Can't connect to HTTPS site using cURL. Returns 0 length content instead. What can I do?

0 votes
asked Nov 25, 2008 by alex

I have a site that connects using cURL (latest version) to a secure gateway for payment.

The problem is cURL always returns 0 length content. I get headers only. And only when I set cURL to return headers. I have the following flags in place.

curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_URL, $gatewayURI);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_POST, 1);

The header returned is

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Tue, 25 Nov 2008 01:08:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Set-Cookie: ASPSESSIONIDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; path=/
Cache-control: private

I have also tried cURL'ing different sites and they return content fine. I think the problem might have something to do with the https connection.

I have spoken with the company and they are unhelpful.

Has anyone else experienced this error and know a work around? Should I ditch cURL and try and use fsockopen() ?

Thank you. :)

8 Answers

0 votes
answered Nov 3, 2008 by too-much-php

You should also try checking the error messages in curl_error(). You might need to do this once after each curl_* function.

http://www.php.net/curl_error

0 votes
answered Nov 25, 2008 by too-much-php

You are using POST method, but are you providing an array of data? E.g.

curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
0 votes
answered Nov 25, 2008 by issac-kelly

Whenever I'm testing something with PHP/Curl, I try it from the command line first, figure out what works, and then port my options to PHP.

0 votes
answered Nov 25, 2008 by schizoduckie

I had the same problem today. Curl comes with an outdated file to authenticate HTTPS certificates from.

get the new one from:

http://curl.haxx.se/ca/cacert.pem

save it into some dir on your site

and add

curl_setopt ($curl_ch, CURLOPT_CAINFO, dirname(__FILE__)."/cacert.pem"); 

To every request :-)

IGNORE any dumbass comments about disabling CURLOPT_VERIFYPEER and CURLOPT_VERIFYHOST!! That leaves your code vulnerable to man in the middle attacks!

December 2016 edit:

Solve this properly by using Jasen's method mentioned below.

add curl.cainfo=/etc/ssl/certs/ca-certificates.crt to you php.ini

0 votes
answered Nov 5, 2010 by elzo-valugi

Sometimes you have to upgrade your Curl certificates to latest version not to have errors with https.

0 votes
answered Nov 19, 2012 by cobra-fast

Just had a very similar problem and solved it by adding

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

Apparently the site I'm fetching redirects to another location and php-curl doesn't follow redirects by default.

0 votes
answered Nov 12, 2013 by user203319

I had a situation where this helped: (PHP 5.4.16 on Windows)

curl_setopt($ch, CURLOPT_SSLVERSION, 3);
0 votes
answered Sep 15, 2017 by heitor

The best way to use https and avoid security issues is to use Firefox (or another tool) and download the certificate to your server. This webpage helped me a lot, and these were the steps that worked for me:

1) Open in Firefox the URL you're gonna use with CURL

2) On the address bar click on the padlock > more information (FF versions can have different menus, just find it). Click the "View certificate" button > Details tab.

3) Highlight the "right" certificate in "Certificate hierarchy". In my case it was the second of three, called "cPanel, Inc. Certification Authority". I just discovered the right one by "trial and error" method.

4) Click the "Export" button. In my case the one who worked was the file type "PEM with chains" (again by trial and error method).

5) Then in your PHP script add:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    
curl_setopt($ch, CURLOPT_CAINFO, [PATH_TO_CRT_FILE]);

In addition I'd say that we must pay attention on the fact that these steps will probably need to be redone once a year or whenever the URL certificate is replaced or renewed.

Welcome to Q&A, where you can ask questions and receive answers from other members of the community.
Website Online Counter

...