
Re: Php cURL Security

From: Tom Worster <fsb_at_thefsb.org>
Date: Thu, 18 Nov 2010 09:38:14 -0500

You can get your own digital certificate (not your own SSL) and use it for
client authentication in the cURL transaction. That might be better than
whatever client authentication you are currently using. You probably need
to talk to whoever you are working with at the other end to decide if you
should go this route and if so how. In other words, don't invent your own
security requirements and just assume they are right.

You can generate your own self-signed certificate using your own
certificate authority and share the CA cert with your peers. But if you
need to authenticate yourself to strangers then you need to have your cert
signed by a public CA that can be traced to one of the well known root
CAs. That can cost good money depending which CA you get to sign the cert.

But I recommend learning what all this technology really does rather than
just doing cut and paste from web sites and forums. Years ago I read the
book by Feghhi, Feghhi and Williams and it was very clear but it's
probably out of date now.

OpenSSL is fine not only for now. It's a very widely trusted SSL
implementation.

On 11/17/10 11:56 PM, "Charbel Zeaiter" <czeaiter_at_gmail.com> wrote:

>Thank you so much for your help guys, I am extremely happy with your
>posts, due to the fact I have been looking for a good answer for a while
>now on outside forums.
>
>I went and implemented the host and peer verification options.
>e.g.
>
> $ch = curl_init();
> curl_setopt($ch, CURLOPT_URL, API_ENDPOINT);
> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
> curl_setopt($ch, CURLOPT_CAINFO,
>getcwd().CURL_CERT_FRONTEND_PATH);
> curl_setopt($ch, CURLOPT_HEADER, FALSE);
> curl_setopt($ch, CURLOPT_POST, TRUE);
> curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpStr);
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>
>I also read something about getting my own SSL. Since I am in development
>at the moment I will use openSSL to generate my own cert and use the
>cert and password options in my cURL request. I just want to confirm if
>this is fine/intended advice, to implement
>
>curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling');
>&
>curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate');
>
>using openSSL for now ?
>
>
>Thank you. :)
>
>> Date: Wed, 17 Nov 2010 10:51:21 -0500
>> Subject: Re: Php cURL Security
>> From: fsb_at_thefsb.org
>> To: curl-and-php_at_cool.haxx.se
>>
>> even if ssl/tls is active on both the https client and server, there are
>> still issues with Charbel's code which does not prevent impostors from
>> obtaining the data.
>>
>> to prevent that, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must
>> be TRUE, the server's authentic CA cert must be obtained and
>> CURLOPT_CAINFO must point to it.
>>
>> (i assume also that a sensible value will be given for CURLOPT_URL.)
>>
>>
>>
>> On 11/17/10 10:00 AM, "Deepesh Malviya" <deep0mal_at_gmail.com> wrote:
>>
>> >Hi Charbel,
>> >
>> >When people talk about using https, it is in the following two
>> >ways:
>> >1. The server which is initiating curl should also be on https.
>> >2. The server which you are calling through curl is also https.
>> >
>> >The first very basic step would be to enable ssl on both of these
>> >servers. This you can do by purchasing an ssl certificate from any ssl
>> >provider like verisign etc, or you can generate a self signed
>> >certificate on your server. The former will cost you good money;
>> >however the latter would be kinda free, however you will have to use
>> >the proper functions of curl to work it out as it will throw an error
>> >because it is non standard.
>> >
>> >After, you have installed the certificate, you can call with the same
>> >code which you have written adding two more lines as shown in end
>> >
>> >
>> >$ch = curl_init();
>> >curl_setopt($ch, CURLOPT_URL, "URL");
>> >curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
>> >curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
>> >curl_setopt($ch, CURLOPT_HEADER, false);
>> >curl_setopt($ch, CURLOPT_POST, TRUE);
>> >curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
>> >curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>> >curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling server');
>> >curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate if any');
>> >$result = curl_exec($ch);
>> >
>> >These two lines will prevent others from seeing the data you are
>> >sending.
>> >
>> >Thanks,
>> >
>> >
>> >On Wed, Nov 17, 2010 at 10:50 AM, Charbel Zeaiter
>> ><shadow_meld_at_hotmail.com> wrote:
>> >
>> >Hi
>> >
>> >I need help.
>> >I have been looking all over the Internet and
>> >posting questions in forums, but so far I have just been confused and
>> >lost due to conflicting posts and poor documentation.
>> >
>> >I am using cURL as a php extension in order to post sensitive data to
>> >a server. My question is, how secure is this, can anyone intercept,
>> >read or change the data in transmission?
>> >On some posts people have told me to use https, but I have no idea how
>> >to do this or where to start. I realize I might need to use SSL
>> >certificates but I am unsure of many things,
>> >
>> >is it as simple as posting the data to a HTTPs URL "https://www....",
>> >or using the curl set options:
>> >
>> >curl_setopt - CURLOPT_SSLCERT
>> >OR
>> >curl_setopt - CURLOPT_SSLCERTPASSWD
>> >
>> >?
>> >
>> >so far my request consists of :
>> >
>> >$ch = curl_init();
>> >curl_setopt($ch, CURLOPT_URL, "URL");
>> >curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
>> >curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
>> >curl_setopt($ch, CURLOPT_HEADER, false);
>> >curl_setopt($ch, CURLOPT_POST, TRUE);
>> >curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
>> >curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>> >
>> >
>> >Any advice will be greatly appreciated. Thank you.
>> >
>> >
>> >_______________________________________________
>> >http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>> >
>> >--
>> >_Deepesh
>>
>>
>
>--
>
>Kind Regards.
>Charbel Zeaiter
>M: 0400287429
>E: czeaiter_at_gmail.com

Received on 2010-11-18
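The thread above settles on three things: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must be on, CURLOPT_CAINFO must point at the CA certificate that actually signed the server's certificate, and CURLOPT_SSLCERT / CURLOPT_SSLCERTPASSWD are for authenticating the client to the server, not for hiding the request body. The following PHP is an added example written for this page, not code from any of the posters; the endpoint URL, file paths, constant names and the securePost() function are all assumptions for illustration. It puts those settings together with the error handling the thread's snippets lack, so that a failed certificate check can never be mistaken for a successful request. Note that CURLOPT_SSL_VERIFYHOST takes an integer and the value that checks the certificate name against the host in the URL is 2, which is what Charbel's corrected snippet uses.

```php
<?php
// Added example, not from the thread. All paths and the URL are assumptions.
const API_ENDPOINT     = 'https://api.example.test/submit';      // assumed endpoint
const CA_BUNDLE_PATH   = __DIR__ . '/certs/ca-bundle.pem';       // assumed: CA that signed the server cert
const CLIENT_CERT_PATH = __DIR__ . '/certs/client.pem';          // assumed: optional client certificate
const CLIENT_KEY_PATH  = __DIR__ . '/certs/client-key.pem';      // assumed: its private key

/**
 * POST $fields to $url over HTTPS with peer and host verification against
 * $caBundle. If $clientCert is given, present it for client authentication.
 * Returns the response body; throws on any transport, TLS or HTTP failure.
 */
function securePost(string $url, array $fields, string $caBundle,
                    ?string $clientCert = null, ?string $clientKey = null,
                    ?string $keyPassword = null): string
{
    // A missing CA file would make every handshake fail; catch it early.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => http_build_query($fields),
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HEADER          => false,
        CURLOPT_TIMEOUT         => 30,
        // Refuse plain http://, including after a redirect.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        // Server authentication: verify the chain against our CA bundle and
        // require the certificate name to match the host in the URL.
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => $caBundle,
    ]);

    // Client authentication (optional). This only has an effect when the
    // server is configured to request and validate client certificates.
    if ($clientCert !== null) {
        curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM');
        curl_setopt($ch, CURLOPT_SSLCERT, $clientCert);
        if ($clientKey !== null) {
            curl_setopt($ch, CURLOPT_SSLKEY, $clientKey);
        }
        if ($keyPassword !== null) {
            curl_setopt($ch, CURLOPT_SSLKEYPASSWD, $keyPassword);
        }
    }

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $verify = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT);
    curl_close($ch);

    // A certificate that fails verification surfaces as a non-zero errno
    // and a false body; never fall through to using $body in that case.
    if ($body === false || $errno !== 0) {
        throw new RuntimeException("cURL error $errno: $error (SSL verify result $verify)");
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

try {
    // Constructed sample payload; the key password comes from the environment
    // rather than being hard-coded in the script.
    $response = securePost(
        API_ENDPOINT,
        ['amount' => '10.00', 'ref' => 'INV-1'],
        CA_BUNDLE_PATH,
        CLIENT_CERT_PATH,
        CLIENT_KEY_PATH,
        getenv('CLIENT_KEY_PASSWORD') ?: null
    );
    echo $response;
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    exit(1);
}
```

If the client certificate file already contains its private key, CURLOPT_SSLCERT alone suffices and the passphrase goes in CURLOPT_SSLCERTPASSWD as in the thread; the separate CURLOPT_SSLKEY / CURLOPT_SSLKEYPASSWD pair above is for the more common layout where the key is kept in its own file. Either way the client certificate is an addition to, not a substitute for, the VERIFYPEER / VERIFYHOST / CAINFO trio, which is what stops an impostor server from receiving the data in the first place.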