Sslurp is a simple library which aims to make properly dealing with SSL in PHP suck less.
PHP Shell
Latest commit 8daf3d2 Feb 5, 2015 @EvanDotPro Merge pull request #4 from sasezaki/patch-1
add PHP 5.5, 5.6 to .travis.yml
Failed to load latest commit information.
bin update bin tool to be a bit more sensible Oct 31, 2013
data Add Equifax_Secure_CA.pem root certificate Sep 11, 2012
src/Sslurp Update pin for Jun 26, 2014
test Update test/coverage-checker Dec 6, 2012
.travis.yml add PHP 5.5, 5.6 to .travis.yml Aug 29, 2014
LICENSE Update LICENSE Jul 25, 2013
Module.php Add Module.php so Sslurp can easily be loaded as a ZF2 module. Sep 11, 2012 update bin tool to be a bit more sensible Oct 31, 2013
autoload_classmap.php Refactor API to prepare for bundle-update feature Sep 17, 2012
autoload_function.php Make autoload_function.php be php-cs-fixer friendly Sep 12, 2012
composer.json Add ext-openssl to composer.json Sep 18, 2012


v1.0 by Evan Coury

Build Status


Dealing with SSL properly in PHP is a pain in the ass and completely insecure by default. Sslurp aims to make it easier to use SSL in PHP safely and securely. Sslurp can be used as a stand-alone library, CLI tool, or a ZF2 module.

Note: Sslurp requires PHP with OpenSSL support. This is standard in most Linux distributions' PHP packages, otherwise you need to compile PHP using --with-openssl[=DIR].

Features / Usage

Root CA bundle management

Sslurp provides CLI and OOP interfaces for generating a trusted root Certificate Authority (CA) bundle using certdata.txt from the source tree of Mozilla's Network Security Services (NSS) libraries and keeping it up-to-date. The resulting root CA bundle includes the certificates vetted according to the Mozilla Root Certificate Program — the same root CA bundle trusted by cURL, Firefox, Chrome, and many other applications, libraries, languages, and operating systems.

Sslurp takes additional steps to protect against MITM attacks while fetching certdata.txt from Mozilla's source tree, ensuring that the generated bundle is truly authentic. When connecting to Mozilla's domain to fetch the updated certdata.txt, Sslurp forces the use of verified SSL. Sslurp uses the following process to establish the initial trust of the SSL certificate on

  • Check the SSL_CERT_FILE environment variable (used by OpenSSL). If the value is the path to a readable file and valid certificate bundle, Sslurp will use it.
  • If the SSL_CERT_FILE is not set or points to a non-existent / invalid certificate bundle, Sslurp will search several known/expected locations for the root CA bundle and use the first valid bundle found.
  • If a valid bundle is not found in any of the expected paths, Sslurp will finally fall back to using a bundled, pre-verified copy of the root CA's public key which established trust for the certificate (Equifax Secure Certificate Authority at least until November 2013).

As if that's not enough, Sslurp additionally makes use of public key pinning to further authenticate the authenticity of communications with Mozilla's domain. If the public key pin for changes before the expiration date of the current certificate, Sslurp will being to throw an exception, and refuse to update the root CA bundle. If the public key pin changes within the final month or after the expiration date of their current certificate (November, 2013), Sslurp will begin throwing a PHP notice encouraging you to update your copy of Sslurp to get the latest pin.

You are STRONGLY ENCOURAGED to be using the latest version of Sslurp at all times.

CLI root CA bundle updater

./bin/update-ca-bundle is a handy command-line tool for fetching, building, and subsequently updating a root CA bundle in PEM format for use with PHP's OpenSSL support, curl, libcurl, php_curl, etc. The output generated is fully compatible with the which is used to generate cURL's trusted bundle.

Sslurp Root CA Bundle Updater

 bin/update-ca-bundle [--stdout]
 bin/update-ca-bundle -o[output_file]

 -o      	Path/filename to the file to (over)write the updated root CA bundle. Defaults to ca-bundle.pem
 --stdout	Do not write file, send output to stdout instead.

Using Sslurp as a library

In addition to the CLI tool, Sslurp can be used as a library through the OOP interface. The source is the API documentation.

require_once 'vendor/Sslurp/autoload_register.php';

$bundle = new \Sslurp\CaRootPemBundle('ca-bundle.pem');

if ($bundle->isLatest()) {
    echo 'Your CA root bundle is up to date!' . PHP_EOL;
} else {
    echo 'WARNING! Your CA root bundle is out of date!' . PHP_EOL
       . 'Local CA root bundle is version ' . $bundle->getVersion() . '. '
       . 'Latest version available from Mozilla is ' . $bundle->getMozillaCertData()->getVersion() . '.' . PHP_EOL;

    echo 'Updating...';
    echo "\tDone!" . PHP_EOL;


Composer / Packagist

./composer.phar require evandotpro/sslurp


The ./bin/update-ca-bundle CLI tool will "just work" out of the box.

Sslurp can easily be used in any existing project, framework, or library.

To use Sslurp as a library in your project, the easiest method is to simply include the autoload_register.php file:

require_once 'vendor/Sslurp/autoload_register.php';

Alternatively, if you project supports loading classmap arrays, you may fetch the classmap without registering an additional SPL autoloader:

$classmap = include 'vendor/Sslurp/autoload_classmap.php';
// Register $classmap with your project's existing classmap autoloader

If you have an existing SPL autoloader that allows adding a callable to a stack instead of directly registering the classmap array, you have the option of simply getting a closure which can autoload the Sslurp classes:

$sslurpLoader = include 'vendor/Sslurp/autoload_function.php';
// $sslurpLoader is a closure that can be registered with an existing autoloader


  • Paranoia level 1000 - Test environment for the ability to call the OpenSSL executable, and if possible, make use of OCSP to further verify the validity of the domain.


Sslurp is released under the BSD license. See the included LICENSE file.

The generated root CA bundle file is simply a converted version of the original and as such, it is licensed under the same licenses as the Mozilla source: MPL v2.0, GPL v2.0 or LGPL 2.1. See nss/COPYING for details.