curl-and-php

Re: Php cURL Security

From: Charbel Zeaiter <czeaiter_at_gmail.com>
Date: Sun, 21 Nov 2010 15:47:46 +1100

Hey guys

I have been trying to add a certificate to my cURL request using:

curl_setopt($ch, CURLOPT_SSLCERT, getcwd().CURL_NATIVE_CERT_PATH);
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, NATIVE_CERT_PWD);

in

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, API_ENDPOINT);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd().CURL_API_CERT_FRONTEND_PATH);
curl_setopt($ch, CURLOPT_SSLCERT, getcwd().CURL_NATIVE_CERT_PATH);
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, NATIVE_CERT_PWD);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpStr);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

I have been using OpenSSL to generate a certificate, but when I load it, I
keep getting this error message.
(I have tried to do this using a certificate in PEM and CRT format.)

" unable to set private key file: 'C:\wamp\www/control/master/native.pem'
type PEM "
&
" unable to set private key file: 'C:\wamp\www/control/master/native.crt'
type PEM "

Can anyone please tell me what I am doing wrong, or if I have left anything
out? I have looked at different sites on how to create a self-signed
certificate,
but so far, cURL is giving these error messages, unless there is a special
way to do this,
due to this quote from a previous message which I do not understand.

"however you will have to use the proper functions of curl to work it out as
it will throw error because it is non standard."

Appreciate any aid, thank you

On Thu, Nov 18, 2010 at 7:17 PM, Deepesh Malviya <deep0mal_at_gmail.com> wrote:

> Yeah, I agree with Tom, that needs to be changed from false to true.
> However, if you are making both CURLOPT_SSL_VERIFYPEER and
> CURLOPT_SSL_VERIFYHOST as true, you have to point CURLOPT_CAINFO correctly.
>
> Thanks,
> Deepesh
> http://voidweb.com
>
> On Wed, Nov 17, 2010 at 9:21 PM, Tom Worster <fsb_at_thefsb.org> wrote:
>
>> even if ssl/tls is active on both the https client and server, there are
>> still issues with Charbel's code which does not prevent impostors from
>> obtaining the data.
>>
>> to prevent that, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must be
>> TRUE, the server's authentic CA cert must be obtained and CURLOPT_CAINFO
>> must point to it.
>>
>> (i assume also that a sensible value will be given for CURLOPT_URL.)
>>
>>
>>
>> On 11/17/10 10:00 AM, "Deepesh Malviya" <deep0mal_at_gmail.com> wrote:
>>
>> >Hi Charbel,
>> >
>> >When people are talking about using https, it is in the following two
>> >ways:
>> >1. The server which is initiating curl should also be on https.
>> >2. The server which you are calling through curl is also https.
>> >
>> >The first very basic step would be to enable ssl on both of these
>> >servers. This you can do by purchasing an ssl certificate from any ssl
>> >provider like verisign etc. or you can generate the self-signed
>> >certificates on your server. The former will cost you good money
>> >however the latter would be kinda free, however you will have to use
>> >the proper functions of curl to work it out as it will throw error
>> >because it is non standard.
>> >
>> >After you have installed the certificate, you can call with the same
>> >code which you have written, adding two more lines as shown at the end
>> >
>> >
>> >$ch = curl_init();
>> > curl_setopt($ch, CURLOPT_URL, "URL");
>> > curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
>> > curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
>> > curl_setopt($ch, CURLOPT_HEADER, false);
>> > curl_setopt($ch, CURLOPT_POST, TRUE);
>> > curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
>> > curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>> >curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling server');
>> >curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate if any');
>> >$result = curl_exec($ch);
>> >
>> >These two lines will prevent others from seeing the data you are sending.
>> >
>> >Thanks,
>> >
>> >
>> >On Wed, Nov 17, 2010 at 10:50 AM, Charbel Zeaiter <shadow_meld_at_hotmail.com> wrote:
>> >
>> >Hi
>> >
>> >I need help.
>> >I have been looking all over the Internet and
>> > posting questions in forums, but so far I have just been confused and
>> >lost due to conflicting posts and poor documentation.
>> >
>> >I am using
>> >cURL as a php extension in order to post sensitive data to a server. My
>> >question is, how secure is this, can anyone intercept, read or change
>> >the data in transmission?
>> >On some posts people have told me to use https, but I have no idea how
>> >to do this or where to start. I realize I might need to use SSL
>> >certificates but I am unsure of many things,
>> >
>> >is it as simple as posting the data to a HTTPs URL "https://www.....",
>> >or using the curl set options:
>> >
>> >curl_setopt - CURLOPT_SSLCERT
>> >OR
>> >curl_setopt - CURLOPT_SSLCERTPASSWD
>> >
>> >?
>> >
>> >so far my request consists of :
>> >
>> > $ch = curl_init();
>> > curl_setopt($ch, CURLOPT_URL, "URL");
>> > curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
>> > curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
>> > curl_setopt($ch, CURLOPT_HEADER, false);
>> >
>> > curl_setopt($ch, CURLOPT_POST, TRUE);
>> > curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
>> > curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>> >
>> >
>> >Any advice will be greatly appreciated. Thank you.
>> >
>> >
>> >_______________________________________________
>> >http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>> >
>> >--
>> >_Deepesh
>
> --
> _Deepesh

-- 
Kind Regards.
Charbel Zeaiter
M: 0400287429
E: czeaiter_at_gmail.com

Received on 2010-11-21
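
Added example, not part of the original thread: libcurl reports "unable to set private key file" when it cannot load a usable private key for the client certificate, which commonly happens when the file passed to CURLOPT_SSLCERT holds only the certificate or the passphrase does not match. The sketch below checks the certificate/key pair with PHP's OpenSSL functions before the request and keeps server verification on; all paths, the passphrase and the function names are assumptions.

```php
<?php
// Added example; the paths and passphrase below are placeholders (assumptions).
const CA_BUNDLE   = __DIR__ . '/certs/server-ca.pem';   // CA that signed the server's certificate
const CLIENT_CERT = __DIR__ . '/certs/client-cert.pem'; // client certificate
const CLIENT_KEY  = __DIR__ . '/certs/client-key.pem';  // matching private key
const CLIENT_KEY_PASSWORD = 'placeholder-passphrase';

/** Return a list of problems with the client certificate/key pair; empty if usable. */
function checkClientCredentials(string $certFile, string $keyFile, string $password): array
{
    $problems = [];
    $certPem = is_readable($certFile) ? file_get_contents($certFile) : false;
    $keyPem  = is_readable($keyFile)  ? file_get_contents($keyFile)  : false;
    if ($certPem === false) { $problems[] = "cannot read certificate: $certFile"; }
    if ($keyPem === false)  { $problems[] = "cannot read private key: $keyFile"; }
    if ($problems) { return $problems; }

    // Fails when the file holds no private key or the passphrase is wrong.
    $key = openssl_pkey_get_private($keyPem, $password);
    if ($key === false) {
        return ['no private key could be loaded (missing key or wrong passphrase)'];
    }
    if (!openssl_x509_check_private_key($certPem, $key)) {
        $problems[] = 'private key does not belong to this certificate';
    }
    return $problems;
}

function postWithClientCert(string $url, string $body): string
{
    $problems = checkClientCredentials(CLIENT_CERT, CLIENT_KEY, CLIENT_KEY_PASSWORD);
    if ($problems) { throw new RuntimeException(implode('; ', $problems)); }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_SSL_VERIFYPEER => true,      // reject server certs not signed by CA_BUNDLE
        CURLOPT_SSL_VERIFYHOST => 2,         // server cert must name the host in the URL
        CURLOPT_CAINFO         => CA_BUNDLE,
        CURLOPT_SSLCERT        => CLIENT_CERT,
        CURLOPT_SSLKEY         => CLIENT_KEY,
        CURLOPT_KEYPASSWD      => CLIENT_KEY_PASSWORD,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $result = curl_exec($ch);
    if ($result === false) { throw new RuntimeException(curl_error($ch)); }
    return $result;
}
```

CURLOPT_CAINFO is what lets the client verify the server; CURLOPT_SSLCERT and CURLOPT_SSLKEY identify the client to the server and are only needed when the server requests a client certificate.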