Certificate Pinning with PHP cURL

I see there are tons of posts on SO about the error:

SSL certificate problem: unable to get local issuer certificate

And that is the one I am getting.

All of the answers just say to download the root certificates from:

https://curl.haxx.se/ca/cacert.pem

and set it in CURLOPT_CAINFO or in php.ini's curl.cainfo.

But what this does is actually just tell cURL to trust the list of root CAs and the CAs they trust.

From my understanding, certificate pinning should ignore all these root CAs and just trust the single certificate of a particular provider.

What is the correct way to fix this error?

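    // $url is the HTTPS endpoint being requested
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    // Trust anchors: a single PEM file, plus a directory of hashed CA certificates
    curl_setopt($ch, CURLOPT_CAINFO, '/etc/httpd/static.gc.apple.com.pem');
    curl_setopt($ch, CURLOPT_CAPATH, '/etc/httpd/');

    // Public key pinning, commented out because this PHP build lacks the constant
    //curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, "sha256//TeyzGG/8dvpuksAeSCb3tsvLEHbY6w9q63tXhOIf0Tg=");
    $sslCertificate = curl_exec($ch);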

I know that libcurl itself has an option, "CURLOPT_PINNEDPUBLICKEY", which does exactly what I need, but currently PHP still does not support it... (there is no such constant in PHP and I have no idea what the actual value of the constant is)

Basically, the issue is that the PHP installed with yum from Remi wasn't compiled against a curl and openssl that support it. So we had to update curl and openssl and compile PHP from source, and it worked.
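
As an added example (not code from the question or the answer above), this sketch derives a `sha256//` pin of the kind passed to CURLOPT_PINNEDPUBLICKEY and builds a handle that refuses to run unpinned on a PHP/libcurl build without pinning support, which is the situation the answer describes. The function names `spki_pin()` and `pinned_handle()` are hypothetical, and the key pair is a throwaway generated locally as constructed sample input.

```php
<?php
// Added example; spki_pin() and pinned_handle() are hypothetical helper names.

/** Return "sha256//<base64>" for a PEM certificate or PEM public key. */
function spki_pin(string $pem): string
{
    $key = openssl_pkey_get_public($pem);   // accepts an X.509 cert or a public key
    if ($key === false) {
        throw new InvalidArgumentException('not a PEM certificate or public key');
    }
    // 'key' holds the SubjectPublicKeyInfo in PEM; strip the armor to get DER bytes.
    $spkiPem = openssl_pkey_get_details($key)['key'];
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $spkiPem), true);
    if ($der === false) {
        throw new RuntimeException('could not decode the public key');
    }
    // The pin is the base64 of the raw SHA-256 digest of the DER-encoded key.
    return 'sha256//' . base64_encode(hash('sha256', $der, true));
}

/** Build a cURL handle pinned to $pin; fail closed if this build cannot pin. */
function pinned_handle(string $url, string $pin)
{
    // PHP only defines the constant when built against a libcurl that has it;
    // sha256// pins additionally need libcurl >= 7.44.0 (0x072C00).
    if (!defined('CURLOPT_PINNEDPUBLICKEY')
        || curl_version()['version_number'] < 0x072C00) {
        throw new RuntimeException('this PHP/libcurl build cannot pin public keys');
    }
    $ch = curl_init($url);
    // Pinning is checked in addition to CA and host name verification.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    if (!curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, $pin)) {
        throw new RuntimeException('the TLS backend rejected the pin');
    }
    return $ch;
}

// Constructed sample input: a throwaway RSA key generated locally, no network needed.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                          'private_key_bits' => 2048]);
$pin = spki_pin(openssl_pkey_get_details($pair)['key']);
echo $pin, PHP_EOL;
```

For a real service, pass the server certificate's PEM to `spki_pin()` instead of the generated key; the pin stays valid across certificate renewals only as long as the provider keeps the same key pair.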
