curl-and-php
Re: Php cURL Security
Date: Wed, 17 Nov 2010 10:51:21 -0500
even if ssl/tls is active on both the https client and server, there are
still issues with Charbel's code which does not prevent impostors from
obtaining the data.
to prevent that, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must be
TRUE, the server's authentic CA cert must be obtained and CURLOPT_CAINFO
must point to it.
(i assume also that a sensible value will be given for CURLOPT_URL.)
On 11/17/10 10:00 AM, "Deepesh Malviya" <deep0mal_at_gmail.com> wrote:
>Hi Charbel,
>
>When people are talking about using https, it is in the following two
>ways:
>1. The server which is initiating curl should also be on https.
>2. The server which you are calling through curl is also https
>
>The first very basic step would be to enable ssl on both of these
>servers. This you can do by purchasing an ssl certificate from any ssl
>providers like verisign etc or you can generate the self signed
>certificates on your server. The former will cost you good money
>however the latter would be kinda free, however you will have to use
>the proper functions of curl to work it out as it will throw an error
>because it is non standard.
>
>After you have installed the certificate, you can call with the same
>code which you have written, adding two more lines as shown at the end
>
>
>$ch = curl_init();
> curl_setopt($ch, CURLOPT_URL, "URL");
> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> curl_setopt($ch, CURLOPT_HEADER, false);
> curl_setopt($ch, CURLOPT_POST, TRUE);
> curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling server');
>curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate if any');
>$result = curl_exec($ch);
>
>These two lines will prevent others from seeing the data you are sending.
>
>Thanks,
>
>
>On Wed, Nov 17, 2010 at 10:50 AM, Charbel Zeaiter
><shadow_meld_at_hotmail.com> wrote:
>
>Hi
>
>I need help.
>I have been looking all over the Internet and
>posting questions in forums, but so far I have just been confused and
>lost due to conflicting posts and poor documentation.
>
>I am using cURL as a php extension in order to post sensitive data to a
>server. My question is, how secure is this, can anyone intercept, read or
>change the data in transmission?
>On some posts people have told me to use https, but I have no idea how
>to do this or where to start. I realize I might need to use SSL
>certificates but I am unsure of many things,
>
>is it as simple as posting the data to a HTTPS URL "https://www.....",
>or using the curl set options:
>
>curl_setopt - CURLOPT_SSLCERT
>OR
>curl_setopt - CURLOPT_SSLCERTPASSWD
>
>?
>
>so far my request consists of :
>
> $ch = curl_init();
> curl_setopt($ch, CURLOPT_URL, "URL");
> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> curl_setopt($ch, CURLOPT_HEADER, false);
>
> curl_setopt($ch, CURLOPT_POST, TRUE);
> curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>
>
>Any advice will be greatly appreciated. Thank you.
>
>
>_______________________________________________
>http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>
>--
>_Deepesh
Received on 2010-11-17
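
The settings the top reply calls for (peer and host verification on, CURLOPT_CAINFO pointing at the server's CA cert, an https CURLOPT_URL), applied to the request from the thread as an added example that is not code from any of the posters. The function name `post_verified`, the URL, the CA path and the POST body are assumptions; CURLOPT_SSL_VERIFYHOST is set to 2, the libcurl value that checks the certificate name against the host.

```php
<?php
// Added example, not code from the thread. The URL, CA file path and
// POST body used at the bottom are constructed placeholders.

function post_verified(string $url, string $body, string $caFile): string
{
    // "A sensible value for CURLOPT_URL": refuse anything that is not https.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('URL must use https');
    }
    // Fail before connecting if the CA certificate cannot be read.
    if (!is_readable($caFile)) {
        throw new InvalidArgumentException("CA file not readable: $caFile");
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to http
        CURLOPT_FOLLOWLOCATION => false,           // do not re-POST to a redirect target
        CURLOPT_SSL_VERIFYPEER => true,            // certificate must chain to $caFile
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the host
        CURLOPT_CAINFO         => $caFile,         // the server's authentic CA cert
        CURLOPT_HEADER         => false,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
    ]);

    $result = curl_exec($ch);
    if ($result === false) {
        // A verification failure lands here: the TLS handshake is aborted
        // before the POST body is sent.
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $result;
}

try {
    // Placeholder endpoint and CA path; replace with your own.
    echo post_verified('https://api.example.com/submit', 'field=value',
                       '/etc/ssl/certs/server-ca.pem');
} catch (Exception $e) {
    error_log('POST not sent or peer not trusted: ' . $e->getMessage());
}
```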