verify
- Summary
  Describes the SSL certificate verification behavior of a request.
  - Set to true to enable SSL certificate verification and use the default CA bundle provided by the operating system.
  - Set to false to disable certificate verification (this is insecure!).
  - Set to a string to provide the path to a CA bundle to enable verification using a custom certificate.
- Types
  - bool
  - string
- Default
  true
- Constant
  GuzzleHttp\RequestOptions::VERIFY
    // Use the system's CA bundle (this is the default setting)
    $client->request('GET', '/', ['verify' => true]);

    // Use a custom SSL certificate on disk.
    $client->request('GET', '/', ['verify' => '/path/to/cert.pem']);

    // Disable validation entirely (don't do this!).
    $client->request('GET', '/', ['verify' => false]);
Not all systems have a known CA bundle on disk. For example, Windows and OS X do not have a single common location for CA bundles. When setting "verify" to true, Guzzle will do its best to find the most appropriate CA bundle on your system. When using cURL or the PHP stream wrapper on PHP versions >= 5.6, this happens by default. When using the PHP stream wrapper on versions < 5.6, Guzzle tries to find your CA bundle in the following order:
- Check if openssl.cafile is set in your php.ini file.
- Check if curl.cainfo is set in your php.ini file.
- Check if /etc/pki/tls/certs/ca-bundle.crt exists (Red Hat, CentOS, Fedora; provided by the ca-certificates package)
- Check if /etc/ssl/certs/ca-certificates.crt exists (Ubuntu, Debian; provided by the ca-certificates package)
- Check if /usr/local/share/certs/ca-root-nss.crt exists (FreeBSD; provided by the ca_root_nss package)
- Check if /usr/local/etc/openssl/cert.pem exists (OS X; provided by homebrew)
- Check if C:\windows\system32\curl-ca-bundle.crt exists (Windows)
- Check if C:\windows\curl-ca-bundle.crt exists (Windows)
The result of this lookup is cached in memory so that subsequent calls in the same process will return very quickly. However, when sending only a single request per process in something like Apache, you should consider setting the openssl.cafile PHP ini setting to the path on disk to the file so that this entire process is skipped.
If you do not need a specific certificate bundle, then Mozilla provides a commonly used CA bundle which can be downloaded here (provided by the maintainer of cURL). Once you have a CA bundle available on disk, you can set the "openssl.cafile" PHP ini setting to point to the path to the file, allowing you to omit the "verify" request option. Much more detail on SSL certificates can be found on the cURL website.
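The lookup order listed above can be audited on a host before relying on 'verify' => true. The following is an added example, not Guzzle's own code: find_ca_bundle() is a hypothetical helper name, and the script assumes the PHP CLI, version 7.1 or later. It reports which bundle would be selected, and exits non-zero when none is found or the file contains no certificates.

```php
<?php
// Added example (not Guzzle's code). find_ca_bundle() is a hypothetical name.

/** @return array{source: string, path: string}|null */
function find_ca_bundle(): ?array
{
    // php.ini settings are consulted first, in this order.
    foreach (['openssl.cafile', 'curl.cainfo'] as $setting) {
        $path = ini_get($setting); // false if the directive is unknown
        if (is_string($path) && $path !== '') {
            return ['source' => "php.ini: $setting", 'path' => $path];
        }
    }

    // Then the distribution-specific locations, in the documented order.
    $candidates = [
        '/etc/pki/tls/certs/ca-bundle.crt',        // Red Hat, CentOS, Fedora
        '/etc/ssl/certs/ca-certificates.crt',      // Ubuntu, Debian
        '/usr/local/share/certs/ca-root-nss.crt',  // FreeBSD
        '/usr/local/etc/openssl/cert.pem',         // OS X (homebrew)
        'C:\\windows\\system32\\curl-ca-bundle.crt',
        'C:\\windows\\curl-ca-bundle.crt',
    ];
    foreach ($candidates as $path) {
        if (is_file($path) && is_readable($path)) {
            return ['source' => 'well-known path', 'path' => $path];
        }
    }
    return null;
}

$found = find_ca_bundle();
if ($found === null) {
    // Fail closed: the fix is a bundle on disk, never 'verify' => false.
    fwrite(STDERR, "No CA bundle found; set openssl.cafile or pass a path in 'verify'.\n");
    exit(1);
}

// An ini setting can point at a missing or empty file, so check the content.
$pem = is_readable($found['path']) ? (string) file_get_contents($found['path']) : '';
$count = substr_count($pem, '-----BEGIN CERTIFICATE-----');
printf("%s -> %s (%d certificates)\n", $found['source'], $found['path'], $count);
exit($count > 0 ? 0 : 1);
```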