How do I keep my cacert.pem current for security reasons when using curl?

php curl mozilla pem php-openssl
20,581

Solution 1

Since initially writing this article, (and thus this rewrite), I was able to resolve my own problem by including links directly to the only legitimate source to maintain this file which is provided on the site maintained by the author of curl at this location

Further as technology is advancing this question has been updated to show how to use curl in PHP and force TLS v1.2 connection (something which certain transaction providers require or recommend and may not supply the information on how to do this).

Regarding certificate authorities, there are a few key root authorities such as :

  • Symantec
  • RapidSSL
  • thawte
  • GeoTrust
  • Comodo

As well as other authorities by their nature such as

  • Microsoft
  • Mozilla
  • Google

Which can be a frame for anyone looking to maintain their own cacert.pem. Keep in mind that you would need to download their revocation lists (certificates that have been breached or expired) from the respective crl's to maintain a proper trust mechanism, while you should be able to get away with just downloading their root certificate chains and using those as a local authorative file as your cacert.pem.

Solution 2

cacert.pem is used by curl. There is no ultimate authority on which certificates are to be trusted, but the lists used by web browsers are a good source. These lists are constantly updated due to CA changes and changes to security practices.

The authors of curl maintain a tool which can extract a cacert.pem from Firefox, and post a reasonably up-to-date output on their site:

  • cacert.pem generated by the authors of curl
  • caextract: for the most security-conscious, download the tool, inspect the source code and run it against your own Firefox.
Share:
20,581
Kraang Prime
Author by

Kraang Prime

Run this javascript to find out what I am doing right now : var day = new Date().getDay(); var hour = new Date().getHours(); var result = "having Lucid dreams of Code"; if(hour <= 9 && hour >= 17 && day <= 5) { result = "Writing Code"; } console.log("I am currently " + result);

Updated on September 06, 2020

Comments

  • Kraang Prime
    Kraang Prime over 3 years

    I would like to keep my root certificates current for use with cURL and PHP's internal curl command, however there is no parameter currently to download the current file it requires for a proper secure connection and to keep it current.

    And example of using curl in PHP for a secure connection which requires a file named cacert.pem (PEM encoded certificate chain for validating remote connections) is as follows :

    $ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.google.com");
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
if (!($data = curl_exec($ch))) {
    echo "No data received";
} else {
    echo strlen($data) + " total byte(s)";
}
curl_close($ch);

    While most people simply set CURLOPT_SSL_VERIFYPEER to false, and thus ignore the problem, which is bad . You can see here where a certificate authority shows that if you do not have this file current, the only way to connect to a secure server is to disable certificate checking and further warns of the implications behind disabling peer verification.

    What I am requesting is for a legitimate way to maintain a local copy of cacert.pem so that when I use curl in PHP to communicate with other servers, I can continue to do so securely .

    This is not a request for an external resource or off-site link etc, however due to the nature of the problem, it is likely that may be the ONLY way to resolve this as it would require continuous updating as certificate chains are revoked. To date, there is no way to obtain this file either as part of the distribution of curl itself, or php, or the curl library for php and continue to maintain it. While it is discouraging that this is not something which a simple update command like curl --update-root-ca would be nice, it does not exist in any form.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

56 Received HTTP code 403 from proxy after CONNECT?
How to convert curl xml response into array in php?
cURL returns please enable cookies?
PHP cURL sync and async
Activation Curl on EasyPHP
Upload video on Youtube using curl and api v3
cURL/PHP Request Executes 50% of the Time
PHP CURL - Empty output with no error
PHP cURL error: Could not resolve proxy
Unsupported media type for xml php curl request