Asking OpenSSL to Verify Server's Certificate

This section provides a tutorial example on how to ask the OpenSSL module to verify HTTPS server's certificate using 'verify_peer' SSL context option.

Based on the documentation of "SSL context options", the OpenSSL module does not verify HTTPS server certificates by default. In this tutorial, I want to show you how to ask Open OpenSSL to verify server certificate when communicating with https://login.yahoo.com.

1. Get a copy of the root CA certificate that for login.yahoo.com certificate. This can be done by using Firefox 3 to visit https://login.yahoo.com. Read the Firefox 3 chapter of this book for more details.

2. Modify the OpenSSL test script:

<?php # OpenSSL_HTTPS_file_get_contents_with_CA.php
#- Copyright (c) 2011, HerongYang.com, All Rights Reserved.
#
$script = array_shift($argv);
$url = array_shift($argv);

$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => true,
        'cafile' => 'CA_Bundle.crt' 
    )
));

$html = file_get_contents($url, false, $context);
echo $html;
?>

3. Run the modified test script:

C:\herong>\local\php\php OpenSSL_HTTPS_file_get_contents_with_CA.php
   https://login.yahoo.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3....
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Sign in to Yahoo!</title>

<meta http-equiv="Pragma" content="no-cache">
...

The "verify_peer" option seems to be working.

Last update: 2011.

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

 Introduction of HTTPS (Hypertext Transfer Protocol Secure)

 Using HTTPS with IE (Internet Explorer) 10

 Using HTTPS with Chrome 40

 Using HTTPS with Firefox 35

 Perl Scripts Communicating with HTTPS Servers

PHP Scripts Communicating with HTTPS Servers

 Configuring PHP OpenSSL on Windows

 Testing OpenSSL with file_get_contents()

 OpenSSL Configuration Errors

 SSL Context Options for OpenSSL

Asking OpenSSL to Verify Server's Certificate

 OpenSSL Failing to Verify Server's Certificate

 Multiple CA Certificates in a Single File

 Testing OpenSSL with fopen()

 Java Programs Communicating with HTTPS Servers

 Certificate Stores and Certificate Console

 .NET Programs Communicating with HTTPS Servers

 CAcert.org - Root CA Offering Free Certificates

 PKI CA Administration - Issuing Certificates

 Digital Signature - Microsoft Word 2007

 Digital Signature - OpenOffice.org 3

 S/MIME and Email Security

 PKI (Public Key Infrastructure) Terminology

 Outdated Tutorials

 References

 PDF Printing Version