HTTPS post request with CURL


rmk
Forum Newbie
Posts: 9
Joined: Wed Jul 16, 2003 3:04 pm

Post by rmk »

Hi all.

I'm trying to make an HTTPS POST request using the cURL library. When I use a plain HTML form, all works fine. But when using PHP and the curl functions, I'm getting:

* Your connection is using a weak random seed!
* Closing live connection (#0)

from the server. What could be the problem?
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

Does your PHP binary have cURL with SSL support compiled in?

Could you post some of the curl code?
rmk
Forum Newbie
Posts: 9
Joined: Wed Jul 16, 2003 3:04 pm

Post by rmk »

I think my PHP supports cURL because when I type (in the prompt):
php -m
there is a list in which "curl" is present.

I have copied all files from
c:\php\dlls
to
c:\windows\system32 (I use Windows XP)
The DLLs copied include libeay32.dll and ssleay32.dll.

The PHP code is very simple:

$data = "abc=123&def=456";
$f_error = fopen("errors.txt", "w");
$ch = curl_init("https://www.xxxxxxx.com/yyyy/zzzz.asp");
curl_setopt($ch, CURLOPT_VERBOSE, 1); // to dump errors
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_STDERR, $f_error);
curl_exec($ch);
curl_close($ch);
fclose($f_error);

After the execution, there is a file "error.txt" in which I can read:

* Your connection is using a weak random seed!
* Closing live connection (#0)

I think this is a response from the server, not from my PHP, but I'm not sure.
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

Try setting CURLOPT_RETURNTRANSFER to 1.

Even if curl is compiled in, it may not have SSL support. Try a <?php phpinfo(); ?> and look for the curl section and make sure there is some mention of SSL there, like libssl or openssl.
rmk
Forum Newbie
Posts: 9
Joined: Wed Jul 16, 2003 3:04 pm

Post by rmk »

From phpinfo():

CURL support enabled
CURL Information libcurl 7.8 (OpenSSL 0.9.6a)

So the cURL and OpenSSL libraries are OK. I'll try this CURLOPT_RETURNTRANSFER option, but I think I should use some certificates in my authorization. I'll post here if I find a solution.
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

You don't need certificates unless you are in fact doing that sort of communication where you authenticate to the server and/or the server authenticates to you with matching certs, which is very unusual for public webservers.
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

BTW, you only set RETURNTRANSFER if you want something back, and the data is returned by the exec function...
$return = curl_exec($ch);
rmk
Forum Newbie
Posts: 9
Joined: Wed Jul 16, 2003 3:04 pm

Post by rmk »

No effect at all :(
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

What are you trying to do? Should the post make something happen on the target, or are you expecting a return? Your initial code had nothing that would assign any returned data.

Can you check the logs on the receiving webserver to see if the requests were coming in at all, OK'd or rejected or whatever?
rmk
Forum Newbie
Posts: 9
Joined: Wed Jul 16, 2003 3:04 pm

Post by rmk »

I'm trying to make an electronic payment. The goal is to make a payment, which does not occur. According to the cURL library, the target server returns these lines:

* Your connection is using a weak random seed!
* Closing live connection (#0)
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

Those are warnings from curl and not the returned values. As mentioned, curl_exec returns the response if RETURNTRANSFER was set to 1.
rmk
Forum Newbie
Posts: 9
Joined: Wed Jul 16, 2003 3:04 pm

Post by rmk »

There is some progress!!! :)
I've upgraded my PHP. I was using 4.0.6, and now I'm using 4.3.2. Now I connect to the server, but the certificates are not correct.

The new message is:

* About to connect() to http://www.xxxxxxxx.com:443
* Connected to http://www.xxxxxxxxx.com (xxx.xxx.xxx.xxx) port 443
* unable to set private key file: 'c:/certificate.pem' type PEM

* Closing connection #0

I think it is because I exported the certificate from IE in Base64 format and then just changed the file extension. I think I should find some converter. :)
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

Uhm, as I said before, if you are just connecting to a merchant gateway with SSL, like authorizenet, surepay or verisign, it is VERY unlikely that you authenticate with certificates. DO NOT DO ANY CERT STUFF on your end, just let curl do SSL version 2 or 3 (auto) and that will work.
rmk
Forum Newbie
Posts: 9
Joined: Wed Jul 16, 2003 3:04 pm

Post by rmk »

If I remove the CURLOPT_SSLCERT option and leave only CURLOPT_SSL_VERIFYHOST set to 2 or 3, or even if I remove the CURLOPT_SSL_VERIFYHOST option altogether, I get this message:

* About to connect() to http://www.e-gold.com:443
* Connected to http://www.e-gold.com (63.240.230.10) port 443
* SSL certificate problem, verify that the CA cert is OK
* Closing connection #0

As you can see, I'm trying to make an e-gold payment.
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

I just checked the cert at http://www.e-gold.com and the cert is valid and signed by VeriSign. When I was writing 2 or 3 I meant SSL mode/version and nothing about verification. curl needs the root CA fingerprints and that in order to do verifications, so try without any at first.

Your best approach is to do as little and as simple as possible, turn all verification and authentication off, have as few setopts as possible and it should work just fine.

I just did a simple test post to https://www.e-gold.com/ with success (well, it returns 405 since the index is not a script that accepts POST).
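Added example (not part of any post in this thread and not the participants' code): the two messages seen above, "unable to set private key file" and "SSL certificate problem, verify that the CA cert is OK", both concern which certificate file goes into which option. The sketch below keeps server verification on by giving curl a CA bundle through CURLOPT_CAINFO and sets no client certificate. The function name https_post, the endpoint URL and the bundle path are assumptions.

```php
<?php
// Added example: HTTPS POST with server-certificate verification left on.
// CURLOPT_CAINFO names the file of trusted root CAs used to verify the server.
// CURLOPT_SSLCERT is a client certificate and needs a matching private key,
// so a certificate exported from a browser does not belong there.

function https_post(string $url, array $fields, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,   // curl_exec() returns the body
        CURLOPT_SSL_VERIFYPEER => true,   // validate the chain against CAINFO
        CURLOPT_SSL_VERIFYHOST => 2,      // certificate name must match the host
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_FOLLOWLOCATION => false,  // do not re-send a payment POST on redirect
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // TLS failures surface here, e.g. an unknown issuer or a name mismatch
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Placeholder endpoint and bundle path (assumptions, not values from the thread).
try {
    $response = https_post(
        'https://payments.example.com/pay',
        ['abc' => '123', 'def' => '456'],
        'c:/php/extras/ssl/cacert.pem'
    );
    echo $response;
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    exit(1);
}
```

If verification fails with this setup, the error from curl_error() says whether the chain or the host name was rejected, which points at the bundle or the URL rather than at the verification options.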