Using HTTPS protocol with PHP

When integrating with targets that use HTTPS, many PHP developers run into problems validating the certificate used by the target.

This issue is often simply ignored by disabling SSL verification in curl, that is, by setting the CURLOPT_SSL_VERIFYPEER option to FALSE.

This is a mistake: even though the communication then goes through without errors, the certificate of the target is never verified, so the encryption no longer protects your data, leaving it vulnerable to third parties’ interception.

Solving this problem correctly is very simple: in most cases, only the list of root certificates (the CA root certificate bundle) needs to be updated.

Some PHP installations for Windows do not even include this file in the package.

For that, you just need to download the updated list available at:

http://curl.haxx.se/docs/caextract.html

Once you have the file, add the following line to the php.ini settings file.

curl.cainfo=c:\php\cacert.pem
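
As an added example (not code from the original article), here is a request that keeps verification enabled and reports a certificate failure instead of hiding it. The function name https_get, its optional $caBundle parameter and the https://example.com/ URL are assumptions made for illustration.

```php
<?php
// Added example, not from the original article.
// https_get() and its parameters are hypothetical names chosen for this sketch.

function https_get(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the certificate chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,    // require the certificate to match the host name
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    // An explicit bundle overrides curl.cainfo from php.ini for this request only.
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        // Error 60 means the chain could not be validated: fix the bundle, keep verification on.
        $hint = $errno === CURLE_SSL_CACERT ? ' (certificate not trusted: check the CA bundle)' : '';
        throw new RuntimeException("HTTPS request failed, curl error $errno: " . curl_error($ch) . $hint);
    }
    return $body;
}

// Usage: https://example.com/ is a placeholder target.
try {
    echo 'curl.cainfo = ', ini_get('curl.cainfo') ?: '(not set)', PHP_EOL;
    $body = https_get('https://example.com/');
    echo 'Received ', strlen($body), ' bytes over a verified connection', PHP_EOL;
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
    exit(1);
}
```

If curl.cainfo cannot be changed in php.ini, the bundle path can be passed as the second argument, for example https_get($url, 'c:\php\cacert.pem').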