Page 1 of 2
HTTPS post request with CURL
Posted: Wed Jul 16, 2003 3:04 pm
by rmk
Hi all.
I'm trying to make an https post request using the CURL library. When I use plain html form all works fine. But when using php and curl functions, I'm getting :
* Your connection is using a weak random seed!
* Closing live connection (#0)
from the server. What could be the problem ?
Posted: Wed Jul 16, 2003 3:58 pm
by Stoker
does your PHP binary have Curl with SSL support compiled in?
could you post some of the curl code?
Posted: Thu Jul 17, 2003 12:09 am
by rmk
I think my php support the CURL because when I type (i the prompt) :
php -m
there is a list in which the "curl" is present.
I have copyed all files from
c:\php\dlls
to
c:\windows\system32 (I use windows XP)
the dlls copyed includes (libeay32.dll and ssleay32.dll)
The php code is very simple :
$data = "abc=123&def=456";
$f_error = fopen("errors.txt", "w");
$ch = curl_init("
https://www.xxxxxxx.com/yyyy/zzzz.asp");
curl_setopt($ch, CURLOPT_VERBOSE, 1); // to dump errors
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_STDERR, $f_error);
curl_exec($ch);
curl_close($ch);
fclose($f_error);
after the execution, there is a file "error.txt" in which I can read :
* Your connection is using a weak random seed!
* Closing live connection (#0)
I think this is response from the server, not from my php but I'm not sure.
Posted: Thu Jul 17, 2003 8:01 am
by Stoker
try setting CURLOPT_RETURNTRANSFER to 1
Even if curl is compiled in it may not have SSL support, try a <?php phpinfo(); ?> and look for the curlsection and make sure there is some mention of ssl there, like libssl or openssl..
Posted: Thu Jul 17, 2003 8:41 am
by rmk
From phpinfo() :
CURL support enabled
CURL Information libcurl 7.8 (OpenSSL 0.9.6a)
So the CURL and OpenSLL library are ok. I'll try with this CURLOPT_RETURNTRANSFER option, but I think I should use some certificates in my authorization. I'll post here if I found some solution.
Posted: Thu Jul 17, 2003 8:48 am
by Stoker
You dont need certificates unless you are in fact doing that sort of communication whereyou authenticate to the server and/or the server authenticates to you with matching certs, very unusual for public webservers
Posted: Thu Jul 17, 2003 9:14 am
by Stoker
btw, you only set RETURNTRASFER if you want something back, and the data is returned by the exec function...
$return = curl_exec($ch);
Posted: Thu Jul 17, 2003 2:07 pm
by rmk
No effect at all

Posted: Thu Jul 17, 2003 2:14 pm
by Stoker
what are you trying to do? should the post make something happen on the target, or are you expecting a return? Your initial code had nothing that would assign any returned data..
Can you check the logs on the receiving webserver to see if the request where coming in at all, ok'd or rejected or whatever?
Posted: Fri Jul 18, 2003 1:38 am
by rmk
I'm trying to make an electronic payment. The goal is to make a payment, which does not occur. According to the CURL library the target server, returns these lines :
* Your connection is using a weak random seed!
* Closing live connection (#0)
Posted: Fri Jul 18, 2003 7:02 am
by Stoker
those are warnings from curl and not the returned values.. as mentioned, curl_exec returns the response if RETURNTRANSFER was set to 1..
Posted: Fri Jul 18, 2003 2:59 pm
by rmk
There is some progress !!!

I've upgraded my php. I was using 4.0.6, and now I'm using 4.3.2. Now I connect to the server, but the sertificates are not correct.
The new messages is :
* About to connect() to
http://www.xxxxxxxx.com:443
* Connected to
http://www.xxxxxxxxx.com (xxx.xxx.xxx.xxx) port 443
* unable to set private key file: 'c:/certificate.pem' type PEM
* Closing connection #0
I think it is because I export the certificate from IE in Base64 format and then just change the file extension. I think I should find some convertor.

Posted: Fri Jul 18, 2003 3:20 pm
by Stoker
uhm, as I said before, if you are just connecting to a merchant gateway with SSL, like authorizenet, surepay or verisign, it is VERY unlikely that you authenticate with certificates.. DO NOT DO ANY CERT STUFF on your end, just let curl do SSL version 2 or 3 (auto) and that will work..
Posted: Fri Jul 18, 2003 3:26 pm
by rmk
If I remove the CURLOPT_SSLCERT option and leave only CURLOPT_SSL_VERIFYHOST set to 2 or 3, or even if I remove the CURLOPT_SSL_VERIFYHOST option at all, I get this message :
* About to connect() to
http://www.e-gold.com:443
* Connected to
http://www.e-gold.com (63.240.230.10) port 443
* SSL certificate problem, verify that the CA cert is OK
* Closing connection #0
As you can see, I'm trying to make an e-gold payment.
Posted: Fri Jul 18, 2003 3:52 pm
by Stoker
i just checked the cert at
http://www.e-gold.com and the cert is valid and signed by verisign.. when I was writing 2 or 3 I ment SSL mode/version and nothing about verification, curl needs the root CA fingerprints and that in order to do verifications, try without any at first.
Your best approach is do as little and simple as possible, turn all verification and authentication off, have as few setopts as possible and it should work just fine..
I just did a simple test post to
https://www.e-gold.com/ with success (well it returns 405 since the index is not a script that accepts post)..