EVE Technology Lab

 
 

Problems with SSO callback function

Jen Moriarty
Out of Focus
Odin's Call
#1 - 2015-03-11 17:48:45 UTC
Hi there,

I've been using the SSO for a few months now to authenticate people accessing my tool. The code I've used is pretty straightforward and mostly scavenged from Steve's example. It was working well.

A few hours ago I started seeing this problem when calling the callback function for the SSO authentication:
SSL certificate problem: unable to get local issuer certificate

This is the code that produces the error:

    //Do the initial check.
    $header='Authorization: Basic '.base64_encode($client_id.':'.$secret);
    $fields_string='';
    $fields=array(
                'grant_type' => 'authorization_code',
                'code' => $code
            );
    // URL-encode the POST body so characters in $code cannot corrupt the request.
    $fields_string = http_build_query($fields);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $token_url);
    curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array($header));
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // While using this is optional, it may be required if you encounter
    // the "SSL certificate problem: unable to get local issuer certificate"
    // error when calling the API using curl.
    //curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false );

    $result = curl_exec($ch);

    if ($result===false) {
        auth_error(curl_error($ch));
    }


I've tried setting CURLOPT_SSL_VERIFYPEER to false, but even that produces the same error. Has something changed on the SSO side to suddenly cause this?
Aineko Macx
#2 - 2015-03-11 18:04:24 UTC
Just tested my scripts and couldn't replicate the issue. Are you seeing this consistently or sporadically?

The curl options I set are slightly different though, notably CURLOPT_SSL_CIPHER_LIST although I don't think protocol negotiation is the problem here. https://github.com/aineko-m/iveeCrest/blob/master/www/getrefreshtoken.php#L110
Jen Moriarty
Out of Focus
Odin's Call
#3 - 2015-03-11 18:38:27 UTC
I'm seeing this quite consistently.

When checking this on my local server, it works well. It used to work well on my hosting service as well. Up until a few hours ago.
Kali Izia
GoomWaffe
#4 - 2015-03-11 19:42:11 UTC
Is this TQ or Sisi? I believe they have different SSL configurations, or at least they used to.
Some CURL setups hate a lot of CCP SSL sites because of their weak ciphers/signatures/protocols etc.
I'd also check to make sure your server's CA bundle is up to date.

I haven't been seeing any recent issues though, and I tested your code on both TQ & Sisi with no problems.
Jen Moriarty
Out of Focus
Odin's Call
#5 - 2015-03-11 20:20:32 UTC
Kali Izia wrote:
Is this TQ or Sisi?

TQ

Quote:

I'd also check to make sure your server's CA bundle is up to date.


Not very familiar with this. What specifically do I need to check?
Jen Moriarty
Out of Focus
Odin's Call
#6 - 2015-03-13 07:12:15 UTC
Is there a way to fix this myself? Can't really get much cooperation from my host.
Please be detailed :)
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#7 - 2015-03-13 12:58:30 UTC
Try setting this in amongst the other curl_setopts

curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/cacert.pem');

and having this file in the same directory (or have it elsewhere, and update the path).
http://curl.haxx.se/ca/cacert.pem

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
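One way to do the CA bundle check asked about in post #5 and to confirm the CURLOPT_CAINFO fix from post #7 with certificate verification left on. This is an added example, not code from the thread; the function names are hypothetical, cacert.pem is assumed to sit beside the script, and the URL to probe is assumed to be passed as the first command-line argument.

```php
<?php
// Added example, not code from the thread. Verification stays ON throughout.
// Assumptions: cacert.pem sits beside this script (post #7); the URL to probe
// is the first CLI argument and comes from your own configuration.

// Summarise a CA bundle file: usable, certificate count, age in days.
function describe_bundle($path) {
    if (!is_string($path) || $path === '' || !is_readable($path)) {
        return array('ok' => false, 'certs' => 0, 'age_days' => null);
    }
    $certs = substr_count(file_get_contents($path), '-----BEGIN CERTIFICATE-----');
    $age = (int) floor((time() - filemtime($path)) / 86400);
    return array('ok' => $certs > 0, 'certs' => $certs, 'age_days' => $age);
}

// TLS-verified HEAD request; $cainfo = null means "use libcurl's default store".
function probe($url, $cainfo) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_NOBODY, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    if ($cainfo !== null) { curl_setopt($ch, CURLOPT_CAINFO, $cainfo); }
    $ok = curl_exec($ch) !== false;
    // errno 60 is libcurl's certificate-verification failure.
    return array('ok' => $ok, 'errno' => curl_errno($ch), 'error' => curl_error($ch));
}

$v = curl_version();
echo "libcurl {$v['version']} with {$v['ssl_version']}\n";
$local = dirname(__FILE__) . '/cacert.pem';
$bundles = array(
    'curl.cainfo (php.ini)'    => ini_get('curl.cainfo'),
    'openssl.cafile (php.ini)' => ini_get('openssl.cafile'),
    'local cacert.pem'         => $local,
);
foreach ($bundles as $label => $path) {
    $b = describe_bundle($path);
    printf("%-26s %-8s certs=%d age_days=%s path=%s\n", $label, $b['ok'] ? 'usable' : 'unusable',
        $b['certs'], $b['age_days'] === null ? '-' : $b['age_days'], $path ? $path : '(unset)');
}

if (isset($argv[1])) {
    foreach (array('default store' => null, 'local cacert.pem' => $local) as $label => $ca) {
        if ($ca !== null && !is_readable($ca)) { continue; }
        $r = probe($argv[1], $ca);
        printf("%-18s %s\n", $label, $r['ok'] ? 'verified' : "FAILED ({$r['errno']}) {$r['error']}");
    }
}
```

If the probe fails with the default store but verifies with the local cacert.pem, the host's CA store is the problem and the CURLOPT_CAINFO line from post #7 is the fix to keep.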