PHP cURL: SSL
UniServer 5-Nano PHP cURL.
https - SSL
The following provides a quick introduction to using cURL with SSL and how to create an SSL authentication test server with UniServer.
SSL Test Server
Before running any tests we need an SSL test server. Uniform Server ships with SSL disabled; enabling it forces you to generate a certificate and key pair that is unique to your server.
- Click tray icon 3 > Advanced > Click Server certificate and Key Generator
- Press enter at all prompts (uses default values)
- Restart the server (if you have been following the tutorial you are challenged for a name and password; enter root root)
- Click View Secure Page or type https://localhost:446/ into browser
- Create a security exception (the certificate is self-signed hence browsers will whinge)
Note: The server does not use the standard SSL port (443); it uses port 446, so this must be included in the URL. You can check which ports are in use by running Server Status from UniTray.
SSL - remote_page.php
Copy the file C:\curl_2\UniServer\www\remote_page.php to the folder C:\curl_2\UniServer\ssl
Edit the copied file and add something like SSL or any other text; this is used only to distinguish the page, for example:
<?php
// Gets the IP address of the client making the request
$ip = getenv("REMOTE_ADDR");
echo "SSL Your IP is " . $ip;
?>
That completes setting up a SSL test server.
Background
There are two curl constants that are important to SSL:
- CURLOPT_SSL_VERIFYHOST checks that the certificate's Common Name matches the hostname
- CURLOPT_SSL_VERIFYPEER checks that the certificate is valid against a CA
When you connect to a secure server it presents a certificate signed by a CA. With CURLOPT_SSL_VERIFYHOST enabled (the default) Curl verifies that the certificate's Common Name matches that of the host; if it does not match, the connection fails.
With CURLOPT_SSL_VERIFYPEER enabled (the default) the certificate itself is verified against a set of CA certificates bundled with Curl; the connection fails if Curl cannot match it against a CA.
The CA may be missing from the bundle; in that case add it to your system and point Curl at it using CURLOPT_CAINFO or CURLOPT_CAPATH.
Note 1:
PHP does not include the bundled CAs; you have to download curl-ca-bundle.crt from the Curl website.
If this file is placed in the folder C:\curl_1\UniServer\usr\local\php
you need to tell Curl where to find it by adding the following option:
curl_setopt($ch, CURLOPT_CAINFO, 'C:\curl_1\UniServer\usr\local\php\curl-ca-bundle.crt');
Note 2:
As mentioned above, Curl will fail if the CA bundle cannot be found, hence the tutorial disables CURLOPT_SSL_VERIFYPEER as follows:
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Example 7 - Download and display page
Create a new text file in the folder C:\curl_1\UniServer\www, name it test7.php and add the following content
Security issue: communication between our two servers, curl_1 and curl_2, is over an encrypted link, but the connection between the browser and server curl_1 is not.
The page is served unencrypted, so any sensitive information may be intercepted. The solution is to save the page to a variable and strip any sensitive data before serving it; see the next example.
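The following is an added example for Example 7 and the Background notes above; it is not the tutorial's own test7.php. It fetches the SSL test page and sends it straight to the browser, but keeps both verification checks on instead of disabling CURLOPT_SSL_VERIFYPEER: for the self-signed test server the server's own certificate, exported as a PEM file, serves as the "CA" file (the path in $caFile is a placeholder), and for public sites you would point it at curl-ca-bundle.crt. Disabling CURLOPT_SSL_VERIFYPEER makes the encrypted link accept any certificate, so an intermediary could impersonate curl_2; keeping it enabled with the right CA file is the check a practitioner wants.

```php
<?php
// Added example (not the tutorial's test7.php): download the SSL test page and
// write it directly to the browser with certificate verification left enabled.
//
// Assumptions (adjust for your set-up):
//  - the curl_2 test server listens on https://localhost:446/
//  - $caFile is a PEM file holding the CA to trust: the exported self-signed
//    test certificate here (placeholder path), or curl-ca-bundle.crt for
//    certificates issued by a public CA.
$url    = 'https://localhost:446/remote_page.php';
$caFile = 'C:\path\to\exported-test-cert.pem';   // placeholder, not a tutorial path

$ch = curl_init($url);

// Keep both checks on: the peer certificate must validate against $caFile and
// its Common Name must match the host in the URL ("localhost").
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // 2 = verify the hostname against the certificate
curl_setopt($ch, CURLOPT_CAINFO, $caFile);

// Without CURLOPT_RETURNTRANSFER, curl_exec() sends the body straight to output.
$ok = curl_exec($ch);
if ($ok === false) {
    // Typical failures: "SSL certificate problem" (CA mismatch) or
    // "subject name does not match" (Common Name mismatch). Report the error
    // rather than switching verification off.
    echo 'cURL error (' . curl_errno($ch) . '): ' . htmlspecialchars(curl_error($ch));
}
curl_close($ch);
?>
```

If the request fails with a certificate error, the fix is to correct $caFile (or the hostname in the URL so that it matches the certificate's Common Name), not to set CURLOPT_SSL_VERIFYPEER to false.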
Example 8 - Download and save page to a variable
The above example is of little use to us because the downloaded page is immediately served to the user.
We want to capture the page in a variable so we can manipulate it before serving it to the user.
Create a new text file in the folder C:\curl_1\UniServer\www, name it test8.php and add the following content
Authentication SSL Test Server
Our test server curl_2 is easily converted into an SSL authentication server; you don't even have to restart it.
Edit file C:\curl_2\UniServer\ssl\.htaccess
Change these four lines:
#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile C:/curl_2/UniServer/htpasswd/ssl/.htpasswd
#Require valid-user
To:
AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile C:/curl_2/UniServer/htpasswd/ssl/.htpasswd
Require valid-user
Quick test:
Type https://localhost:446/ into your browser
- You may be asked to add a security exception; do so
- When challenged for a name and password press Cancel
A page is displayed with something like Authorization Required; this confirms authentication is enabled.
Example 9 - Download and save page to a variable
Using example 8 above we now add name and password access.
Create a new text file in the folder C:\curl_1\UniServer\www, name it test9.php and add the following content
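The following is an added example that serves both Example 8 and Example 9; it is not the tutorial's own test8.php or test9.php. It fetches the page into a variable with CURLOPT_RETURNTRANSFER, sends the tutorial's root/root basic-auth credentials only over the verified TLS link to curl_2, strips the IP address that remote_page.php reports, and only then serves the result over the unencrypted browser connection. The server URL, the credentials and the $caFile path (a placeholder for the exported test certificate) are assumptions for this set-up.

```php
<?php
// Added example (not the tutorial's test8.php/test9.php): fetch the protected
// SSL test page into a variable, remove the visitor IP it reports, then serve it.
// Assumptions: curl_2 listens on https://localhost:446/, basic auth is enabled
// with the tutorial's root/root account, and $caFile holds the exported
// self-signed test certificate (placeholder path).

function fetch_secure_page($url, $user, $pass, $caFile) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,           // return the body instead of printing it
        CURLOPT_SSL_VERIFYPEER => true,           // certificate must validate against $caFile
        CURLOPT_SSL_VERIFYHOST => 2,              // Common Name must match the host
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC, // credentials travel only inside the TLS link
        CURLOPT_USERPWD        => $user . ':' . $pass,
        CURLOPT_FAILONERROR    => true,           // treat HTTP 401/403 as a failed transfer
    ));
    $body = curl_exec($ch);
    $err  = ($body === false) ? curl_error($ch) : null;
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return array($body, $code, $err);
}

// Replace anything that looks like a dotted IPv4 address before the page
// leaves curl_1 over plain HTTP.
function strip_ip_addresses($html) {
    return preg_replace('/\b(?:\d{1,3}\.){3}\d{1,3}\b/', '[redacted]', $html);
}

list($page, $status, $error) = fetch_secure_page(
    'https://localhost:446/remote_page.php',
    'root', 'root',                          // tutorial test credentials
    'C:\path\to\exported-test-cert.pem'      // placeholder path
);

if ($page === false) {
    // A 401 here means the credentials were rejected; a certificate error
    // means $caFile or the hostname does not match the test server.
    echo 'Request failed (HTTP ' . $status . '): ' . htmlspecialchars($error);
} else {
    echo strip_ip_addresses($page);
}
?>
```

For Example 8 alone, drop the CURLOPT_HTTPAUTH and CURLOPT_USERPWD entries from the options array; everything else, including the capture into $page and the redaction before output, stays the same.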
Summary
Connecting to a server using https (SSL) is relatively easy with Curl.
Another powerful feature of Curl is the ability to submit data to forms, covered on the next page.