Not hacking CurlException: 60 (cURL SSL Certificate Verification)

The error that alot of people get with Facebook authentication is:

CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And the only information I can find about it suggest to add the fo开发者_C百科llowing lines of code to curl:

$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;

I know this works, but what is going on here? Isn't there any server settings/configuraton that can be changed instead of hacking up facebook.php.

What It Does & Meaning:

The following code tells the cURL to NOT verify that security certificates are correct. Hence, the error disappears.

  $opts[CURLOPT_SSL_VERIFYPEER] = false;
  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

When you connect to a remote server with SSL, their certificate might be invalid, expired, or not signed by a recognized CA. The cURL normally checks it.

CURLOPT_SSL_VERIFYHOST:

• 1: to check the existence of a common name in the SSL peer certificate.
• 2: to check the existence of a common name and also verify that it matches the hostname provided.

CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).

How to Enable & Verify Correctly:

To verify correctly, we need to to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonable* trust.

If the remote resource is protected by a certificate issued by one of the main CA's like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle which you can get from http://curl.haxx.se/docs/caextract.html

Save the file cacert.pem somewhere in your server and set the following options in your script.

curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE); 
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");

If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.

In my case, I could not use curl_setopt, because I could not edit Facebook API classes ( conditions of project I was working in ).

I solved the problem by adding path to cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html to my php.ini

[curl]
curl.cainfo = "c:\wamp\cacert.pem"

I just had the same problem, and disabling peer verification is not acceptable in my case. I updated the fa_ca_chain_bundle.crt file (from facebook's gitbub) and it works now.

Regards, Marek