Friday, January 22, 2010

cURL and SSL

cURL is a nice little extension to PHP. You can read an intro here.

I use cURL a lot. It seems that do a lot of web applications that connect to other servers for transactions (like payment gateways). You can do SSL or HTTPS requests to other web hosts without validating their certificates but you leave yourself open to man-in-the-middle attacks. While this seems unlikely if you are running out of a data center, checking the certificate validity is too easy to skip.

The one thing that you must do for this to work is tell cURL where the CA-bundle (or CURLOPT_CAINFO) is located. I am running CENTOS 5.4 and found CA info at "/etc/pki/tls/certs/ca-bundle.crt". I can enable this with the following two lines added before curl_exec();

curl_setopt($ch, CURLOPT_CAINFO, "/etc/pki/tls/certs/ca-bundle.crt");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);

1 comment:

Cheap SSL Certificates said...

Great article! Thank you!

Just a quick question – when the certificate on the server expires and the CA has to re-issue the certificate, would you have to go through the process of downloading the PEM file (as shown in the illustration above)?

Thanks so much again!