[phpxmlrpc] XMLRPC & SSL - After the frustration

Mitchell S. Sharp mss-maillist at innohost.com
Thu Oct 7 19:14:32 BST 2004

Hello All!

After spending a day trying to get xmlrpc to use ssl/https rather than
http, I have finally succeeded!  It may be obvious how to do this to
some out there, but it took me a while to figure it out, even after
scouring the documentation (it would help if the online documentation
was up to date!) and list archives, so I thought I'd get a post in the
archive to help other thick skulled people like myself.  As of today,
the documentation online is version 1.0 and not 1.1.  The latter
contains the setSSLVerifyPeer() and setSSLVerifyHost() functions.  Of
course the documentation included with the tar/zip files contains the
appropriate definitions, which I did read, but it just didn't click!

In order to get xmlrpc to use secure http (https), you must do the

  $f=new xmlrpcmsg('example.call',array(new xmlrpcval(1,"int")));
  $c=new xmlrpc_client("/rpc/path","rpc.host.com", 443);
  $c->setSSLVerifyPeer(0);          // *** this is the key!!! ***

The setSSLVerifyPeer() function turns off client certificate
authentication, and allows us to just use https.  Only use
setCertificate() if you want to use certificate authentication, similar
to setCredentials() which uses a username/password combination.

Here are some of the errors you can get if you do something wrong:

        -- Forgetting to add setSSLVerifyPeer(0); --
        Fault: Code: 8 Reason 'CURL error: SSL certificate problem,
        verify that the CA cert is OK'

        -- Forgetting to add "https" to the send() function --
        400 Bad Request  Your browser sent a request that this server
        could not understand.  Reason: You're speaking plain HTTP to an
        SSL-enabled server port.  Instead use the HTTPS scheme to access
        this URL, please.
        -- Trying to use setCertificate() --
        -- Don't use setCertificate(), use setSSLVerifyPeer(0) --
        Fault: Code: 8 Reason 'CURL error: unable to set certificate
        file (wrong password?)'
I hope this helps someone in the future.  If you have any doubts that
this indeed encrypts your data, fire up ethereal, capture some packets
and take a look for yourself.  I'll sleep better now!  Big thanks to the
developer(s) for a simple to use php xmlrpc implementation!

Mitch Sharp
http://www.bluecrow.net (Personal site)

More information about the phpxmlrpc mailing list