
EDIT: I have solved the problem! :) I'm new to PKI, so I have problems with certificates. I am writing a PHP script for downloading a protected file which is updated every day. My company obtained data for generating a demo server certificate. I generated a private key and downloaded the demo server certificate and CA certificate. I installed them all on Windows Server 2012. I have these files:

  • CA certificate (APIS_IT.cer) (can't be opened in a text editor)
  • APIS_IT.pem: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
  • cert_file.pem: Bag Attributes Microsoft Local Key set: <No Values> localKeyID: 01 00 00 00 friendlyName: lh-... Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider Key Attributes X509v3 Key Usage: 10 -----BEGIN ENCRYPTED PRIVATE KEY-----...-----END ENCRYPTED PRIVATE KEY----- Bag Attributes localKeyID: 01 00 00 00 subject=/C=HR/ST=Hrvatska/L=ZAGREB/O=HZZO/OU=HR0/CN=...2 issuer=/C=HR/ST=Hrvatska/L=ZAGREB/O=HZZO/OU=HR0/CN=...2 -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
  • democacert.cer (can't be opened in a text editor)
  • Privatekey.pfx (can't be opened in a text editor)
  • servercert.cer: -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
  • novi.pem (combination of servercert.cer and APIS_IT.pem)

PHP script:

<?php
$OIB_URL       = "https://demo.apis-it.hr:8444/kpoib/kp_lista_aktiviranih_korisnika.txt";
$Cert_path     = "C:\\PKI\\servercert.cer";   // not used below
$key_path      = "C:\\PKI\\cert_file.pem";    // holds both the encrypted private key and the client certificate
$APIS_pem      = "C:\\PKI\\novi.pem";         // servercert.cer + APIS_IT.pem, used as the trust store
$cert_password = "cert_pass";

$handle  = curl_init();
$options = array(
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_SSL_VERIFYPEER => TRUE,          // verify the server certificate against CURLOPT_CAINFO
    CURLOPT_CAINFO         => $APIS_pem,
    CURLOPT_VERBOSE        => TRUE,
    CURLOPT_SSL_VERIFYHOST => FALSE,         // host name check disabled
    CURLOPT_SSLCERTPASSWD  => $cert_password,
    CURLOPT_SSLCERT        => $key_path,     // client certificate and key come from the same PEM file
    CURLOPT_SSLKEY         => $key_path,
    CURLOPT_SSLVERSION     => 3,             // forces SSLv3 (CURL_SSLVERSION_SSLv3)
    CURLOPT_URL            => $OIB_URL
);

curl_setopt_array($handle, $options);
echo curl_exec($handle);
if (curl_errno($handle)) {
    echo 'Error: ' . curl_error($handle);
}
curl_close($handle);
?>

Error in Firefox is:

Error: Unknown SSL protocol error in connection to demo.apis-it.hr:8444

Error on the command line is:

* Adding handle: conn: 0x2f91210
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x2f91210) send_pipe: 1, recv_pipe: 0
* About to connect() to demo.apis-it.hr port 8444 (#0)
*   Trying 185.20.28.196...
* Connected to demo.apis-it.hr (185.20.28.196) port 8444 (#0)
* successfully set certificate verify locations:
*   CAfile: C:\PKI\novi.pem
  CApath: none
* error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
* Closing connection 0
Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Cikson

1 Answer

Your peer didn't like your certificate and sent you a fatal bad certificate alert message. Note SSL_VERIFY_PEER requests client auth but doesn't require it!

To require it add SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

Have you tried setting CURLOPT_SSL_VERIFYPEER=>FALSE? Also, since you're running this on Windows, you may have to set up your own cert location:

curl_setopt($handle, CURLOPT_CAINFO, 'C:\PKI\novi.pem');

Marty

  • I have tried all 4 combinations of CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate – Cikson Jan 28 '14 at 10:43
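The "sslv3 alert bad certificate" in the question is the server rejecting the client certificate that curl presented, so the useful checks happen before curl is involved: does the private key open with the passphrase and belong to the certificate, and does the certificate chain, as a TLS client certificate, to a CA the server trusts. The script below is an added example and not code from the question or the answer; it builds a throwaway CA and client certificate with the openssl command-line tool (constructed test data, standing in for the APIS/HZZO files), stores the client key as an ENCRYPTED PRIVATE KEY the way cert_file.pem has it, and then runs the checks once on the matching set and three times on deliberately broken inputs. The file names, the "cert_pass" passphrase and the function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question or answer): pre-flight checks for a TLS
# client certificate with the openssl CLI. All file names, the passphrase and the
# throwaway PKI below are constructed for the demonstration.

# Usage: check_client_identity CERT_PEM KEY_PEM KEY_PASSPHRASE CA_PEM
# Prints one line per finding; returns 0 only when every check passes.
check_client_identity() {
    cert=$1; key=$2; pass=$3; ca=$4
    status=0

    # 1. The key must open with the passphrase and belong to the certificate.
    #    Both commands print the public key as PEM, so a string comparison
    #    tells us whether certificate and key are the same key pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || true
    if [ -z "$cert_pub" ]; then
        echo "FAIL: $cert is not a readable PEM certificate"; status=1
    elif [ -z "$key_pub" ]; then
        echo "FAIL: $key could not be read (wrong passphrase or wrong file?)"; status=1
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $cert"; status=1
    fi

    # 2. The certificate must chain to the CA the server trusts and be valid for
    #    TLS client authentication (validity period, key usage, extendedKeyUsage).
    #    A server that fails this check is what sends the "bad certificate" alert.
    verify_out=$(openssl verify -purpose sslclient -CAfile "$ca" "$cert" 2>&1) || true
    case $verify_out in
        *": OK"*) ;;
        *) echo "FAIL: $cert does not verify as an SSL client certificate against $ca"
           echo "      openssl said: $(printf '%s' "$verify_out" | tail -n 1)"
           status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "OK: $cert, $key and $ca are consistent"
    return "$status"
}

# Constructed test PKI in DIR: a CA, a client certificate it issued (key stored as
# a PKCS#8 ENCRYPTED PRIVATE KEY under "cert_pass"), and a second, unrelated CA.
make_test_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
    for name in ca other-ca; do
        openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=Test $name" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    done
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=test-client" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/pki.cnf" -extensions client_ext \
        -out "$dir/client.crt" 2>/dev/null
    # Encrypted PKCS#8, the same block type as the question's cert_file.pem.
    openssl pkcs8 -topk8 -in "$dir/client.key" -out "$dir/client.enc.key" \
        -passout pass:cert_pass 2>/dev/null
}

# Demonstration: one OK line for the matching set, then FAIL lines for a wrong CA,
# a wrong passphrase, and a key that belongs to a different certificate.
demo=$(mktemp -d)
make_test_pki "$demo"
check_client_identity "$demo/client.crt" "$demo/client.enc.key" cert_pass "$demo/ca.crt"
check_client_identity "$demo/client.crt" "$demo/client.enc.key" cert_pass "$demo/other-ca.crt" || true
check_client_identity "$demo/client.crt" "$demo/client.enc.key" wrong_pass "$demo/ca.crt" || true
check_client_identity "$demo/client.crt" "$demo/ca.key" "" "$demo/ca.crt" || true
rm -rf "$demo"
```

Run it against the real files by calling check_client_identity with the client certificate, the key file, its passphrase and the CA file the server side is known to use; the wrong-CA case is the one that reproduces the question's symptom, because the server completes the handshake up to the client certificate and then aborts with the alert. Once the checks pass, curl only needs the same three inputs: the certificate in CURLOPT_SSLCERT, the key in CURLOPT_SSLKEY with its passphrase in CURLOPT_SSLKEYPASSWD, and the CA that issued the server's certificate in CURLOPT_CAINFO, with CURLOPT_SSL_VERIFYHOST left at 2 so the server's name is still checked.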