curl-and-php
Re: Php cURL Security
Date: Thu, 18 Nov 2010 13:47:48 +0530
Yeah, I agree with Tom, that needs to be changed from false to true.
However, if you are setting both CURLOPT_SSL_VERIFYPEER and
CURLOPT_SSL_VERIFYHOST to true, you have to point CURLOPT_CAINFO correctly.
Thanks,
Deepesh
http://voidweb.com
On Wed, Nov 17, 2010 at 9:21 PM, Tom Worster <fsb_at_thefsb.org> wrote:
> even if ssl/tls is active on both the https client and server, there are
> still issues with Charbel's code which does not prevent impostors from
> obtaining the data.
>
> to prevent that, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must be
> TRUE, the server's authentic CA cert must be obtained and CURLOPT_CAINFO
> must point to it.
>
> (i assume also that a sensible value will be given for CURLOPT_URL.)
>
>
>
> On 11/17/10 10:00 AM, "Deepesh Malviya" <deep0mal_at_gmail.com> wrote:
>
> >Hi Charbel,
> >
> >When people are talking about using https, it is in the following two
> >ways:
> >1. The server which is initiating curl should also be on https.
> >2. The server which you are calling through curl is also https.
> >
> >The first very basic step would be to enable ssl on both of these
> >servers. This you can do by purchasing an ssl certificate from any ssl
> >provider like verisign etc., or you can generate self-signed
> >certificates on your server. The former will cost you good money,
> >however the latter would be kinda free; however, you will have to use
> >the proper functions of curl to work it out as it will throw an error
> >because it is non standard.
> >
> >After you have installed the certificate, you can call with the same
> >code which you have written, adding two more lines as shown at the end:
> >
> >
> >$ch = curl_init();
> > curl_setopt($ch, CURLOPT_URL, "URL");
> > curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> > curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> > curl_setopt($ch, CURLOPT_HEADER, false);
> > curl_setopt($ch, CURLOPT_POST, TRUE);
> > curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
> > curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
> > curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling server');
> > curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate if any');
> >$result = curl_exec($ch);
> >
> >These two lines will prevent others from seeing the data you are sending.
> >
> >Thanks,
> >
> >
> >On Wed, Nov 17, 2010 at 10:50 AM, Charbel Zeaiter
> ><shadow_meld_at_hotmail.com> wrote:
> >
> >Hi
> >
> >I need help.
> >I have been looking all over the Internet and
> > posting questions in forums, but so far i have just been confused and
> >lost due to conflicting posts and poor documentation.
> >
> >I am using
> >cURL as a php extension in order to post sensitive data to a server. My
> >question is, how secure is this, can anyone intercept, read or change
> >the data in transmission?
> >On some posts people have told me to use https, but i have no idea how
> >to do this or where to start. I realize i might need to use SSL
> >certificates but i am unsure of many things,
> >
> >is it as simple as posting the data to a HTTPs URL "https://www.....",
> >or using the curl set options:
> >
> >curl_setopt - CURLOPT_SSLCERT
> >OR
> >curl_setopt - CURLOPT_SSLCERTPASSWD
> >
> >?
> >
> >so far my request consists of :
> >
> > $ch = curl_init();
> > curl_setopt($ch, CURLOPT_URL, "URL");
> > curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> > curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> > curl_setopt($ch, CURLOPT_HEADER, false);
> >
> > curl_setopt($ch, CURLOPT_POST, TRUE);
> > curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
> > curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
> >
> >
> >Any advice will be greatly appreciated. thank you.
> >
> >
> >_______________________________________________
> >http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
> >--
> >_Deepesh
-- _Deepesh
Received on 2010-11-18
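
The verification settings discussed in this thread, shown on the original request as an added example that is not part of any poster's message. The function name post_verified, the example.com URL and the CA bundle path are placeholders assumed for illustration; CURLOPT_SSL_VERIFYHOST is given as 2, the value libcurl documents for matching the certificate name against the host.

```php
<?php
// Added example, not code from the thread. post_verified(), the URL and the
// CA bundle path below are illustrative assumptions.
function post_verified(string $url, $fields, string $caFile): string
{
    // Refuse to send sensitive data to anything but an https:// URL.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('URL must use https');
    }
    // Fail early if the CA bundle is missing instead of at handshake time.
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_SSL_VERIFYPEER => true,            // validate the chain against CAINFO
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the host
        CURLOPT_CAINFO         => $caFile,         // the CA cert that signed the server's cert
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_FOLLOWLOCATION => false,           // do not replay the POST to a redirect target
        CURLOPT_HEADER         => false,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $fields,
        CURLOPT_RETURNTRANSFER => true,
    ]);

    $result = curl_exec($ch);
    if ($result === false) {
        // A certificate or hostname mismatch ends up here, before any data is posted.
        throw new RuntimeException('Transfer failed (' . curl_errno($ch) . '): ' . curl_error($ch));
    }
    return $result;
}

// With the placeholder CA path this stops at the readability check and only logs.
try {
    echo post_verified('https://example.com/endpoint', ['field' => 'value'], '/path/to/cacert.pem');
} catch (Exception $e) {
    error_log($e->getMessage());
}
```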