Dealing With “SSL3_GET_SERVER_CERTIFICATE: certificate verify failed”

I have run into an error like the one below again recently:

Fatal error: Uncaught exception 'ErrorException' with message
'stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

This happened while I was using the Zend\Http\Client\Adapter\Socket adapter that ships
with Zend Framework 2 to retrieve the content of an HTTPS website. The error message
means that OpenSSL could not verify the website's SSL certificate against any CA it
trusts, so instead of continuing with an unverified connection it throws the exception
as a warning.

To make the script work, we need to tell it how to treat the target website's SSL
certificate. There are two methods:

1. Ignore the warning

Warning: this turns off the certificate check that SSL relies on to authenticate the
server, and thus it's not recommended.

It is, however, a really simple fix that works and is pretty straightforward.

If you are using CURL, set as following:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

If you are using sockets streams, set following option while creating:

$contextOptions = array(
    'ssl' => array(
        'verify_peer'   => false,
    )
);

2. Verify against CA Certs

The safer way is to check the website's SSL certificate against CA certificates. If the
remote resource is protected by a certificate issued by one of the main CAs such as
Verisign or GeoTrust, you can safely verify it against Mozilla's CA certificate bundle,
which you can get from http://curl.haxx.se/docs/caextract.html. Download cacert.pem and
put it into your project folder.

If you are using CURL, set as following:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, __DIR__ . '/cacert.pem');

If you are using sockets streams, set following option while creating:

$contextOptions = array(
    'ssl' => array(
        'verify_peer'   => true,
        'cafile'        => __DIR__ . '/cacert.pem',
    )
);
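As an added example (not code from the original post or from Zend Framework), the following script uses those same stream context options end to end: it opens a TCP socket, upgrades it with stream_socket_enable_crypto(), the call that produced the error at the top of this post, and verifies the server certificate against cacert.pem. It assumes PHP 5.6 or later (for verify_peer_name and peer_name), cacert.pem next to the script, network access, and example.com as a sample host.

```php
<?php
// Added example: fetch an HTTPS page over a raw socket with the server
// certificate verified against Mozilla's CA bundle (cacert.pem assumed to
// sit next to this script; the host below is a sample value).

function fetchHttpsWithVerifiedCert($host, $path = '/', $caFile = __DIR__ . '/cacert.pem')
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }

    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,     // validate the chain against cafile
            'verify_peer_name'  => true,     // certificate must match $host (PHP >= 5.6)
            'allow_self_signed' => false,
            'cafile'            => $caFile,
            'peer_name'         => $host,
        ),
    ));

    $errno = 0;
    $errstr = '';
    $fp = stream_socket_client("tcp://$host:443", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        throw new RuntimeException("connect failed: [$errno] $errstr");
    }

    // Turn the PHP warning emitted on a failed handshake into an exception,
    // which is what produces the "certificate verify failed" ErrorException.
    set_error_handler(function ($no, $str) { throw new ErrorException($str, $no); });
    try {
        $ok = stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    } finally {
        restore_error_handler();
    }
    if ($ok !== true) {
        throw new RuntimeException("TLS handshake failed for $host");
    }

    fwrite($fp, "GET $path HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n");
    $response = stream_get_contents($fp);
    fclose($fp);
    return $response;
}

try {
    echo substr(fetchHttpsWithVerifiedCert('example.com'), 0, 200), "\n";
} catch (Exception $e) {
    // An untrusted or mismatched certificate ends up here instead of being ignored.
    fwrite(STDERR, get_class($e) . ': ' . $e->getMessage() . "\n");
    exit(1);
}
```

If cacert.pem is missing, outdated, or the host presents a certificate from a CA not in the bundle, the script exits with the OpenSSL message rather than silently talking to an unverified server.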