Send data securely via curl

If I want to send data securely via curl, do I just need to set
CURLOPT_SSL_VERIFYPEER to 1 and
CURLOPT_SSL_VERIFYHOST to 2?
Then, if I don’t have SSL installed on the client side (request sender), does it not send any data at all?
Or do these only check the SSL of the receiving data server and not the sender?
Also, please clarify the exact difference between these two settings, as I am confused by the PHP manual.

CURLOPT_SSL_VERIFYPEER can be set to 0/false and will send to any https site.
NOTE, with this option you could be “man in the middled”.
Sure, you would get an https connection, right through the man in the middle because he has an unsigned SSL cert and cURL was told to not check for unsigned certs.

The fix is simple though, here is a link.

Honestly, the man in the middle would, in most cases never happen. My logic is,
My server is in Atlanta and collects SalesForce leads all day.
In the evening my CRON script runs the cURL script that sends today’s leads to SalesForce.
My server opens a https connection to SalesForce, I don’t see how it would be possible to get “man in the middled”.

“CURLOPT_SSL_VERIFYHOST to 2?” I think you only get 2 options for this, true/1 or false/0. Also I have never used it.

So if the client has no SSL cert installed, it cannot send data to the server with these settings set to true?

  1. If I understood that link correctly, it does not have anything to do with whether SSL is installed on my server, but curl uses its own CA bundle to secure the transmission? Am I right?
  2. Is openssl a requirement for this to work?
  3. How do I know from phpinfo() whether my curl has a CA bundle, so that I won’t get an error with CURLOPT_SSL_VERIFYPEER set to true?

1 and 2 yes

3, I don’t see it in phpinfo, but the easiest way to check is to set CURLOPT_SSL_VERIFYPEER to true and download some page contents from an https page; try http://www.irs.gov/ and see if you can download the page.

don’t forget to add

curl.cainfo=c:\php\cacert.pem

to .ini
I’m just too lazy this weekend to try.
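One way to answer question 3 from code rather than by eyeballing phpinfo(). This is an added example, not code from the thread: it reads the cURL feature bitmask and the curl.cainfo setting, then runs a verified HEAD request against the https page suggested above (the host is assumed reachable).

```php
<?php
// Added example (not from the thread): report whether this PHP build's cURL
// can do TLS at all and which CA bundle CURLOPT_SSL_VERIFYPEER will use.
function curl_tls_report(): array
{
    $v = curl_version();
    // CURL_VERSION_SSL is a feature bit in the 'features' bitmask.
    $hasTls = (bool) ($v['features'] & CURL_VERSION_SSL);
    // curl.cainfo in php.ini is the default CA bundle for the curl extension.
    $cainfo = ini_get('curl.cainfo') ?: null;
    return [
        'curl_version' => $v['version'],
        'tls_backend'  => $hasTls ? $v['ssl_version'] : null,   // e.g. "OpenSSL/1.0.1e"
        'ca_bundle'    => $cainfo,
        'ca_readable'  => $cainfo !== null && is_readable($cainfo),
    ];
}

// Probe: a VERIFYPEER=true request against a public HTTPS host (assumed reachable).
// errno 0 means the handshake and the certificate check both passed.
function curl_verify_probe(string $url = 'https://www.irs.gov/'): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,   // a HEAD request is enough to exercise the handshake
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    curl_exec($ch);
    $result = ['errno' => curl_errno($ch), 'error' => curl_error($ch)];
    curl_close($ch);
    return $result;
}

print_r(curl_tls_report());
print_r(curl_verify_probe());
```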

  1. I am on Linux! Do you mean try to get the link you gave me with httpS:// rather than http://?
  2. As for the openssl requirement for CURLOPT_SSL_VERIFYPEER to work, under the curl extension in phpinfo I see:

SSL → Yes
SSL Version → OpenSSL/1.0.1e

Aren’t these settings enough for CURLOPT_SSL_VERIFYPEER to work without having openssl installed as a separate extension? Or do I still need to have the openssl extension installed?
Or, if the openssl extension is not installed, will those settings under the curl extension be INvalid too?

You will need OpenSSL, and it should appear in phpinfo in the cURL section.


So I have to have the OpenSSL extension installed as a separate extension and also have it in the cURL section too…

On the target server, how is it possible to check whether the client sent data securely with CURLOPT_SSL_VERIFYPEER enabled? As you know, PayPal IPN throws an error if data is not sent to them securely. How is it possible to tell whether data was received securely and the client had that option enabled, and if not, throw an error on the target server side?

Once the OpenSSL extension is installed, cURL will know it is there.
phpinfo will have a section called openssl displaying the properties.
phpinfo will also show that it’s available in several different extensions.

Thanks. On the target server, how is it possible to check whether the client sent data securely with CURLOPT_SSL_VERIFYPEER enabled? As you know, PayPal IPN throws an error if data is not sent to them securely. How is it possible to tell whether data was received securely and the client had that option enabled, and if not, throw an error on the target server side?

Debugging IPN can be difficult; however, you can use this to see exactly what the error is:

file_put_contents('file.txt', $data); 

Where $data can be the result from your cURL call and should have valuable info.

You will never be able to “talk” to https without openssl, no matter what CURLOPT_SSL_VERIFYPEER is set to.

In Windows it is as simple as uncommenting

extension=php_openssl.dll

Linux would be

extension=php_openssl.so

Here are a few links for Linux:

http://www.serveridol.com/2010/03/30/how-do-i-enable-openssl-extension-on-php/
http://serverfault.com/questions/348613/openssl-extension-for-php-in-ubuntu
http://stackoverflow.com/questions/22230337/centos-5-10-cant-enable-php-openssl-extension

Sounds like you have openssl, just need to enable it.

Sorry, I was not asking how to debug IPN! I meant I am curious to know how the target server (e.g. the IPN server) will know that data is not sent to it via a secure channel (e.g. with CURLOPT_SSL_VERIFYPEER set to false) so that it can throw an error?

If you cURL to paypal using https, paypal doesn’t know or care what CURLOPT_SSL_VERIFYPEER is set to.

CURLOPT_SSL_VERIFYPEER is your option.
Set to false, it will connect to ANY https and do its thing; no one cares.
Set to true, cURL will check if it is a “signed” certificate and only communicate with a server with a valid signed certificate.

Either way will work fine as far as paypal is concerned.

Sorry, what is the difference between a signed and an un-signed certificate?

“So, if you connect to a web server that provides an SSL certificate, but it is not signed by a trusted third party, in theory this could mean that you are communicating with an imposter that is pretending to be a server belonging to a different organization.”

Let’s say that somehow someone intercepted traffic from your web server and acted as a relay to paypal.com.
This is a “man in the middle”, and he has a self-signed SSL cert (not signed by a trusted third party).
With CURLOPT_SSL_VERIFYPEER set to false, you would have given the man in the middle all of your data.
With CURLOPT_SSL_VERIFYPEER set to true, cURL would know that the man in the middle was not paypal.com and would not send the data.

http://superuser.com/questions/161820/why-is-an-unsigned-ssl-cert-treated-worse-than-no-ssl-cert

See self-signed certs; the first link is to one of my websites with a self-signed cert.
https://wifigator.com/
Notice the warning!

Chrome says,
Your connection is not private
Attackers might be trying to steal your information from wifigator.com (for example, passwords, messages, or credit cards).

Why the error? Chrome wanted to make sure I was who I claimed to be, but Chrome could not find a certificate of trust.

https://www.globalsign.com/en/ssl-information-center/dangers-self-signed-certificates/

This error is because of a domain mismatch, but if it were because of an untrusted issuer, how does the browser know whether the issuer is trusted? Does the browser have a list/database of recognized issuers?

Yes they do. Those are what the browser considers to be root authorities. For any others to be trusted there must be a chain of trust back from the current certificate through other certificates to one of the root authorities. If not then the browser will indicate that the certificate is not trusted.

Untrusted certificates can still handle the encryption part, but it is then up to the person to decide whether they trust the certificate and override the untrusted message.

  1. So, if I understood correctly, CURLOPT_SSL_VERIFYPEER set to true validates the target server’s SSL and NOT the client server’s SSL, so if there is no SSL installed on the request sender server, there is still no problem for curl to do its job with CURLOPT_SSL_VERIFYPEER set to true, but if the target server has no valid SSL, then curl denies communication with that server? Right?

  2. So if I generate SSL certs myself, and I want browsers to recognize my certs by default without the end-user being forced to install my cert in their store, I have to be an authorized issuer company that browsers consider trusted enough to add my info to the store by default? Right?

  3. If I try to send data with CURLOPT_SSL_VERIFYPEER set to true to a server with no valid SSL, which error message should I get?

  4. If I try to send data with CURLOPT_SSL_VERIFYPEER set to true but with an http URL, e.g. $ch = curl_init(http://…), should I get an error too?

  1. VERIFYPEER says “I’m going to use SSL to communicate with Server X. I want to make sure Server X is using a trusted certificate.” If Server X’s SSL certificate check fails, cURL will throw an error and not send the data.

  2. Yes. Or more specifically, there must be a trust chain that extends back to a trusted root authority.

  3. libcurl should spit out error code 51 - CURLE_PEER_FAILED_VERIFICATION. curl_errno() would give you the number associated with the last attempt.

  4. This… most likely should spit out error code 35 - CURLE_SSL_CONNECT_ERROR. Not entirely sure. Why don’t you test it and find out?
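Putting the answers to 1, 3 and 4 into a single sending routine. This is an added example, not code from the thread: it refuses a plain http:// URL up front (VERIFYPEER and VERIFYHOST only act on a TLS connection, so an http:// request would simply go out in the clear), posts only over a verified HTTPS connection, and maps the libcurl error numbers to readable reasons. The endpoint, form fields and CA bundle path are constructed placeholders.

```php
<?php
// Added example (not from the thread): send form data only over a verified TLS
// connection and translate the libcurl error numbers discussed in the thread.
function secure_post(string $url, array $fields, string $caBundle): array
{
    // VERIFYPEER/VERIFYHOST only apply to TLS; a plain http:// URL would be sent
    // unencrypted without any curl error, so refuse it before anything is sent.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        return ['ok' => false, 'errno' => null, 'reason' => 'refusing non-https URL'];
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // peer cert must chain to a CA in $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,      // cert name must match the host in $url
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // restrict this handle to HTTPS only
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $err   = curl_error($ch);
    $code  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    switch ($errno) {
        case 0:
            return ['ok' => true, 'http_code' => $code, 'body' => $body];
        case 51:  // CURLE_PEER_FAILED_VERIFICATION in libcurl before 7.62
        case 60:  // CURLE_SSL_CACERT; libcurl >= 7.62 reports peer verification failure here
            $reason = 'certificate verification failed';
            break;
        case 35:  // CURLE_SSL_CONNECT_ERROR: the handshake failed before verification
            $reason = 'TLS handshake failed';
            break;
        case 77:  // CURLE_SSL_CACERT_BADFILE: $caBundle is missing or unreadable
            $reason = 'CA bundle could not be read';
            break;
        default:
            $reason = 'curl error';
    }
    // On any TLS failure libcurl aborts before the request body, so nothing was sent.
    return ['ok' => false, 'errno' => $errno, 'reason' => $reason, 'detail' => $err];
}

// Constructed sample call; the endpoint, fields and bundle path are placeholders.
print_r(secure_post('https://example.com/ipn', ['txn_id' => 'TEST-1'], '/etc/ssl/certs/ca-certificates.crt'));
```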