cURL，php和SSL错误

Question

I got instructions from an organisation how to connect to their server with a CA, key and cert. Tried in the terminal successfully with the following:

openssl s_client -connect api-system3.xxxx.com:443 -CAfile teliasonerarootcav1.cer -cert BolagACert.crt -key BolagAKey.key

and a following GET request. Seems to return ok:

    CONNECTED(00000003)
    depth=2 O = TeliaSonera, CN = TeliaSonera Root CA v1
    verify return:1
    depth=1 C = FI, O = TeliaSonera, CN = TeliaSonera Server CA v2
    verify return:1
    depth=0 C = SE, L = XXXXX, O = XXXXX, OU = IT, CN = *.XXXX.COM
    verify return:1
    ---
    Certificate chain
     0 s:/C=SE/L=XXXXX/O=XXXXX/OU=IT/CN=*.XXXXXX
       i:/C=FI/O=TeliaSonera/CN=TeliaSonera Server CA v2
     1 s:/C=FI/O=TeliaSonera/CN=TeliaSonera Server CA v2
       i:/O=TeliaSonera/CN=TeliaSonera Root CA v1
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
   XXXXXX
    -----END CERTIFICATE-----
    subject=/C=XX/L=XXXXX/O=XXXXXX/OU=IT/CN=*.XXXXXX.COM
    issuer=/C=FI/O=TeliaSonera/CN=TeliaSonera Server CA v2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3879 bytes and written 441 bytes
    ---
    New, TLSv1/SSLv3, Cipher is XXXXX
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : XXXXX
        Session-ID: XXXXXX
        Session-ID-ctx: 
        Master-Key: XXXXXX
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1517505794
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    GET /XXXXXX/
    depth=2 O = TeliaSonera, CN = TeliaSonera Root CA v1
    verify return:1
    depth=1 C = FI, O = TeliaSonera, CN = TeliaSonera Server CA v2
    verify return:1
    depth=0 C = XX, L = XXXX, O = XXXXX, OU = IT, CN = *.XXXXX.COM
    verify return:1
    read R BLOCK
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://www.xxxxx.com/">here</a>.</p>
    <hr>
    <address>Apache Server at system3-jas123.system3.xxxxx.com Port 443</address>
    </body></html>
    read:errno=0

Trying to implement this into a PHP cURL request but the code below generates the error: The requested URL returned error: 403 Forbidden

Any thoughts what is wrong?

Code:

$CAfile = getcwd()."/teliasonerarootcav1.cer";
$pemfile = getcwd()."/BolagACert.crt";
$keyfile = getcwd()."/BolagAKey.key";
$url = "https://xxxx.com/xxxxx";

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1); 
curl_setopt($ch, CURLOPT_FAILONERROR, 1); 
curl_setopt($ch, CURLOPT_SSLCERT, $pemfile); 
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)');
curl_setopt($ch, CURLOPT_CAINFO,  $CAfile);
curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM'); 
curl_setopt($ch, CURLOPT_SSLKEY, $keyfile); 
$ret = curl_exec($ch);

//if error
if ($ret === false) {
    $info = curl_error($ch);
    curl_close($ch);
    die('Error: ' . $info);
}


curl_close($ch);

echo "<pre>";
print_r(json_decode($ret,true));
echo "</pre>";

Answer 1

SSL and HTTP response code are two different stories. First you use SSL to connect to the server, then the server processes the request and returns response code. In your openssl dump there's nothing about what HTTP response code is, so it may actually have returned 403. On the other hand the 403 response in PHP means you got the connection set up correctly and the server does process your request. Please check if the API requires some kind of credentials passed along.