curl-and-php

Re: Using curl for a sftp connection

From: Benedikt Allkemper <b.allkemper_at_web.de>
Date: Fri, 18 May 2007 18:25:36 +0200

Hello again,

it seems as if there is a lot of confusion on my side regarding the different
options:

I found that my URL really matches the URL of the certificate because I
use my-domain.de.provider.com while the certificate matches on
*.provider.com.
That's why I can connect using the option:
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, 1);

CURLOPT_VERBOSE showed me the following message:
SSL certificate verify result: unable to get local issuer certificate
(20), continuing anyway.

Is this because I do not have a client-side certificate?
I think the connection is safe using the options above. Am I right?

Thanks and Regards
Bene

Benedikt Allkemper schrieb:
> Hello,
>
> Thanks again for your help. I have found an almost perfect solution.
> In the following are my thoughts on the issue. Please correct me if
> there's something not correct.
>
>
>> I can't, not more than to use CURLOPT_VERBOSE.
>>
> Using ftps:// (and therefore, as you said, using an ftps server on port
> 950) CURLOPT_VERBOSE showed that the server refused the connection.
> Using Wireshark to analyse the connection over port 950 in FileZilla showed
> the same result as using ftps:// with curl, so I know that my provider
> does not provide a "real" ftps server.
>
> To establish a connection I had to set additional options:
> curl_setopt($handle, CURLOPT_FTP_SSL, CURLFTPSSL_ALL);
> curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, 1);
> curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, 0);
>
> I suppose that I need the second and third option because the
> certificate does not belong to my domain but to the domain of my provider.
> Connecting via FileZilla also shows a warning message. As far as I know
> this warning does not imply a security problem if you trust the
> institution which is shown in the warning (in my case the domain of my
> provider).
>
> But I suppose such a connection is vulnerable to a
> man-in-the-middle attack because I accept any certificate.
> Am I right? Any suggestion how to fix this problem? Do I have to set the
> option "CURLOPT_CAINFO"? What kind of parameter does this option
> expect, and how can I get this information (from my provider?)?
> Or is there another way to say: connect only if the certificate belongs
> to e.g. provider.net?
>
> Regards
> Bene
>
> Daniel Stenberg schrieb:
>
>> On Thu, 17 May 2007, Benedikt Allkemper wrote:
>>
>>>> the exact error that happens, what libcurl says, what it returns etc
>>>
>>> Can you explain how I can get this information? I use curl in my php
>>> script and php doesn't output any notice, warning or error message.
>>
>> I can't, not more than to use CURLOPT_VERBOSE. Someone should add better
>> tracing abilities to PHP/CURL. I always recommend using the curl command line
>> tool for that reason.
>>
>>>> whether you really want implicit SSL
>>>
>>> It doesn't matter to me as long as the transfer is encrypted (both login
>>> data and application data)
>>
>> Well, it matters to you since the server most likely works with one of the
>> ways and possibly not with the one you pick at random.
>>
>>> Using Wireshark to analyse the traffic, I've found the following:
>>> Using ftp:// shows me a lot of packets using the ftp protocol (download
>>> successful)
>>
>> With ftp-ssl enabled? If so, what's the problem?
>>
>>> Using ftps:// shows me only some tcp packets (no download). It seems as if
>>> there is no real attempt to connect to the ftp server using ftps://.
>>
>> ftps:// connects to an ftps server, not to an ftp one, as you ask for an
>> immediate SSL connection then and ftp servers don't do that.
>>
>> I.e. ftps is usually used to port 990 and it makes use of SSL immediately.
>>
>> ftp:// with ftp-ssl enabled usually connects to port 21 and uses FTP commands
>> to negotiate switching to SSL-use.
>
_______________________________________________
http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
Received on 2007-05-18
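The options discussed in this thread, side by side, as an added example that is not code from the thread or from the curl project: the first configuration is the one the poster ended up with (CURLOPT_SSL_VERIFYPEER off, so "unable to get local issuer certificate (20)" is reported but ignored and any certificate, including an attacker's, is accepted), the second answers the CURLOPT_CAINFO question by pointing libcurl at a PEM file holding the provider's CA and turning chain and host-name checking on. The host, credentials, file path and CA bundle name are placeholders. Two caveats a practitioner would want: CURLOPT_SSL_VERIFYHOST must be 2, since 1 only checked that the certificate carried some common name at all (libcurl 7.28.1 and later reject the value 1 outright), and a wildcard such as *.provider.com covers one label only, so with host checking on, a name like my-domain.de.provider.com will not match it.

```php
<?php
// Added example (not from the thread): FTP over explicit TLS from PHP/libcurl,
// first with the thread's weak settings, then with full verification.
// Host, credentials, remote path and CA bundle path are placeholders.

function ftp_tls_handle(string $url, string $userpwd, bool $verify, ?string $caInfo = null)
{
    $h = curl_init($url);                               // ftp://host/path, control port 21
    curl_setopt($h, CURLOPT_USERPWD, $userpwd);
    // Require TLS on both the control and the data connection. CURLFTPSSL_TRY
    // would silently fall back to cleartext if the server refuses AUTH TLS.
    // (CURLOPT_FTP_SSL is the old name of CURLOPT_USE_SSL.)
    curl_setopt($h, CURLOPT_FTP_SSL, CURLFTPSSL_ALL);
    curl_setopt($h, CURLOPT_FTPSSLAUTH, CURLFTPAUTH_TLS); // send AUTH TLS, not AUTH SSL
    curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
    // The only tracing PHP/CURL offers: libcurl's verbose log on stderr.
    curl_setopt($h, CURLOPT_VERBOSE, true);
    curl_setopt($h, CURLOPT_STDERR, fopen('php://stderr', 'w'));

    if ($verify) {
        // Hardened: the chain must lead to a CA in $caInfo, and the name in the
        // certificate must match the host in the URL (2, never 1).
        curl_setopt($h, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($h, CURLOPT_SSL_VERIFYHOST, 2);
        if ($caInfo !== null) {
            // PEM file containing the provider's issuing CA (assumed path).
            curl_setopt($h, CURLOPT_CAINFO, $caInfo);
        }
    } else {
        // The thread's configuration: verify result 20 is logged and ignored,
        // so a man-in-the-middle with any certificate is accepted.
        curl_setopt($h, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($h, CURLOPT_SSL_VERIFYHOST, 1);
    }
    return $h;
}

function ftp_tls_fetch($h): string
{
    $body = curl_exec($h);
    // OpenSSL X509_V_* code from the last verification; 20 is
    // "unable to get local issuer certificate", 0 is OK.
    $verifyResult = curl_getinfo($h, CURLINFO_SSL_VERIFYRESULT);
    if ($body === false) {
        throw new RuntimeException(sprintf(
            'curl error %d: %s (SSL verify result %d)',
            curl_errno($h), curl_error($h), $verifyResult
        ));
    }
    return $body;
}

// Usage with placeholder values; provider-ca.pem must hold the CA that
// issued the *.provider.com certificate, obtained from the provider.
$h = ftp_tls_handle(
    'ftp://my-domain.de.provider.com/file.txt',
    'user:password',
    true,
    __DIR__ . '/provider-ca.pem'
);
echo ftp_tls_fetch($h);
```

With verification on, a failed chain or host check makes curl_exec() return false and the handler throws, instead of the connection "continuing anyway"; the same options map directly onto the curl command line tool (--ssl-reqd, --cacert, and omitting -k), which is the quicker way to see the verbose output while debugging.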