How to ignore server's intermediate certificate?

ctinmnita
Forum Newbie
Posts: 1
Joined: Mon Jun 12, 2006 5:37 am

How to ignore server's intermediate certificate?

Post by ctinmnita »

Hello,

I am trying to access a site using PHP cURL and I encountered a problem. The server is providing me an expired intermediate certificate.

The server's certificate chain looks like:
- Root certificate (/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority)
- Intermediate certificate (/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign)
- Server certificate

Using
openssl s_client -connect WWW.CLERK-17TH-FLCOURTS.ORG:443 -CAfile D:\Work2\ie_verisign_c3.pem -showcerts
I was able to see the two certificates sent by the server and that the problem is the intermediate certificate has expired (in 2004).
Also, 2 browsers, Firefox and Opera, are warning about a problem with the server certificates. Opera states clearly that the server is sending an expired certificate. IE behaved the best, and it seems to me that it downloaded (or used its own) valid intermediate certificate instead of the expired one. It was able to verify the server certificate.
So, I exported the IE intermediate and root certificate, which are both valid and tried to use them. But it appears that openssl doesn't look at my intermediate certificate, and it uses only the server's one.

The question is, how can I tell openssl and/or libcurl to ignore the server's intermediate certificate and use my own?

Thank you very much,
Constantin Nita
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

If you want to skip validation:


curl_setopt ($handle, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt ($handle, CURLOPT_SSL_VERIFYHOST, 0);
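
The alternative to switching verification off, as an added example that is not part of the original posts: keep CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST on and point CURLOPT_CAINFO at a bundle holding the valid root and intermediate certificates, after checking that nothing in that bundle has itself expired. The function names, and the URL and bundle path taken from the command line, are assumptions; whether the local intermediate is preferred over the expired one the server sends depends on the TLS library libcurl is built against.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// the URL and CA bundle path are supplied on the command line.
function bundle_report(string $pemPath): array
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("cannot read $pemPath");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $report = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            throw new RuntimeException("unparseable certificate in $pemPath");
        }
        $report[] = [
            'subject' => $info['name'],
            'expires' => gmdate('Y-m-d', $info['validTo_time_t']),
            'expired' => $info['validTo_time_t'] < time(),
        ];
    }
    return $report;
}

// Fetch a URL with chain and hostname verification left on, trusting only
// the CAs in $caBundle. Fails closed: a verification error raises.
function fetch_verified(string $url, string $caBundle): string
{
    $handle = curl_init($url);
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($handle, CURLOPT_CAINFO, $caBundle);
    $body = curl_exec($handle);
    if ($body === false) {
        throw new RuntimeException('TLS/transfer failed: ' . curl_errno($handle) . ' ' . curl_error($handle));
    }
    return $body;
}

// Usage: php fetch.php <https-url> <ca-bundle.pem>
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    foreach (bundle_report($argv[2]) as $c) {
        echo ($c['expired'] ? 'EXPIRED ' : 'ok      '), $c['expires'], ' ', $c['subject'], "\n";
    }
    echo strlen(fetch_verified($argv[1], $argv[2])), " bytes fetched\n";
}
```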