I'm trying to connect to a Web Service which requires SSL certificate pinning. The previous implementation was done in Java and now I have to convert it to PHP.
I converted the JKS to a PEM file and am using it as shown below.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
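// Peer certificate chain is not validated
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// Certificate is not matched against the host name
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// Private key file for a TLS client certificate
curl_setopt($ch, CURLOPT_SSLKEY, 'F:\www\key.pem');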
curl_setopt($ch, CURLOPT_SSLVERSION, 6);
/// END - CERTIFICATION ///
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $xml_user_registration);
//curl_setopt($ch, CURLOPT_VERBOSE, true);
$result = curl_exec($ch);
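// curl_exec() returns false on failure; compare strictly so an empty body is not treated as an error
if ($result === false) {
    echo "Start:";
    echo curl_error($ch);
    echo $result;
    echo ":End";
} else {
    echo "No Error";
}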
But I'm getting the error below.
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
Has anyone faced this issue? Am I doing something wrong, or is the Web Service having some issue?
The issue was not with my script but with the server itself. The certificate used by this particular service is outdated. But my PHP scripts run on a newer version of RedHat which has the latest CURL version.
This curl version does not support smaller Diffie-Hellman keys. Precisely, it does not support keys smaller than 1023. So I modified my server to accept keys as small as 768 by modifying the NSS configuration.
My service provider is going to update their certificate.
Found a very good article on this issue - CURL issue with NSS 3.28.4-3.0.1 - curl: (35) SSL connect error - ciphers rsa_rc4_128 only working by Mahesh Chopker
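An added example, not part of the original post: one way to do the certificate pinning the question asks about with PHP's cURL extension, keeping peer and host verification on and pinning the server's public key through CURLOPT_PINNEDPUBLICKEY. The function names, the service.example host, the ca.pem path and the throwaway certificate are assumptions made for illustration; in practice the pin is computed from the server certificate exported from the JKS.

```php
<?php
// Added example; function names, paths and host are hypothetical.

// Build curl's "sha256//<base64>" pin: SHA-256 over the DER-encoded
// SubjectPublicKeyInfo of the certificate's public key.
function spki_pin_from_cert(string $certPem): string
{
    $pub = openssl_pkey_get_public($certPem);
    if ($pub === false) {
        throw new RuntimeException('Unreadable certificate: ' . openssl_error_string());
    }
    // 'key' holds the public key as a PEM-wrapped SubjectPublicKeyInfo.
    $pem = openssl_pkey_get_details($pub)['key'];
    $der = base64_decode(preg_replace('/-----[A-Z ]+-----|\s+/', '', $pem), true);
    return 'sha256//' . base64_encode(hash('sha256', $der, true));
}

// POST with certificate verification on and the server key pinned.
function pinned_post(string $url, string $body, array $headers, string $caFile, string $pin): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_SSL_VERIFYPEER  => true,     // validate the chain against $caFile
        CURLOPT_SSL_VERIFYHOST  => 2,        // certificate must match the host name
        CURLOPT_CAINFO          => $caFile,  // PEM trust anchors, e.g. exported from the JKS
        CURLOPT_PINNEDPUBLICKEY => $pin,     // abort unless the server key matches the pin
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2, // same value as the 6 in the question
        CURLOPT_POST            => true,
        CURLOPT_HTTPHEADER      => $headers,
        CURLOPT_POSTFIELDS      => $body,
        CURLOPT_RETURNTRANSFER  => true,
    ]);
    $result = curl_exec($ch);
    if ($result === false) {
        throw new RuntimeException('Request failed: ' . curl_error($ch));
    }
    return $result;
}

// Constructed sample: a throwaway self-signed certificate stands in for the
// server certificate so the pin computation can be tried offline.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'service.example'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 1), $certPem);
$pin = spki_pin_from_cert($certPem);
echo $pin, "\n";
// pinned_post('https://service.example/ws', $xml, $headers, 'F:\www\ca.pem', $pin);
```

Pinning does not affect the Diffie-Hellman key-size check: a "dh key too small" failure happens during the handshake regardless of these options.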