert is fine, loads with issue in latest versions of Opera, Mozilla and IE.  Was working in the 4.2.1 release of PHP as well via Curl.
 [2003-02-24 14:46 UTC] bharris at spro dot net
That should read "without issue"...
 [2003-02-24 15:34 UTC] bharris at spro dot net
WORKAROUND: Setting CURLOPT_SSL_VERIFYPEER to 0 will bypass error (and security).
 [2003-02-24 19:44 UTC] jason at hdev dot net
Actually I experienced the problem only with the extension, php_curl.dll in the php extensions folder. Simply replacing the dll with the version from 4.3.0 fixed the problem, so I suspected something wrong with one of the dlls.
 [2003-02-24 19:45 UTC] jason at hdev dot net
It was returning blank response when I used curl.
 [2003-02-24 22:52 UTC] sniper@php.net
Did you replace _all_ existing extra dlls in your system from the dlls/ folder from the 4.3.1 package?

 [2003-02-25 02:04 UTC] daniel at haxx dot se
This doesn't look like a bug but the expected behavior with libcurl 7.10 or later. As can be read with somewhat more details here:

http://curl.haxx.se/lxr/source/SSLCERTS
 [2003-02-25 02:09 UTC] sniper@php.net
Not bug -> bogus.

 [2003-02-25 04:46 UTC] jason at hdev dot net
Differences between 4.3.0 php_curl.dll and 4.3.1 is
4.3.0 is 176KB and 4.3.1 is 120KB.

Also, it doesn't work with the php_gd2.dll from 4.3.1, I have to use the php_gd2.dll from 4.3.0, so the problem is probably related to both php_gd2.dll and php_curl.dll, as my script only works when I use the previous versions of both of these files.

The DLLs which I install on Win2k are expat.dll, libeay32.dll, libmhash.dll, sablot.dll, and ssleay32.dll, all from the 4.3.1 release. (overwriting the old DLLs from the previous php)

Here is the code snippet if you want to test:

$URL=""; 
$ch = curl_init();    
curl_setopt($ch, CURLOPT_URL,"https://$URL");  
curl_setopt($ch, CURLOPT_POST, 1); 
curl_setopt($ch, CURLOPT_POSTFIELDS, "");
curl_exec($ch);
curl_close($ch);
 [2003-02-25 04:49 UTC] jason at hdev dot net
It still doesn't work when I tried with

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
 [2003-02-25 05:00 UTC] jason at hdev dot net
The line
curl_easy_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
does not work with the script with php 4.3.0
It just runs the script and doesn't do anything about the secure web page!
 [2003-02-25 16:54 UTC] bharris at spro dot net
For Win2000: To get the 4.3.1 curl dll to work with https you now need to download the latest win32 curl library from http://curl.haxx.se and snag the ca-bundle.crt file from the lib directory.

Then in your PHP script, add the following setopt line to the rest of your curl_setopt commands:

curl_setopt($ch, CURLOPT_CAFILE, 'C:\Inetpub\ca-bundle.crt')

This worked for me and allowed me to discontinue using the CURLOPT_SSL_VERIFYPEER set to zero hack.
 [2003-02-25 17:07 UTC] bharris at spro dot net
Scratch the CAFILE method, it doesn't work...my test was flawed :(
 [2003-02-25 18:45 UTC] jason at hdev dot net
I've just tried the ca-bundle.crt method, and confirm that it doesn't seem to work.
 [2003-02-25 18:52 UTC] jason at hdev dot net
By the way, can I use ca-bundle.crt to enable SSL in Apache, and how to find out how to do this?
 [2003-03-05 17:19 UTC] jason at hdev dot net
Resolved. This works with

	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Feb 29 05:01:26 2020 UTC