Verify SSL Certificate in PHP


Postby Dark Shadow » 03/10/09, 7:34 am

SOD, this might be a question you are best qualified to answer.

Anyone know of a way in PHP to verify that an SSL Cert on a site that the script is connecting to is signed by a valid CA, is current, and matches previous certs that have been collected upon connecting?

I'm thinking about the monitoring software and I'm trying to figure out if it is possible to add SSL certificate failure notifications. It would be nice to know that your Cert is about to expire, or isn't the one issued yesterday, etc... This would also be a nice feature to build into just about any PHP script that connects to an external source via SSL in order for the script to detect man-in-the-middle attacks as those generally are not able to reproduce a valid SSL cert but won't throw an error in a PHP app.

Obviously to verify that an SSL cert matches previous ones, you would need a way to save them into a database, however, I'm not even sure how in PHP you save SSL cert info. Anyone have any ideas?
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am

Postby SOD » 03/10/09, 9:27 am

So basically an interlock of sorts?
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
 
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby Dark Shadow » 03/10/09, 9:36 am

Not sure what an interlock is (aside from the non-technical version), but sure I guess. :)

My main thought is just this:

You browse with any modern browser and a person performs a man-in-the-middle attack and hands you a spoofed SSL cert. Your browser will normally throw a fit and say that this cert is insecure. For people who visit banking websites, this usually is enough for them to freak out and wonder why, but most importantly... stop what they are doing.

For a PHP app, it doesn't throw any warning if the SSL cert is spoofed because it doesn't care and therefore you could have a PHP app connecting to a payment gateway via SSL for months and never know that someone has been performing a man-in-the-middle attack, gathering credit card numbers, etc... This is a very real threat in shared hosting environments but even dedicated hosting environments are not immune.

My thought is to make PHP apps smarter by performing SSL cert checks on all new projects and stopping checkouts if the payment gateway spits back an invalid cert, etc...
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am

Postby Dark Shadow » 03/10/09, 10:05 am

Looks like curl has a fairly simple one built in... but I'm not sure how robust it is.

http://curl.haxx.se/docs/sslcerts.html
http://curl.haxx.se/docs/caextract.html

It is also written in perl. I've got nothing against perl, but I'm far more comfortable with PHP and I would like to keep PHP coded projects as close to one language as possible. Also, although CURL is popular, I'm not sure I want to rely upon it always being there for future projects.
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am

Postby Gerry » 03/13/09, 9:40 pm

Gerry
BIG GIANT HEAD I Get Free Beer
 
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby Dark Shadow » 03/14/09, 1:44 am

Yeah, I've been reading through every function regarding security on PHP.net. Seems possible enough, just how I'm going to go about it will be interesting.

No feedback so I guess I'm on my own on this one.
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am

Postby ketchum » 04/30/09, 8:13 am

Dark Shadow, did you get anywhere with this? It sounds like an avenue I'd like to explore.
ketchum
Member
 
Posts: 1
Joined: 04/29/09, 10:10 pm

Postby Dark Shadow » 05/06/09, 12:00 am

Yes I did, however, it has been slow going and the majority of the code I had to write myself. The trick is to dump the cert to a file and then to inspect the file for information regarding the cert. That is the only way I found it would work.
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am

Postby Gerry » 05/06/09, 4:23 pm

Doesn't this do most of what you wanted:
http://php.net/manual/en/function.opens ... urpose.php

It allows you to specify an array of public keys for trusted Certificate Authorities and checks that your certificate is valid for the purpose that you specify.
Gerry
BIG GIANT HEAD I Get Free Beer
 
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby Dark Shadow » 05/07/09, 12:28 am

It's close... very close, however I also wanted to check the following:

Does the cert expire within 7 days or is it already expired?
Is the cert the same cert which was there 24/48/72 hours ago?

Dumping the cert into a database was the only way to compare/contrast the current cert with a past cert.
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am

Postby Gerry » 05/07/09, 8:37 pm

Well this would get you the valid from and valid to dates:
http://www.php.net/manual/en/function.o ... -parse.php

and for the cert matching, well that requires you to store it in a db, retrieve it later and compare, which is not really cert related functionality so there's no cert function for it, just regular db functions. :)

Did you use the two functions I mentioned in your code, or did you use another method?
Gerry
BIG GIANT HEAD I Get Free Beer
 
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia
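
Putting the pieces from this thread together (openssl_x509_checkpurpose for the CA check, openssl_x509_parse for the expiry dates, and a stored fingerprint for the "is it the same cert as yesterday" comparison) as one added example; this is not code from the thread or from PHP's manual. It assumes PHP 5.6 or later (openssl_x509_fingerprint, and verify_peer on by default from that version, which is what earlier PHP lacked), a CA bundle path, a file to hold the stored fingerprint, and a placeholder hostname.

```php
<?php
// Added example, not code from the thread. Connects over TLS with PHP's own CA
// verification on, then runs the three checks discussed above on the leaf cert:
// trusted CA chain, expiry within N days, and change since the last run.
// $caFile/$storeFile are assumed paths; the hostname at the bottom is a placeholder.

function fetch_peer_cert(string $host, string $caFile, int $port = 443)
{
    // verify_peer/verify_peer_name make the connect itself fail on a cert that does
    // not chain to $caFile or does not match $host (the MITM case the thread worries about);
    // capture_peer_cert keeps the leaf cert so it can be inspected afterwards.
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true,
        'cafile' => $caFile, 'capture_peer_cert' => true]]);
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("TLS connect to $host failed: $errstr ($errno)");
    }
    $opts = stream_context_get_params($fp)['options']['ssl'];
    fclose($fp);
    return $opts['peer_certificate'];
}

function check_cert($cert, string $caFile, string $storeFile, int $warnDays = 7): array
{
    $issues = [];
    // Signature/usage check against the trusted CA list (openssl_x509_checkpurpose).
    if (openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, [$caFile]) !== true) {
        $issues[] = 'cert does not chain to a trusted CA for SSL server use';
    }
    // validTo_time_t from openssl_x509_parse() is a Unix timestamp.
    $info     = openssl_x509_parse($cert);
    $daysLeft = (int) floor(($info['validTo_time_t'] - time()) / 86400);
    if ($daysLeft < 0) {
        $issues[] = 'cert has expired';
    } elseif ($daysLeft < $warnDays) {
        $issues[] = "cert expires in $daysLeft day(s)";
    }
    // Change detection: SHA-256 fingerprint vs. stored baseline (written once, never overwritten).
    $fpr = openssl_x509_fingerprint($cert, 'sha256');
    if (!is_file($storeFile)) {
        file_put_contents($storeFile, $fpr . "\n");
    } elseif (trim(file_get_contents($storeFile)) !== $fpr) {
        $issues[] = 'cert fingerprint differs from the stored baseline';
    }
    return ['days_left' => $daysLeft, 'fingerprint' => $fpr, 'issues' => $issues];
}

$ca = '/etc/ssl/certs/ca-certificates.crt';  // assumed CA bundle path
print_r(check_cert(fetch_peer_cert('example.com', $ca), $ca, '/tmp/example.com.fpr'));
```

A rotated cert legitimately changes the fingerprint, so treat a mismatch as an alert to review and reset the baseline by hand rather than as an automatic failure; the fingerprint file stands in for the database column the thread talks about.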
