cURL / Mailing Lists / curl-and-php / Single Mail

curl-and-php

Re: Php cURL Security

From: Charbel Zeaiter <czeaiter_at_gmail.com>
Date: Mon, 22 Nov 2010 16:11:34 +1100

Many thanks :)

I added two extra options of :

curl_setopt($ch, CURLOPT_SSLKEY, getcwd()."privateKey.pem");
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, getcwd()."XXXXXX");

and it worked. I just needed to specify the private key for my certificate.

On Mon, Nov 22, 2010 at 1:54 AM, Tom Worster <fsb_at_thefsb.org> wrote:

> i've never done it so i don't know. but in your position i'd probably try
> to do in php the equivalent of this:
> http://curl.haxx.se/libcurl/c/simplessl.html
>
>
> On 11/20/10 11:47 PM, "Charbel Zeaiter" <czeaiter_at_gmail.com> wrote:
>
> >Hey guys
> >
> >I have been trying to add a certificate to my cURL request using :
> >
> >curl_setopt($ch, CURLOPT_SSLCERT, getcwd().CURL_NATIVE_CERT_PATH);
> >curl_setopt($ch, CURLOPT_SSLCERTPASSWD, NATIVE_CERT_PWD);
> >
> >in
> >
> >$ch = curl_init();
> > curl_setopt($ch, CURLOPT_URL, API_ENDPOINT);
> > curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
> > curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
> > curl_setopt($ch, CURLOPT_CAINFO,
> >getcwd().CURL_API_CERT_FRONTEND_PATH);
> > curl_setopt($ch, CURLOPT_SSLCERT, getcwd().CURL_NATIVE_CERT_PATH);
> > curl_setopt($ch, CURLOPT_SSLCERTPASSWD, NATIVE_CERT_PWD);
> > curl_setopt($ch, CURLOPT_HEADER, FALSE);
> > curl_setopt($ch, CURLOPT_POST, TRUE);
> > curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpStr);
> > curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
> >
> >
> >I have been using OpenSSL to generate a certificate, but when I load it ,
> >I keep getting this error message.
> >(I have tried to do this using a certificate in PEM and CRT format.)
> >
> >" unable to set private key file: 'C:\wamp\www/control/master/native.pem'
> >type PEM "
> >&
> >" unable to set private key file: 'C:\wamp\www/control/master/native.crt'
> >type PEM "
> >
> >Can anyone please tell me what i am doing wrong, or if i have left
> >anything out ? I have looked at different sites on how to create a self
> >signed certificate,
> >but so far, cURL is giving these error messages, unless there is a
> >special way to do this ,
> >due to this quote from a previous message which i do not understand.
> >
> >"however you will have to use the proper functions of curl to work it out
> >as it will throw error because it is non standard."
> >
> >
> >Appreciate any aid, thank you
> >
> >
> >On Thu, Nov 18, 2010 at 7:17 PM, Deepesh Malviya <deep0mal_at_gmail.com>
> >wrote:
> >
> >Yeah, I agree with Tom, that needs to be changed from farse to true.
> >However, if you are making both CURLOPT_SSL_VERIFYPEER and
> >CURLOPT_SSL_VERIFYHOST as true. you have to point CURLOPT_CAINFO
> >correctly.
> >
> >Thanks,
> >
> >Deepesh
> >http://voidweb.com
> >
> >On Wed, Nov 17, 2010 at 9:21 PM, Tom Worster <fsb_at_thefsb.org> wrote:
> >
> >
> >even if ssl/tls is active on both the https client and server, there are
> >
> >still issues with Charbel's code which does not prevent impostors from
> >obtaining the data.
> >
> >to prevent that, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST must be
> >TRUE, the server's authentic CA cert must be obtained and CURLOPT_CAINFO
> >must point to it.
> >
> >(i assume also that a sensible value will be given for CURLOPT_URL.)
> >
> >
> >
> >
> >On 11/17/10 10:00 AM, "Deepesh Malviya" <deep0mal_at_gmail.com> wrote:
> >
> >
> >>Hi Charbel,
> >>
> >>When the peoples are talking about using https, it is in following two
> >>ways
> >>1. The server which is initiating curl should also be on https.
> >>2. The server which you are calling through curl is also https
> >>
> >>The first very basic step would be enable ssl on both of these
> >>servers. This you can do by purchasing ssl certificate from any ssl
