
I'm working on an open source PHP application. The application may need to connect to my server, to transfer sensitive data. I have SSL installed on my server and I think I have set it up properly, but I'm hoping someone here can confirm.

The application will be used on other users' servers, so it will be server to server communication.

I will treat users' servers as clients when connecting to my server. My server will never connect to their server, so they don't need SSL on their end (right?).

I use cURL to make the calls (to my server) and POST data during the connection. So I cURL to an https address.

Now I thought that is it. Once I cURL a https address, everything is secure. I can send whatever I like (Credit card numbers, passwords, etc etc) securely, without worrying about the middle man. End of story.

But after reading around, I've noticed that some people are doing other stuff in their cURL session, like including a certificate (.crt file):

// $ch is a handle obtained from curl_init()
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // check the server certificate against a CA
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);      // check the certificate name matches the host
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt"); // the CA to trust

Is that safe for open source? Should I do it too? Or am I safe with what I've got?

2 Answers

1

Depending on the system you're installing cURL on, it may or may not have enough information to verify an SSL certificate (this can be improved by linking intermediate and root certificates into your website certificate). You can also read it here: http://curl.haxx.se/docs/sslcerts.html

It sometimes makes sense to ship a bundle explicitly, especially since cURL tends to get shipped with old certificate bundles. You can download a more recent one here (which is taken from the Firefox source code): http://curl.haxx.se/docs/caextract.html

If your software will exclusively talk to your own server, you could also ship a bundle containing only your own public certificate. This would allow you to use self signed certificates which is free :)


4 Comments

Well I use other methods to verify who is connecting to my server, so I don't think requiring a public certificate from the client is necessary. So other than that, am I okay to begin POSTing what I want? Through a simple cURL to https? Thanks xD
No, I meant your server can use a self signed certificate :) the client, as you correctly mentioned, doesn't need any cert of their own. You can try without a bundle first, see how that goes.
Is it in any way insecure doing it without sending any certificates? and just using https over cURL or is a bundle a must?
It always uses a bundle anyway, whether it's the shipped one or the one you supply. It's needed to verify the peer so if it can't do that with the shipped bundle it's up to you to supply a better one :)
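The setup this answer recommends, as an added example that is not code from the question or the answer: a POST helper that verifies the server certificate against a CA bundle shipped with the application (either the curl.haxx.se extract or a bundle holding only your own certificate), plus a small audit function that flags the weak settings people copy into cURL code (verification switched off, hostname check relaxed, no bundle). The endpoint URL and the bundle path are placeholders.

```php
<?php
// Added example, not from the question or answers. Assumed names: $url and
// $ca_bundle are placeholders supplied by the calling application.

/** Return a list of problems found in a cURL option array; empty means OK. */
function audit_curl_tls_options(array $opts): array
{
    $problems = [];
    // false here makes cURL accept any certificate, including an attacker's.
    if (($opts[CURLOPT_SSL_VERIFYPEER] ?? true) == false) {
        $problems[] = 'CURLOPT_SSL_VERIFYPEER is disabled';
    }
    // 2 is the only value that checks the certificate name against the host.
    if (($opts[CURLOPT_SSL_VERIFYHOST] ?? 2) != 2) {
        $problems[] = 'CURLOPT_SSL_VERIFYHOST is not 2';
    }
    if (empty($opts[CURLOPT_CAINFO]) || !is_readable($opts[CURLOPT_CAINFO])) {
        $problems[] = 'CURLOPT_CAINFO is missing or unreadable';
    }
    return $problems;
}

/** POST $fields to $url over HTTPS, verifying the peer with our own bundle. */
function secure_post(string $url, array $fields, string $ca_bundle): array
{
    $opts = [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => http_build_query($fields),
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,        // chain must end at a CA in our bundle
        CURLOPT_SSL_VERIFYHOST  => 2,           // certificate name must match $url's host
        CURLOPT_CAINFO          => $ca_bundle,  // bundle shipped with the application
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // nor follow a redirect off https
        CURLOPT_TIMEOUT         => 15,
    ];
    $problems = audit_curl_tls_options($opts);
    if ($problems) {
        throw new RuntimeException('Refusing to send: ' . implode('; ', $problems));
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false) {
        // Error codes 51 and 60 are peer/CA verification failures. The right
        // reaction is to fix the bundle, never to retry with verification off.
        throw new RuntimeException("Transport failure (curl error $errno): $error");
    }
    return ['status' => $status, 'body' => $body];
}

// Usage (placeholder values):
// $reply = secure_post('https://example.invalid/api', ['card' => '...'],
//                      __DIR__ . '/CAcerts/cacert.pem');
```

If the bundle contains only your own server certificate, as the answer suggests, every other site will fail verification through this helper, which is the intended behaviour when the application only ever talks to your server. Keep the bundle in the application's own directory (the `__DIR__` form above) rather than relative to `getcwd()`, which changes with how the script is invoked.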
0

You attach your client certificate along with cURL calls if the server at the other end has specifically provided you with one and is not accepting any connection from clients other than the ones who have those client certificates.

If you are talking about a website here, you don't even need to worry about that.

But if you are talking about some service providers which you access for any secured resources, and if they require you to produce client certificates, they will issue them for you and tell you explicitly to use them.

For example, we have a system which only private members can access. We have an RPC endpoint where other members send requests to. And since we only allow access to our members (private, NOT public like websites) we issue them client certificates and explicitly direct them to attach those along with their service calls.

1 Comment

So I'm okay with what I've got? - as I'm not looking to make connections private.
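Both halves of the client-certificate arrangement this answer describes, as an added example that is not code from the answer: the member side attaches the issued certificate and key to its cURL call, and the RPC endpoint refuses requests whose client certificate did not verify. The endpoint side assumes Apache with mod_ssl configured with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`, which is what populates the `SSL_CLIENT_*` variables read here; all paths, URLs and names are placeholders.

```php
<?php
// Added example, not from the question or answers. Assumes the server runs
// Apache/mod_ssl with SSLVerifyClient require and SSLOptions +StdEnvVars.

/** Member side: call the RPC endpoint presenting the certificate we were issued. */
function call_with_client_cert(string $url, string $payload,
                               string $cert_pem, string $key_pem,
                               string $key_password, string $ca_bundle): string
{
    foreach ([$cert_pem, $key_pem, $ca_bundle] as $f) {
        if (!is_readable($f)) {
            throw new RuntimeException("Required file not readable: $f");
        }
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $payload,
        CURLOPT_RETURNTRANSFER => true,
        // Still verify the server: a client certificate is in addition to,
        // not instead of, checking who we are talking to.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $ca_bundle,
        // The certificate and private key the service provider issued to us.
        CURLOPT_SSLCERTTYPE    => 'PEM',
        CURLOPT_SSLCERT        => $cert_pem,
        CURLOPT_SSLKEYTYPE     => 'PEM',
        CURLOPT_SSLKEY         => $key_pem,
        CURLOPT_KEYPASSWD      => $key_password,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $msg = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Call failed: $msg");
    }
    curl_close($ch);
    return $body;
}

/**
 * Endpoint side: return the verified client subject DN, or null if the request
 * did not arrive with a client certificate that mod_ssl verified. $server is
 * normally $_SERVER; it is a parameter so the check can be exercised offline.
 */
function verified_client_dn(array $server): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the chain verified
    // against the CA configured with SSLCACertificateFile.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $dn = $server['SSL_CLIENT_S_DN'] ?? '';
    return $dn !== '' ? $dn : null;
}

// Endpoint usage:
// $dn = verified_client_dn($_SERVER);
// if ($dn === null) { http_response_code(403); exit; }
// ... look $dn up in the member list before handling the RPC ...

// Constructed sample, as it would look for a verified member request:
$sample = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN' => 'CN=member42,O=Example Members'];
assert(verified_client_dn($sample) === 'CN=member42,O=Example Members');
assert(verified_client_dn(['SSL_CLIENT_VERIFY' => 'NONE']) === null);
```

The `SSL_CLIENT_VERIFY` check belongs in the endpoint even when the Apache directive already rejects unverified connections: it makes the PHP code fail closed if the virtual host is later reconfigured or the script is served from a host where mod_ssl is not enforcing client certificates.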
