daneesv Posted February 16

Good day. I need to configure the following values in PHP:

    curl.cainfo = "/private/cacert.pem"
    openssl.cafile = "/private/cacert.pem"

How can I do this? I have tried uploading php.ini, .user.ini, and .htaccess files, but the configuration is not applied. I am hosting an application that uses SOAP with cURL. How can I modify these values on HelioHost's shared hosting? Thank you!

wolstech Posted February 17

Krydos would have to answer this, but it's quite likely that you can't change this yourself, if at all.

daneesv (Author) Posted February 17

I understand. What I want is to use an AFIP/Argentina web service that connects to URLs like https://wsaa.afip.gov.ar/ws/services/*** using SoapClient in PHP. This works correctly on other hosting providers, but on HelioHost, I get the error: "Fatal error: Uncaught Exception: SOAP Fault: HTTP Could not connect to host". I believe there is an issue with the certificate configuration, specifically with the values of curl.cainfo and openssl.cafile. Is it possible to enable these connections in any way? Thank you!

Krydos Posted February 17

1 hour ago, daneesv said:
    "Fatal error: Uncaught Exception: SOAP Fault: HTTP Could not connect to host".

There's about 100 reasons why you could see this error, and yes SSL is one of them, but I doubt that is the case here. The SSL certificate for wsaa.afip.gov.ar seems fine and Johnny's curl is accepting the connection with SSL just fine.

daneesv (Author) Posted February 18

Okay! Thanks! I'll try to solve the problem another way...

daneesv (Author) Posted February 18

The problem has been resolved. Thank you very much for your attention. The Heliohost server rejects the SSL connection with AFIP because the DH (Diffie-Hellman) key is too small and is not considered secure. Heliohost has strict SSL security settings that block connections with small DH keys. The AFIP server uses an old or weak DH key, which causes Heliohost to reject the connection. OpenSSL on Heliohost is blocking connections with certain ciphers. The solution was to add the following context to the SOAP connection:

    'stream_context' => stream_context_create([
        'ssl' => [
            'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
            'verify_peer' => false,
            'verify_peer_name' => false,
            'ciphers' => 'DEFAULT:@SECLEVEL=1'
        ]
    ])
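
An added example, not part of any post in this thread: a PHP probe that tells a DH key size rejection apart from a certificate problem by handshaking at the default and at the lowered security level, with peer verification left on in both runs, plus a SoapClient factory that applies the same context. The function names are hypothetical, the host and CA bundle path are the ones quoted in the posts above and are assumed to be reachable and readable, and the WSDL URL is left to the caller because the thread elides it.

```php
<?php
// Added example, not code from the thread. Host and CA path come from the posts.
const CA_BUNDLE = '/private/cacert.pem';   // assumption: a readable CA bundle
const HOST      = 'wsaa.afip.gov.ar';

// TLS options with certificate and hostname checks on; only $ciphers varies.
function tlsOptions(string $ciphers): array
{
    return ['ssl' => [
        'crypto_method'    => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => CA_BUNDLE,
        'ciphers'          => $ciphers,
    ]];
}

// Attempt one handshake; return the negotiated cipher or the collected warnings.
function probe(string $host, string $ciphers): string
{
    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $fp = stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, stream_context_create(tlsOptions($ciphers)));
    restore_error_handler();
    if ($fp === false) {
        return 'FAILED: ' . implode(' | ', $warnings);
    }
    $crypto = stream_get_meta_data($fp)['crypto'] ?? [];
    fclose($fp);
    return sprintf('OK: %s %s', $crypto['protocol'] ?? '?', $crypto['cipher_name'] ?? '?');
}

// SOAP client with the relaxed security level scoped to this one connection.
function afipSoapClient(string $wsdl): SoapClient
{
    return new SoapClient($wsdl, [
        'stream_context' => stream_context_create(tlsOptions('DEFAULT:@SECLEVEL=1')),
    ]);
}

if (PHP_SAPI === 'cli') {
    // Verification is on in both runs; failing only on DEFAULT implicates the security level.
    foreach (['DEFAULT', 'DEFAULT:@SECLEVEL=1'] as $ciphers) {
        printf("%-20s %s\n", $ciphers, probe(HOST, $ciphers));
    }
}
```

If both runs fail with a certificate verification message, the CA bundle path is the thing to check rather than the cipher string.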