Developing software in the Real World

SSL certificate verification on PHP 5.6

I recently updated my local OS X Zend Server installation to PHP 5.6 and when I ran composer self-update, I got this error message:

[Composer\Downloader\TransportException]                                                                                       
The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:  
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed                                              
Failed to enable crypto                                                                                                        
failed to open stream: operation failed 

Googling around, I finally worked out that there have been various SSL improvements in PHP 5.6 and that the problem was that it couldn’t find any OpenSSL certificates on my system. This isn’t a total surprise as OS X has been moving away from using OpenSSL internally in favour of its own libraries.

There’s a new PHP function openssl_get_cert_locations that helps with this and so I ran:

$ php -r "print_r(openssl_get_cert_locations());"

on the command line to find out where PHP was looking. On my system, I got this:

Array
(
    [default_cert_file] => /usr/local/openssl-0.9.8zb/ssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /usr/local/openssl-0.9.8zb/ssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /usr/local/openssl-0.9.8zb/ssl/private
    [default_default_cert_area] => /usr/local/openssl-0.9.8zb/ssl
    [ini_cafile] => 
    [ini_capath] => 
)

There is no directory /usr/local/openssl-0.9.8zb on my system and SSL_CERT_FILE and SSL_CERT_DIR are not defined, so it’s no surprise that PHP was struggling.

To fix it, I install openssl via homebrew:

brew install openssl

This installs the openssl certificates to /usr/local/etc/openssl/cert.pem, so we can now use the new PHP 5.6 INI setting openssl.cafile to tell PHP where to find the certificates:

Adding

openssl.cafile=/usr/local/etc/openssl/cert.pem

to Zend Server’s php.ini solved the problem and I can now use composer once again!

7 thoughts on “SSL certificate verification on PHP 5.6

  1. Must say that it works fine here using PHP 5.6 (via MAMP PRO 3.0.7.2) on OS X 10.10.

    Here some console output:

    $ composer self-update
    Updating to version 095dc6129550de93cd98170c8e6c6ccd4558e983.
        Downloading: 100%         
    Use composer self-update --rollback to return to version d249d0c1218a06a9380a97edee3b7a6b9e42d714
    
    $ php -v
    PHP 5.6.2 (cli) (built: Oct 20 2014 16:21:27) 
    Copyright (c) 1997-2014 The PHP Group
    Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies
    
    $ php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /System/Library/OpenSSL/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /System/Library/OpenSSL/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /System/Library/OpenSSL/private
        [default_default_cert_area] => /System/Library/OpenSSL
        [ini_cafile] => 
        [ini_capath] => 
    )

    What happens if you change those paths to the ones I've got?

  2. Thanks Rob, i had the same problems using when using XAMPP and this fixed it perfectly.

  3. I also had this issue (XAMPP 5.6.3 on OSX 10.10.1) except I got these directories instead:

    $ php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /Applications/XAMPP/xamppfiles/share/openssl/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /Applications/XAMPP/xamppfiles/share/openssl/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /Applications/XAMPP/xamppfiles/share/openssl/private
        [default_default_cert_area] => /Applications/XAMPP/xamppfiles/share/openssl
        [ini_cafile] => 
        [ini_capath] => 
    )
    

    Although the directory was there, the "cert.pem" file didn't exist so I downloaded http://curl.haxx.se/ca/cacert.pem and saved it as "cert.pem" in the directory. Tried "composer install" again and no more ssl issues! :D

Comments are closed.