Stop turning off CURLOPT_SSL_VERIFYPEER and fix your PHP config

This post is more than 11 years old.

As Pádraic Brady points out in a recent article about PHP security, there’s a whole lot of misinformation about how to deal with the error “SSL certificate problem, verify that the CA cert is OK” from curl. Nearly everyone advises that you turn CURLOPT_SSL_VERIFYPEER off (in fact, countless comments on the PHP manual page for curl_setopt tell you this). This is bad, because it allows your nice, encrypted stream of confidential data to be silently highjacked by a bad guy. Don’t do that! Instead, just fix your PHP installation so that it doesn’t get that error.

The error is caused by not having an up-to-date bundle of CA root certificates. This is typically a text file with a bunch of cryptographic signatures that curl uses to verify a host’s SSL certificate. You need to make sure that your installation of PHP has one of these files, and that it’s up to date.

Anyone running a recent Linux distribution is probably already OK, because they get the curl libraries bundled in through their package managers and recent curl libraries come with the latest CA root certificate bundle from Mozilla.org. This means you can just turn CURLOPT_SSL_VERIFYPEER on and you won’t get any errors.

For a PHP installation that doesn’t come with this file, like the Windows PHP distribution, you need to download the CA root certificate bundle and tell PHP where to find it. Luckily this is really easy. The curl website has the latest CA root certificate bundle ready to go, just download the .pem and save it where your PHP installation can access it.

Then you just need to edit your php.ini file to tell curl where you saved the .pem file. On my Windows test VM, I have several PHP versions under c:\php, so I put the file into that folder and added this line to each php.ini file:

curl.cainfo=c:\php\cacert.pem

After restarting the web service, curl now has a valid CA root certificate bundle and it can verify the SSL certificates of remote servers just fine. If it does get an error, it’s because the certificate is invalid — and that’s what you want it to do.

Job is done, safely.