tags:

views:

6867

answers:

9

I have a site that connects using cURL (latest version) to a secure gateway for payment.

The problem is cURL always returns 0 length content. I get headers only. And only when I set cURL to return headers. I have the following flags in place.

curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_URL, $gatewayURI);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_POST, 1);

The header returned is

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Tue, 25 Nov 2008 01:08:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Set-Cookie: ASPSESSIONIDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; path=/
Cache-control: private

I have also tried cURL'ing different sites and they return content fine. I think the problem might have something to do with the https connection.

I have spoken with the company and they are unhelpful.

Has anyone else experienced this error and know a work around? Should I ditch cURL and try and use fsockopen() ?

Thank you. :)

A: 

You are using POST method, but are you providing an array of data? E.g.

curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
too much php
$data would be simply the string of an XML file... the company says this is how it should be sent.
alex
+1  A: 

Whenever I'm testing something with PHP/Curl, I try it from the command line first, figure out what works, and then port my options to PHP.

Issac Kelly
A: 

there might be a problem at your web hosting company from where you are testing the secure communication for gateway, that they might not allow you to do that.

also there might be a username, password that must be provided before connecting to remote host.

or your IP might need to be in the list of approved IP for the remote server for communication to initiate.

Web hosting company denies any problemUsername/password is not necessaryThere is no white list on the other serverThank you for your suggestions :)
alex
+5  A: 

I had the same problem today. Curl comes with an outdated file to authenticate HTTPS certificates from.

get the new one from:

http://curl.haxx.se/ca/cacert.pem

save it into some dir on your site

and add

curl_setopt ($curl_ch, CURLOPT_CAINFO, dirname(__FILE__)."/cacert.pem");

To every request :-)

IGNORE any dumbass comments about disabling CURLOPT_VERIFYPEER and CURLOPT_VERIFYHOST!! That leaves your code vulnerable to man in the middle attacks!

SchizoDuckie
This sounded promising but it didn't work :(Do you have any other ideas?
alex
Disable your own veryfipeer and verifyhost calls. You have them in the examplecode in your post. They need to be enabled!
SchizoDuckie
I tried that... did your server you cURL'd to also return only headers with content-length: 0 ? This is driving me insane....
alex
This solved my problem. Thanks!!
JannieT
+6  A: 

You should also try checking the error messages in curl_error(). You might need to do this once after each curl_* function.

http://www.php.net/curl_error

too much php
awesome. thank you. this revealed my problem. i solved it using SchizoDuckie's solution.
Zachary Burt
A: 
adyphp
A: 

I discovered this error on a recent application project. I was writing to run from the command line or the browser window, so I was using server detection to get the relative URL of the document I was asking for. The trouble was, the site is https, and each time I attempted to access http://%28same server), cURL helpfully changed it to https.

This works fine from the browser, but from the command-line, I'd then get an SSL error even with both verify's set to false. What I had to do was,

1) Check $_SERVER['HTTP_HOST']. If present, use ($_SERVER['HTTPS'] ? "https://" : "http://").$_SERVER['HTTP_HOST']

2) Check $_SERVER['COMPUTERNAME'], and if it matched the production server, provide the https URL. ("https://(servername)")

3) If neither condition passed, it means I'm running command-line on a different server, and use "http://localhost".

Now, this worked, but it's a hack. Also, I never did figure out why on one server (https) cURL changed my URL, while on the other (also https) it left my URL alone.

Weird.

Michael
A: 

Sometimes you have to upgrade your Curl certificates to latest version not to have errors with https.

Elzo Valugi
A: 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);     
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); 

Just add them. It works. But yeah, only for testing. Please use real SSL on production if you want HTTPS protection.

mixdev