Too many times have I seen this in cURL clients:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Why is this bad? You leave yourself wide open to man-in-the-middle attacks, and it makes SSL virtually pointless. Sure, the data passed between the two servers would still be encrypted, but there is no way of verifying that the server you’re talking to is the server you WANT to be talking to!
My recommendation is that you verify the server is genuine by checking its certificate against the genuine CA certificate in PEM format. There are plenty of tutorials (e.g. here) on the internet on how to obtain the PEM certificate, so I won’t go into that here. All you need to do is change your cURL request like this:
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/your/certificate"); // CA certificate(s) in PEM format
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);                    // certificate name must match the host
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);                 // server certificate must chain to CAINFO
Set CURLOPT_SSL_VERIFYHOST to 2 “to check the existence of a common name and also verify that it matches the hostname provided” (read: PHP Manual).
Checking against the CA certificate in this way is the proper way of verifying that the server you’re talking to is the one you expect.
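As an added example (not code from the original post), here is a small wrapper that applies the three options above and refuses to continue when verification fails, since the common mistake is to treat a cURL error as a reason to switch verification off. The CA bundle path and URL are placeholders you must replace:

```php
<?php
// Added example: HTTPS GET with full peer and host-name verification.
// Assumptions: $caBundlePath points at a readable PEM CA bundle (placeholder
// path in the usage below), and the URL is an example value.

function https_get_verified(string $url, string $caBundlePath): string
{
    if (!is_readable($caBundlePath)) {
        // A missing bundle must fail loudly, never silently fall back
        // to an unverified connection.
        throw new RuntimeException("CA bundle not readable: $caBundlePath");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CAINFO         => $caBundlePath,   // trusted CA certs, PEM format
        CURLOPT_SSL_VERIFYPEER => true,            // chain must lead to a CA in CAINFO
        CURLOPT_SSL_VERIFYHOST => 2,               // cert name must match the host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never downgrade to plain HTTP
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        // Verification failures (e.g. CURLE_PEER_FAILED_VERIFICATION,
        // CURLE_SSL_CACERT) land here: treat them as hard errors.
        throw new RuntimeException("cURL error $errno: $error");
    }

    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Usage with placeholder values (replace the bundle path with your own):
try {
    $body = https_get_verified('https://example.com/', '/path/to/ca-bundle.pem');
    echo strlen($body), " bytes received over a verified TLS connection\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
}
```

If the request fails with a certificate error, the fix is to supply the correct CA bundle for that server, not to flip the verification options back to false.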
December 29th, 2009 at 9:04 pm
Thanks James!
Just a quick question – when the certificate on the server expires and the CA has to re-issue the certificate, would you have to go through the process of downloading the PEM file?
January 3rd, 2010 at 5:22 pm
Hi RD – sorry for the delay in replying, I’ve been on holiday. I don’t think you would have to re-download the certificate, because I believe the certificate you are downloading is the CA certificate (i.e. the one signing your server’s certificate). However, I think once the CA cert expires, you will need to re-download it.