
curl-library

can't verify SSL cert

From: Jay Edgar <jedgar_at_qualtim.com>
Date: Fri, 20 Feb 2009 11:49:17 -0600

Greetings,

I'm unable to verify the SSL Certificate in a communication with
PayTrace, although I can complete the communication without it.

Question #1: Comodo has suggested that even if I can't verify the
certificate, the connection is still secure. Is this accurate?

Question #2: Even if it _is_ secure, I'd be much more comfortable being
able to turn VERIFYPEER on. Am I being overly cautious?

Shown below is the verbose output of a demo transaction with
paytrace.com with CURLOPT_SSL_VERIFYPEER = false. Notice the "error
number 1 (20), continuing anyway."

==============================OUTPUT 1
Your transaction was successfully approved.

* About to connect() to paytrace.com port 443
* Trying 207.189.109.100... * connected
* Connected to paytrace.com (207.189.109.100) port 443
* successfully set certificate verify locations:
* CAfile: none
  CApath: c:\php5\certificates\
* SSL connection using RC4-MD5
* Server certificate:
* subject: /C=US/postalCode=98664/ST=WA/L=Vancouver/streetAddress=8070 E Mill Plain Blvd./O=PayTrace, LLC/OU=PayTrace Payment Gateway/OU=Comodo PremiumSSL Legacy/CN=paytrace.com
* start date: 2007-11-27 00:00:00 GMT
* expire date: 2009-11-26 23:59:59 GMT
* subjectAltName: paytrace.com matched
* issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
* SSL certificate verify result: error number 1 (20), continuing anyway.
> POST /api/default.pay HTTP/1.1
Host: paytrace.com
Accept: */*
MIME-Version: 1.0
Content-type: application/x-www-form-urlencoded
Contenttransfer-encoding: text
Content-Length: 166
=============================/OUTPUT 1

And here's the output with ...VERIFYPEER = true, which fails:

=============================OUTPUT 2
* About to connect() to paytrace.com port 443
* Trying 207.189.109.100... * connected
* Connected to paytrace.com (207.189.109.100) port 443
* successfully set certificate verify locations:
* CAfile: none
  CApath: c:\php5\certificates\
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
=============================/OUTPUT 2

I have researched this, including
http://curl.haxx.se/docs/sslcerts.html. I got updated *.crt files from
Comodo, which I've placed in c:\php5\certificates (I'm on a windows
server). Here's the code I'm using (PHP), which I got from PayTrace, and
augmented slightly:

=============================CODE
<?php
// Demo data (PayTrace test credentials and a test card number)
$parmlist  = "parmlist=UN~demo123|PSWD~demo123|TERMS~Y|";
$parmlist .= "METHOD~ProcessTranx|TRANXTYPE~Sale|";
$parmlist .= "CC~4012881888818888|EXPMNTH~01|EXPYR~09|";
$parmlist .= "AMOUNT~1.00|CSC~999|";
$parmlist .= "BADDRESS~1234 Main|BZIP~10001|";

// Request headers as given in PayTrace's sample code
$header = array(
    "MIME-Version: 1.0",
    "Content-type: application/x-www-form-urlencoded",
    "Contenttransfer-encoding: text"
);

// Point the cURL handle at PayTrace's servers
$url = "https://paytrace.com/api/default.pay";
$ch = curl_init();

// Set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_VERBOSE, 1); // if 1, outputs communication; 0, doesn't
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);

// Depending on your PHP host, you may need to specify their proxy server
//curl_setopt($ch, CURLOPT_PROXY, "http://proxyaddress:port");
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // or false, depending upon testing...
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $parmlist);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
// Directory of CA certificates; OpenSSL looks files up here by subject-hash file name
curl_setopt($ch, CURLOPT_CAPATH, "c:\\php5\\certificates\\");

// Perform the request; with RETURNTRANSFER the body is returned rather than printed
$response = curl_exec($ch);
if ($response === false) {
    // A failed certificate check ends up here, not in $response
    echo "cURL error " . curl_errno($ch) . ": " . curl_error($ch) . "\n";
}
curl_close($ch);
==================================/CODE

I'm using PHP with IIS 5 on a Windows server.

Question #3: Is there anything in the code above that indicates a
problem?
Question #4: Can anyone direct me how I might get the verification
working?

It seems like the problem might be in the installation or something.
While I've learned a lot, I'm still stumped.

Thanks very much in advance,

Jay
Received on 2009-02-20
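Added example (not from the original post, nor from curl or PayTrace): the "error number 1 (20)" in OUTPUT 1 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, meaning the issuer named in the server certificate ("AAA Certificate Services") was not found in the configured trust store; with CURLOPT_SSL_VERIFYPEER off, curl reports that and carries on, so the server is never authenticated. A CURLOPT_CAPATH directory is searched by subject-hash file name (<hash>.0, the layout c_rehash or openssl rehash produces), not by whatever *.crt name the files were delivered with, whereas a PEM bundle given via CURLOPT_CAINFO needs no hashing. The script below reproduces each of those cases with the openssl verify command against a throwaway CA. It assumes only that the openssl CLI is on PATH; the CA, the leaf certificate and the hostname gateway.example.test are generated or invented here and are test-only.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces OpenSSL verify
# error 20 ("unable to get local issuer certificate") with a throwaway CA and
# leaf certificate, then shows the two ways a trust anchor is actually found.
# Assumes the `openssl` CLI is on PATH. Everything below is generated here and
# is test-only; gateway.example.test is an invented hostname.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:gateway.example.test
EOF

# Throwaway root CA and a leaf certificate issued by it (key-generation
# chatter on stderr is suppressed; a failure still aborts via set -e).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -config "$WORK/req.cnf" -extensions v3_ca \
  -subj "/CN=Example Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=gateway.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/req.cnf" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null

# Run `openssl verify` on leaf.pem with the given trust-store arguments and
# print the X509 verify error number (0 on success). This is the same number
# curl prints as "SSL certificate verify result: error number 1 (N)".
verify_code() {
    out=$(openssl verify "$@" "$WORK/leaf.pem" 2>&1) || true
    case "$out" in
        *": OK"*)  echo 0 ;;
        *"error "*) echo "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1 ;;
        *)          echo "$out" | head -n 1 ;;   # unexpected output, surface it
    esac
}

# 1. No trust anchor configured at all: the leaf's issuer cannot be found.
no_anchor() { verify_code; }

# 2. What the original post did: the CA certificate dropped into a CApath
#    directory under an arbitrary name. OpenSSL opens files there only by
#    subject-hash name (<hash>.0), so comodo.crt is never looked at.
unhashed_capath() {
    mkdir -p "$WORK/capath_unhashed"
    cp "$WORK/ca.pem" "$WORK/capath_unhashed/comodo.crt"
    verify_code -CApath "$WORK/capath_unhashed"
}

# 3. The same directory laid out the way CURLOPT_CAPATH expects, i.e. the
#    file renamed to its subject hash (what c_rehash / openssl rehash do).
hashed_capath() {
    mkdir -p "$WORK/capath_hashed"
    h=$(openssl x509 -hash -noout -in "$WORK/ca.pem")
    cp "$WORK/ca.pem" "$WORK/capath_hashed/$h.0"
    verify_code -CApath "$WORK/capath_hashed"
}

# 4. A PEM bundle file, the CURLOPT_CAINFO / --cacert route: no hashing needed.
cafile() { verify_code -CAfile "$WORK/ca.pem"; }

echo "no anchor:        $(no_anchor)"
echo "unhashed CApath:  $(unhashed_capath)"
echo "hashed CApath:    $(hashed_capath)"
echo "CAfile:           $(cafile)"
```

Cases 1 and 2 both print 20, cases 3 and 4 print 0. The same numbers are what curl shows in its verbose "verify result" line, so running openssl verify against a saved copy of the server certificate (curl -v prints the subject and issuer; openssl s_client -showcerts dumps the chain) is a quick way to find out whether a trust-store layout is the problem before touching the PHP code.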