cURL / Mailing Lists / curl-and-php / Single Mail

curl-and-php

Re: Php cURL Security

From: Tom Worster <fsb_at_thefsb.org>
Date: Sun, 21 Nov 2010 09:54:37 -0500

i've never done it so i don't know. but in your position i'd probably try
to do in php the equivalent of this:
http://curl.haxx.se/libcurl/c/simplessl.html

On 11/20/10 11:47 PM, "Charbel Zeaiter" <czeaiter_at_gmail.com> wrote:

>Hey guys
>
>I have been trying to add a certificate to my cURL request using :
>
>curl_setopt($ch, CURLOPT_SSLCERT, getcwd().CURL_NATIVE_CERT_PATH);
>curl_setopt($ch, CURLOPT_SSLCERTPASSWD, NATIVE_CERT_PWD);
>
>in
>
>$ch = curl_init();
> curl_setopt($ch, CURLOPT_URL, API_ENDPOINT);
> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
> curl_setopt($ch, CURLOPT_CAINFO,
>getcwd().CURL_API_CERT_FRONTEND_PATH);
> curl_setopt($ch, CURLOPT_SSLCERT, getcwd().CURL_NATIVE_CERT_PATH);
> curl_setopt($ch, CURLOPT_SSLCERTPASSWD, NATIVE_CERT_PWD);
> curl_setopt($ch, CURLOPT_HEADER, FALSE);
> curl_setopt($ch, CURLOPT_POST, TRUE);
> curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpStr);
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>
>
>I have been using OpenSSL to generate a certificate, but when I load it ,
>I keep getting this error message.
>(I have tried to do this using a certificate in PEM and CRT format.)
>
>" unable to set private key file: 'C:\wamp\www/control/master/native.pem'
>type PEM "
>&
>" unable to set private key file: 'C:\wamp\www/control/master/native.crt'
>type PEM "
>
>Can anyone please tell me what i am doing wrong, or if i have left
>anything out ? I have looked at different sites on how to create a self
>signed certificate,
>but so far, cURL is giving these error messages, unless there is a
>special way to do this ,
>due to this quote from a previous message which i do not understand.
>
>"however you will have to use the proper functions of curl to work it out
>as it will throw error because it is non standard."
>
>
>Appreciate any aid, thank you
>
>
>On Thu, Nov 18, 2010 at 7:17 PM, Deepesh Malviya <deep0mal_at_gmail.com>
>wrote:
>
>Yeah, I agree with Tom, that needs to be changed from farse to true.
>However, if you are making both CURLOPT_SSL_VERIFYPEER and
>CURLOPT_SSL_VERIFYHOST as true. you have to point CURLOPT_CAINFO
>correctly.
>
>Thanks,
>
>Deepesh
>http://voidweb.com
>
>On Wed, Nov 17, 2010 at 9:21 PM, Tom Worster <fsb_at_thefsb.org> wrote:
>
>
>even if ssl/tls is active on both the https client and server, there are
>
>still issues with Charbel's code which does not prevent impostors from
>obtaining the data.
>
>to prevent that, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must be
>TRUE, the server's authentic CA cert must be obtained and CURLOPT_CAINFO
>must point to it.
>
>(i assume also that a sensible value will be given for CURLOPT_URL.)
>
>
>
>
>On 11/17/10 10:00 AM, "Deepesh Malviya" <deep0mal_at_gmail.com> wrote:
>
>
>>Hi Charbel,
>>
>>When the peoples are talking about using https, it is in following two
>>ways
>>1. The server which is initiating curl should also be on https.
>>2. The server which you are calling through curl is also https
>>
>>The first very basic step would be enable ssl on both of these
>>servers. This you can do by purchasing ssl certificate from any ssl
>>providers like verisign etc or you can generate the self signed
>>certificates on your server. The former will cost you a good money
>>however the latter would be kinda free, however you will have to use
>>the proper functions of curl to work it out as it will throw error
>>because it is non standard.
>>
>>After, you have installed the certificate, you can call with the same
>>code which you have written adding two more lines as shown in end
>>
>>
>
>>$ch = curl_init();
>> curl_setopt($ch, CURLOPT_URL, "URL");
>> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
>> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
>> curl_setopt($ch, CURLOPT_HEADER, false);
>> curl_setopt($ch, CURLOPT_POST, TRUE);
>> curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
>> curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>
>>curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling
>>server');
>>curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate
>>if any');
>>$result = curl_exec($ch);
>>
>>These two lines will prevent the others to see the data you are sending.
>>
>>Thanks,
>>
>>
>
>>On Wed, Nov 17, 2010 at 10:50 AM, Charbel Zeaiter
>><shadow_meld_at_hotmail.com> wrote:
>>
>>Hi
>>
>>I need help.
>>I have been looking all over the Internet and
>> posting questions in forums, but so far i have just been confused and
>>lost due to conflicting posts and poor documentation.
>>
>>I am using
>>cURL as a php extension in order to post sensitive data to a server. My
>>question is, how secure is this, can anyone intercept, read or change
>>the data in transmission?
>>On some posts people have told me to use https, but i have no idea how
>>to do this or where to start. I realize i might need to use SSL
>>certificates but i am unsure of many things,
>>
>>is it as simple as posting the data to a HTTPs URL "https://www.
>><https://www./>....", or using the curl set options:
>>
>>curl_setopt - CURLOPT_SSLCERT
>>OR
>>curl_setopt - CURLOPT_SSLCERTPASSWD
>>
>>?
>>
>>so far my request consists of :
>>
>> $ch = curl_init();
>> curl_setopt($ch, CURLOPT_URL, "URL");
>> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
>> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
>> curl_setopt($ch, CURLOPT_HEADER, false);
>>
>> curl_setopt($ch, CURLOPT_POST, TRUE);
>> curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
>> curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
>>
>>
>>Any advice will be greatly appreciated . thank you .
>>
>>
>>_______________________________________________
>>http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>>
>>
>>
>>
>>
>>
>>
>
>
>>--
>>_Deepesh
>>_______________________________________________
>>http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>
>
>_______________________________________________
>http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>
>
>
>
>
>
>
>
>
>--
>_Deepesh
>
>_______________________________________________
>http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>
>
>
>
>
>
>
>--
>
>Kind Regards.
>Charbel Zeaiter
>M: 0400287429
>E: czeaiter_at_gmail.com
>_______________________________________________
>http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php

_______________________________________________
http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
Received on 2010-11-21

This message: [ Message body ]
Next message: Charbel Zeaiter: "Re: Php cURL Security"
Previous message: Charbel Zeaiter: "Re: Php cURL Security"
In reply to: Charbel Zeaiter: "Re: Php cURL Security"
Next in thread: Charbel Zeaiter: "Re: Php cURL Security"
Reply: Charbel Zeaiter: "Re: Php cURL Security"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]