Jump to content



Photo

[PHP] CURL security concerns


  • Please log in to reply
1 reply to this topic

#1 Axel

Axel

    --[Est. 1986]--

  • Joined: 05-August 03
  • Location: Milton Keynes, UK

Posted 05 February 2013 - 12:00

This is a follow up from this particular thread:

http://www.neowin.ne...age-to-another/

That's all worked fantastically. I do however have some security concerns regarding the use cURL. I've done some research and ascertained that the hosting service should ensure that the PHP installation on the server has an up to date CA root certificate bundle.


Here’s info on installing it:
http://curl.haxx.se/.../caextract.html

Apparently the path then need to be set in php.ini using something like this:

curl.cainfo=PATH/TO/FILE

But that's something for the server guys to do.

I understand there's a couple of options I need to use in my curl request to check the ssl certificate is valid before sending any sensitive data and avoid a man in the middle attack where possible. Now these are the options I have set at the moment:


$ch = curl_init('https://www.url.com/index.php');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, $_POST);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$result = curl_exec($ch);

I've found the following and wonder if the following is the correct usage if I just add them? Also what is the correct method of testing? I wanna make this as bulletrpoof as possible:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

Many thanks for the help!

Alex


#2 AnthonySterling

AnthonySterling

    Offering bad advice since 23-December 04.

  • Joined: 23-December 04
  • Location: North-East, UK

Posted 07 February 2013 - 21:37

Here you go. ;)

http://phpsecurity.r...L-and-TLS).html



Click here to login or here to register to remove this ad, it's free!