
curl-and-php

RE: Php cURL Security

From: Charbel Zeaiter <czeaiter_at_gmail.com>
Date: Thu, 18 Nov 2010 15:56:47 +1100

Thank you so much for your help guys, I am extremely happy with your posts,
due to the fact I have been looking for a good answer for a while now on
outside forums.

I went and implemented the host and peer verification options.
e.g.

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, API_ENDPOINT);
        // Verify the server's certificate chain against the CA bundle given below
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
        // 2 = also require the certificate's name to match the host in the URL
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($ch, CURLOPT_CAINFO, getcwd().CURL_CERT_FRONTEND_PATH);
        curl_setopt($ch, CURLOPT_HEADER, FALSE);
        curl_setopt($ch, CURLOPT_POST, TRUE);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpStr);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

I also read something about getting my own SSL; since I am in development at
the moment I will use OpenSSL to generate my own cert and use the
cert and password options in my cURL request. I just want to confirm: is this
fine/intended advice, to implement

curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling');
&
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate');

using OpenSSL for now?

Thank you. :)

> Date: Wed, 17 Nov 2010 10:51:21 -0500
> Subject: Re: Php cURL Security
> From: fsb_at_thefsb.org
> To: curl-and-php_at_cool.haxx.se
>
> even if ssl/tls is active on both the https client and server, there are
> still issues with Charbel's code which does not prevent impostors from
> obtaining the data.
>
> to prevent that, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must be
> TRUE, the server's authentic CA cert must be obtained and CURLOPT_CAINFO
> must point to it.
>
> (i assume also that a sensible value will be given for CURLOPT_URL.)
>
>
>
> On 11/17/10 10:00 AM, "Deepesh Malviya" <deep0mal_at_gmail.com> wrote:
>
> >Hi Charbel,
> >
> >When people talk about using https, it is in the following two
> >ways:
> >1. The server which is initiating curl should also be on https.
> >2. The server which you are calling through curl is also https.
> >
> >The first very basic step would be to enable ssl on both of these
> >servers. This you can do by purchasing an ssl certificate from any ssl
> >provider like verisign etc., or you can generate self signed
> >certificates on your server. The former will cost you good money;
> >the latter would be kinda free, however you will have to use
> >the proper functions of curl to work it out as it will throw an error
> >because it is non standard.
> >
> >After you have installed the certificate, you can call with the same
> >code which you have written, adding two more lines as shown at the end
> >
> >
> >$ch = curl_init();
> >curl_setopt($ch, CURLOPT_URL, "URL");
> >curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> >curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> >curl_setopt($ch, CURLOPT_HEADER, false);
> >curl_setopt($ch, CURLOPT_POST, TRUE);
> >curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
> >curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
> >curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling server');
> >curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate if any');
> >$result = curl_exec($ch);
> >
> >These two lines will prevent others from seeing the data you are sending.
> >
> >Thanks,
> >
> >
> >On Wed, Nov 17, 2010 at 10:50 AM, Charbel Zeaiter
> ><shadow_meld_at_hotmail.com> wrote:
> >
> >Hi
> >
> >I need help.
> >I have been looking all over the Internet and
> >posting questions in forums, but so far I have just been confused and
> >lost due to conflicting posts and poor documentation.
> >
> >I am using
> >cURL as a php extension in order to post sensitive data to a server. My
> >question is, how secure is this? Can anyone intercept, read or change
> >the data in transmission?
> >On some posts people have told me to use https, but I have no idea how
> >to do this or where to start. I realize I might need to use SSL
> >certificates but I am unsure of many things.
> >
> >Is it as simple as posting the data to a HTTPS URL "https://www....",
> >or using the curl set options:
> >
> >curl_setopt - CURLOPT_SSLCERT
> >OR
> >curl_setopt - CURLOPT_SSLCERTPASSWD
> >
> >?
> >
> >so far my request consists of :
> >
> >$ch = curl_init();
> >curl_setopt($ch, CURLOPT_URL, "URL");
> >curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> >curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> >curl_setopt($ch, CURLOPT_HEADER, false);
> >curl_setopt($ch, CURLOPT_POST, TRUE);
> >curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
> >curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
> >
> >
> >Any advice will be greatly appreciated. Thank you.
> >
> >
> >
> >--
> >_Deepesh

-- 
Kind Regards.
Charbel Zeaiter
M: 0400287429
E: czeaiter_at_gmail.com
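Added example, not code from the thread: the server-verifying configuration fsb describes (VERIFYPEER on, VERIFYHOST 2, CAINFO pointing at the CA bundle) wrapped in a function that fails closed on any transport or verification error. The CURLOPT_SSLCERT / CURLOPT_SSLCERTPASSWD options are optional parameters here because they present the caller's own certificate to the server (client authentication) and do nothing to verify the server; the function name, $apiEndpoint, $caBundlePath and $fields are assumptions.

```php
<?php
// Added example, not from the thread. All placeholder values are assumptions.
function securePost(string $apiEndpoint, string $caBundlePath, array $fields,
                    ?string $clientCert = null, ?string $clientCertPass = null): string
{
    if (!is_readable($caBundlePath)) {
        // Fail before the request: a missing bundle must not silently disable checks.
        throw new RuntimeException("CA bundle not readable: $caBundlePath");
    }
    $ch = curl_init();
    $opts = [
        CURLOPT_URL            => $apiEndpoint,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // refuse plain http outright
        CURLOPT_FOLLOWLOCATION => false,             // no redirects that could leave https
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_TIMEOUT        => 30,
        // Server authentication, as in fsb's reply: check the chain against our
        // CA bundle and require the certificate name to match the URL's host.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_CAINFO         => $caBundlePath,
        CURLOPT_SSL_VERIFYHOST => 2,   // 2, not TRUE: TRUE would be passed as 1
    ];
    if ($clientCert !== null) {
        // Client authentication only: these present OUR certificate to the server
        // (mutual TLS) and do nothing to verify the server we are talking to.
        $opts[CURLOPT_SSLCERT] = $clientCert;
        if ($clientCertPass !== null) {
            $opts[CURLOPT_SSLCERTPASSWD] = $clientCertPass;
        }
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        // Peer/host verification failures land here; never fall back to http.
        $msg = sprintf("request failed (curl error %d): %s", curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException("unexpected HTTP status $status");
    }
    return $body;
}
```

A quick way to confirm the check is active is to point $caBundlePath at a bundle that does not contain the server's CA: the call must throw rather than return a body.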

_______________________________________________
http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
Received on 2010-11-18