Send data securely via curl

Thanks,

  1. I did read user comments and I see I should be careful about error constants difference in php and in their website, I am going to test them as you said too, I like to create an array to map CURLE_* constants with English error message, but if you know there is already such array that I can just copy/paste I appreciate it.

  2. So if a user doesn’t have ssl installed and wants to use paypal ipn, he should set CURLOPT_SSL_VERIFYPEER to false to avoid error 35, but still with this set to false he can send data to httpS://paypal to use ipn and get no error from paypal part? right?

  3. No if I understood everything correctly, that .pem file that cURL needs it to be installed is actually a CA store to validate target server’s ssl, just like what browsers do? right?

  1. http://curl.haxx.se/libcurl/c/libcurl-errors.html
  2. Let’s be a bit more specific here - when you’re using cURL, the ‘user’ has nothing to do with it. It’s your web SERVER talking to a remote web SERVER. If the user’s webserver doesn’t have SSL installed, they will not be able to communicate via SSL at all. The client server would request an SSL URL, Paypal’s server would send an SSL handshake, the client server would say “I don’t know what this is” and the whole thing would fall apart. That said, find me a web server that doesn’t have SSL installed.
  3. Generally, a pem file is a public certificate, only. While it should refer to the issuing authority, that doesn’t mean it itself is the authority. Part of the SSL Handshake is that the Server hands the Client its public certificate (along with other data), which the Client can then validate based on the information contained within, by checking its own CA store. If the client server can’t validate the certificate using its CA store, it will fail the VERIFYPEER check. You can set VERIFYPEER to false (it’s set to 1 by default), which will prevent this failure, but it also opens the possibility of man-in-the-middle attacks, because you’re not actually checking to see if the certificate is valid. (Hint: Paypal’s certificate is issued by Symantec, one of the largest CAs in the world. It’s pretty safe to assume every server will have it in their CA store.)

I tested several variants:

  1. It doesn’t care if client server has ssl installed regardless any setting. I did not get error 35 without having ssl installed on client server.
  2. It doesn’t care if openssl extension is installed as a separate extension regardless any setting, but “openssl” was present under curl extension without openssl extension being installed separately.
  3. If .pem file is missing it throws error 60
  4. If target server doesn’t have a valid ssl e.g. that wifiorg.com, it throws error 51.

Something goes wrong with these testings?

PS. how target server send an ssl handshake? how client server recognizes ssl handshake sent from target server?

Also I see these constant difference between official site and php,

errno, official curl site => PHP
22, CURLE_HTTP_RETURNED_ERROR => CURLE_HTTP_NOT_FOUND
25, CURLE_UPLOAD_FAILED => CURLE_FTP_COULDNT_STOR_FILE
28, CURLE_OPERATION_TIMEDOUT => CURLE_OPERATION_TIMEOUTED
45, CURLE_INTERFACE_FAILED => CURLE_HTTP_PORT_FAILED
64, CURLE_USE_SSL_FAILED => CURLE_FTP_SSL_FAILED

following errors have more than one constant:
[CURLE_FTP_PARTIAL_FILE] 18
[CURLE_PARTIAL_FILE] 18
[CURLE_HTTP_NOT_FOUND] 22
[CURLE_HTTP_RETURNED_ERROR] 22
[CURLE_OPERATION_TIMEDOUT] 28
[CURLE_OPERATION_TIMEOUTED] 28
[CURLE_BAD_DOWNLOAD_RESUME] 36
[CURLE_FTP_BAD_DOWNLOAD_RESUME] 36

and constants from 65 to 89 (except 79) according to official site, are missing from php.

As long as I tested it seems curl has nothing to do with separated openssl extension, but I guess it has its own openssl as appears under curl extension in phpinfo.
with extension_exists this is possible to check whether curl is installed, but how can I check with php whether curl has openssl or ssl support?

the output of curl_version(); is an array like below, to check whether this curl installation is able to send data via ssl, other than checking [ssl_version] element, is it good idea to check if https is in array of [protocols] element?

Array
(
    [version_number] => 466432
    [age] => 3
    [features] => 4029
    [ssl_version_number] => 0
    [version] => 7.30.0
    [host] => i386-pc-win32
    [ssl_version] => OpenSSL/1.0.1e
    [libz_version] => 1.2.7
    [protocols] => Array
        (
            [0] => dict
            [1] => file
            [2] => ftp
            [3] => ftps
            [4] => gopher
            [5] => http
            [6] => https
            [7] => imap
            [8] => imaps
            [9] => ldap
            [10] => pop3
            [11] => pop3s
            [12] => rtsp
            [13] => scp
            [14] => sftp
            [15] => smtp
            [16] => smtps
            [17] => telnet
            [18] => tftp
        )
)

Well you’d be looking for https, not http. But that should always exist. Again, find a webserver package that doesn’t include SSL in some form. It may take you some time.

find a webserver package that doesnt include SSL in some form. It may take you some time.

:smile:

This may answer your questions.
http://curl.haxx.se/docs/faq.html#curl_1_SSL_is_disabled_https

“If you get this output when trying to get anything from a https:// server, it means that the instance of curl/libcurl that you’re using was built without (SSL) support for this protocol.”

https requires some sort of support for SSL
http works right out of the box with cURL, no need to check anything.

is it possible to check with php, whether ssl is supported with current curl extension?


Yes, phpinfo, if it is a one off, parse phpinfo with regex. ( preg_match() )

Too lazy to write it, print_r($out) will tell you what matches ($out may be $matches, depending what you read).

Finally I found the way, and wrote what I discovered here: http://stackoverflow.com/questions/5773516/how-to-check-if-curl-has-support-for-ssl/31712010#31712010

I am not sure if it is good idea to go with curl_version()['ssl_version'], (e.g. if (stripos(curl_version()['ssl_version'], "openssl") !== false) { ) as curl says here http://curl.haxx.se/docs/faq.html#Does_curl_work_build_with_other it may use other ssl library than OpenSSL (which does not have anything to do with that separated openssl extension, curl has its own openssl library) so as described here http://curl.haxx.se/libcurl/c/curl_version_info.html it appears better to go with CURL_VERSION_SSL bitmask check rather than curl_version()['ssl_version']. Note that not all of those constants stated on official cURL website are available in php, but only these four constants:
[CURL_VERSION_IPV6] => 1
[CURL_VERSION_KERBEROS4] => 2
[CURL_VERSION_SSL] => 4
[CURL_VERSION_LIBZ] => 8

I tested this on Windows by disabling “openssl” extension in php.ini and noticed curl has nothing to do with that separated openssl extension but it has its own openssl, in other words, disabling openssl extension does not affect $v['ssl_version'];. So if you want to check if curl has support for ssl, you should not rely on existence of that separated openssl extension and above I explained you should not rely on curl_version()['ssl_version'] either. The only reliable way is CURL_VERSION_SSL bitmask checking:

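// Parentheses are required: `!` binds tighter than `&`, so without them
// the negation is applied to the features value before the bitmask test.
if (!(curl_version()['features'] & CURL_VERSION_SSL)) {
    echo "SSL is not supported with this cURL installation.";
}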
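
Putting the thread together, as an added example that is not part of any post above: a capability check that combines the CURL_VERSION_SSL bitmask with the https entry in [protocols], followed by a POST that leaves certificate verification on and reports failures through curl_strerror() instead of a hand-built CURLE_* message array. The function names, the optional $caBundle path and the example.com URL are assumptions made for illustration.

```php
<?php
// Added example; curlHasTls(), postOverTls() and $caBundle are hypothetical names.

/** True when this libcurl build can speak TLS, whichever TLS library backs it. */
function curlHasTls(array $v): bool
{
    // Parenthesise the bitmask test: `!` and `!==` must not see the raw features value.
    $featureBit = ($v['features'] & CURL_VERSION_SSL) !== 0;
    $hasHttps   = in_array('https', $v['protocols'], true);
    return $featureBit && $hasHttps;
}

/** POST $fields to $url with chain and host name verification enabled. */
function postOverTls(string $url, array $fields, ?string $caBundle = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the chain against the CA store
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
        CURLOPT_TIMEOUT        => 30,
    ]);
    if ($caBundle !== null) {
        // Path to a PEM CA bundle; the thread reports error 60 when it is missing.
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    // curl_strerror() (PHP >= 5.5) returns libcurl's own text for any error
    // number, so the differing PHP constant names do not matter here.
    $error = $errno ? curl_strerror($errno) . ': ' . curl_error($ch) : null;
    return ['ok' => $errno === 0, 'errno' => $errno,
            'error' => $error, 'body' => $errno ? null : $body];
}

if (!curlHasTls(curl_version())) {
    exit("SSL is not supported with this cURL installation.\n");
}
// Constructed sample call; example.com stands in for the real endpoint.
$r = postOverTls('https://example.com/', ['key' => 'value']);
echo $r['ok'] ? "sent\n" : "cURL error {$r['errno']}: {$r['error']}\n";
```

A verification failure should be treated as a failed request and fixed by supplying a CA bundle, not by switching CURLOPT_SSL_VERIFYPEER off.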
