PHP cURL: SSL

From The Uniform Server Wiki

 

UniServer 5-Nano
PHP cURL.

https - SSL

The following provides a quick introduction to using cURL with SSL and how to create an SSL authentication test server with UniServer.

SSL Test Server

Before doing any tests we require an SSL test server. Uniform Server's default is to have SSL disabled; this forces you to generate a new certificate and key pair that is unique to your server.

  • Click tray icon 3 > Advanced > Click Server certificate and Key Generator
  • Press enter at all prompts (uses default values)
  • Restart server (if you have been following the tutorial you are challenged for a name and password; enter root root)
  • Click View Secure Page or type https://localhost:446/ into browser
  • Create a security exception (the certificate is self-signed hence browsers will whinge)

Note: The server does not use the standard SSL port (443); it uses port 446, hence this must be included in the URL. You can check what ports are being used by running Server Status from UniTray.

SSL - remote_page.php

Copy file C:\curl_2\UniServer\www\remote_page.php to folder C:\curl_2\UniServer\ssl

Edit the copied file and add something like SSL or any other text; this is used only to distinguish the page:

<?php
  // Gets the IP address
  $ip = getenv("REMOTE_ADDR");
  echo "SSL Your IP is " . $ip;
?>

That completes setting up an SSL test server.

Background

There are two Curl constants that are important to SSL:

  • CURLOPT_SSL_VERIFYHOST - checks that the certificate's Common Name matches the hostname.
  • CURLOPT_SSL_VERIFYPEER - checks that the certificate is valid against a CA.

When you connect to a secure server it presents you with a certificate signed by a CA. With CURLOPT_SSL_VERIFYHOST enabled (default), Curl verifies whether the certificate's common name matches that of the host. If the certificate doesn't match the host server, the connection fails.

With CURLOPT_SSL_VERIFYPEER enabled (default), the certificate itself is verified against a set of CA certificates that are bundled with Curl; the connection fails if Curl cannot match the certificate against a CA.

The CA could be missing from the bundled CAs; in this case you add it to your system and include it using CURLOPT_CAINFO or CURLOPT_CAPATH.

Note 1:

PHP does not include the bundled CAs; you have to download curl-ca-bundle.crt from the Curl website.

If this file is placed in folder C:\curl_1\UniServer\usr\local\php, you need to inform Curl where to find it by adding the following option:

curl_setopt($ch, CURLOPT_CAINFO, 'C:\curl_1\UniServer\usr\local\php\curl-ca-bundle.crt');

Note 2:

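As mentioned above, Curl will fail if the CA bundle cannot be found; hence, for the test server, disable CURLOPT_SSL_VERIFYPEER as follows. The link is still encrypted, but the server's certificate is no longer checked against a CA: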

  • curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

Example 7 - Download and display page

Create a new text file in folder C:\curl_1\UniServer\www, name it test7.php and add the following content:

<?php
 $ch=curl_init();
 curl_setopt($ch,CURLOPT_URL,'https://localhost:446/remote_page.php');
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // no verify
 curl_exec($ch);
 curl_close($ch);
?>

Test:

  • Run servers
  • Type http://localhost/test7.php into your browser
  • Result: SSL Your IP is 127.0.0.1 - Displayed

 
Using Example 2:

  • Replace http with https - if using a standard SSL connection (port 443) that's all you need to change for the URL
  • However, we are running our test server on port 446 and this needs adding to the URL
  • We are using a self-signed certificate, hence cannot check against a CA; in addition we have no CA bundle, hence the need to disable VERIFYPEER by setting it to false.

Security issue: communication between our two servers curl_1 and curl_2 is over an encrypted link; however, the connection between the browser and server curl_1 is not.

The page is re-served unencrypted, hence any sensitive information may be intercepted. The solution is to save the page to a variable and strip any sensitive data before serving; see the next example.

Example 8 - Download and save page to a variable

The above example is of little use to us because the page downloaded is instantly re-served to a user.

We want to capture the page in a variable where we can manipulate it before serving to a user.

Create a new text file in folder C:\curl_1\UniServer\www, name it test8.php and add the following content:

<?php
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL,'https://localhost:446/remote_page.php');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // no verify
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,5);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$buffer = curl_exec($ch);
curl_close($ch);

print "TEST 8 ".$buffer;
?>

Test:

  • Run servers
  • Type http://localhost/test8.php into your browser
  • Result: TEST 8 Your IP is 127.0.0.1 - displayed.

What the code does:

  • Initialize Curl and save the handle in variable $ch
  • Set the Curl URL option to the URL we wish to work with; change http to https and include the port number.
  • Disable VERIFYPEER by setting it to false
  • Set the Curl CONNECTTIMEOUT option to 5 seconds. If the connection cannot be established, give up after 5 seconds
  • Set RETURNTRANSFER to 1. This forces the output of curl_exec() to be a string and not to re-serve the page.
  • Run Curl: curl_exec() downloads the page from the external server and converts it to a string, which is saved in variable $buffer
  • Close Curl
  • Print the variable $buffer

Authentication SSL Test Server

Our test server curl_2 is easily converted into an SSL authentication server; you don't even have to restart it.

Edit file C:\curl_2\UniServer\ssl\.htaccess

Change these four lines:

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile C:/curl_2/UniServer/htpasswd/ssl/.htpasswd
#Require valid-user

To:

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile C:/curl_2/UniServer/htpasswd/ssl/.htpasswd
Require valid-user

Quick test:

Type https://localhost:446/ into your browser

  • You may be requested to enter a security exception; do so.
  • When challenged for a name and password press cancel.

A page is displayed with something like Authorization Required, this confirms authentication is enabled.

Example 9 - Download and save page to a variable

Using the above example 8, we now add name/password access.

Create a new text file in folder C:\curl_1\UniServer\www, name it test9.php and add the following content:

<?php
 $ch=curl_init();
 curl_setopt($ch,CURLOPT_URL,'https://localhost:446/remote_page.php');
 curl_setopt($ch, CURLOPT_USERPWD, "root:root");
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // no verify
 curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,5);
 curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
 $buffer = curl_exec($ch);
 curl_close($ch);

 print "TEST 9 ".$buffer;
?>

Test:

  • Run servers
  • Type http://localhost/test9.php into your browser
  • Result: TEST 9 Your IP is 127.0.0.1 - displayed.

What the code does:

  • Initialize Curl and save the handle in variable $ch
  • Set the Curl URL option to the URL we wish to work with; change http to https and include the port number.
  • Set name/password using CURLOPT_USERPWD (UniServer default is root root)
  • Disable VERIFYPEER by setting it to false
  • Set the Curl CONNECTTIMEOUT option to 5 seconds. If the connection cannot be established, give up after 5 seconds
  • Set RETURNTRANSFER to 1. This forces the output of curl_exec() to be a string and not to re-serve the page.
  • Run Curl: curl_exec() downloads the page from the external server and converts it to a string, which is saved in variable $buffer
  • Close Curl
  • Print the variable $buffer
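
Note 2 and Examples 7 to 9 switch CURLOPT_SSL_VERIFYPEER off because no CA bundle is available. The following is an added example, not part of the original tutorial: it keeps both checks on by pointing CURLOPT_CAINFO at a copy of the test server's own certificate and reports why a fetch failed. The function name fetch_verified and the certificate path are assumptions; the file must be a PEM copy of the certificate generated for curl_2.

```php
<?php
// Added example, not from the original tutorial.
// ASSUMPTION: $caFile is a PEM copy of the self-signed certificate generated
// for the curl_2 test server; the path used below is a placeholder.
function fetch_verified($url, $caFile, $userpwd = null)
{
    if (!is_readable($caFile)) {
        return array('ok' => false, 'body' => null,
                     'error' => 'CA file not readable: ' . $caFile);
    }
    $ch = curl_init();
    curl_setopt_array($ch, array(
        CURLOPT_URL            => $url,
        CURLOPT_SSL_VERIFYPEER => true,    // certificate must chain to $caFile
        CURLOPT_SSL_VERIFYHOST => 2,       // certificate name must match the URL host
        CURLOPT_CAINFO         => $caFile, // trust only this certificate
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_RETURNTRANSFER => true,
    ));
    if ($userpwd !== null) {
        curl_setopt($ch, CURLOPT_USERPWD, $userpwd); // Basic auth, as in Example 9
    }
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false) {
        // Untrusted certificate, host name mismatch, timeout or refused connection
        return array('ok' => false, 'body' => null,
                     'error' => "cURL error $errno: $error");
    }
    if ($status !== 200) {
        // For example 401 when .htaccess rejects the name/password
        return array('ok' => false, 'body' => null, 'error' => "HTTP status $status");
    }
    return array('ok' => true, 'body' => $body, 'error' => null);
}

$result = fetch_verified(
    'https://localhost:446/remote_page.php',
    'C:\curl_1\UniServer\usr\local\php\test-server.crt', // placeholder path
    'root:root'
);
// Escape before re-serving so the remote page cannot inject markup
print $result['ok']
    ? 'TEST ' . htmlspecialchars($result['body'])
    : 'Fetch failed: ' . htmlspecialchars($result['error']);
```

If the name in the generated certificate does not match localhost, the call returns a cURL error instead of the page; regenerate the certificate with the matching name rather than lowering CURLOPT_SSL_VERIFYHOST.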

Summary

Connecting to a server using https (SSL) is relatively easy using Curl.

Another powerful feature of Curl is the ability to submit data to forms, covered on the next page.