> >>providers like verisign etc or you can generate the self signed
> >>certificates on your server. The former will cost you a good money
> >>however the latter would be kinda free, however you will have to use
> >>the proper functions of curl to work it out as it will throw error
> >>because it is non standard.
> >>
> >>After, you have installed the certificate, you can call with the same
> >>code which you have written adding two more lines as shown in end
> >>
> >>
> >
> >>$ch = curl_init();
> >> curl_setopt($ch, CURLOPT_URL, "URL");
> >> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> >> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> >> curl_setopt($ch, CURLOPT_HEADER, false);
> >> curl_setopt($ch, CURLOPT_POST, TRUE);
> >> curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
> >> curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
> >
> >>curl_setopt($ch, CURLOPT_SSLCERT, 'path to the certificate on the calling
> >>server');
> >>curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password of the ssl certificate
> >>if any');
> >>$result = curl_exec($ch);
> >>
> >>These two lines will prevent the others to see the data you are sending.
> >>
> >>Thanks,
> >>
> >>
> >
> >>On Wed, Nov 17, 2010 at 10:50 AM, Charbel Zeaiter
> >><shadow_meld_at_hotmail.com> wrote:
> >>
> >>Hi
> >>
> >>I need help.
> >>I have been looking all over the Internet and
> >> posting questions in forums, but so far i have just been confused and
> >>lost due to conflicting posts and poor documentation.
> >>
> >>I am using
> >>cURL as a php extension in order to post sensitive data to a server. My
> >>question is, how secure is this, can anyone intercept, read or change
> >>the data in transmission?
> >>On some posts people have told me to use https, but i have no idea how
> >>to do this or where to start. I realize i might need to use SSL
> >>certificates but i am unsure of many things,
> >>
> >>is it as simple as posting the data to a HTTPs URL "https://www.
> >><https://www./>....", or using the curl set options:
> >>
> >>curl_setopt - CURLOPT_SSLCERT
> >>OR
> >>curl_setopt - CURLOPT_SSLCERTPASSWD
> >>
> >>?
> >>
> >>so far my request consists of :
> >>
> >> $ch = curl_init();
> >> curl_setopt($ch, CURLOPT_URL, "URL");
> >> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> >> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> >> curl_setopt($ch, CURLOPT_HEADER, false);
> >>
> >> curl_setopt($ch, CURLOPT_POST, TRUE);
> >> curl_setopt($ch, CURLOPT_POSTFIELDS, $String);
> >> curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
> >>
> >>
> >>Any advice will be greatly appreciated . thank you .
> >>
> >>
> >>_______________________________________________
> >>http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >>--
> >>_Deepesh
> >>_______________________________________________
> >>http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
> >
> >
> >_______________________________________________
> >http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >--
> >_Deepesh
> >
> >_______________________________________________
> >http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
> >
> >
> >
> >
> >
> >
> >
> >--
> >
> >Kind Regards.
> >Charbel Zeaiter
> >M: 0400287429
> >E: czeaiter_at_gmail.com
> >_______________________________________________
> >http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>
>
> _______________________________________________
> http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
>

-- 
Kind Regards.
Charbel Zeaiter
M: 0400287429
E: czeaiter_at_gmail.com

_______________________________________________
http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
Received on 2010-11-22

This message: [ Message body ]
Previous message: Tom Worster: "Re: Php cURL Security"
In reply to: Tom Worster: "Re: Php cURL Security"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]