
Verify SSL Certificate in PHP

Posted: 03/10/09, 7:34 am
by Dark Shadow
SOD, this might be a question you are best qualified to answer.

Anyone know of a way in PHP to verify that an SSL Cert on a site that the script is connecting to is signed by a valid CA, is current, and matches previous certs that have been collected upon connecting?

I'm thinking about the monitoring software and I'm trying to figure out if it is possible to add SSL certificate failure notifications. It would be nice to know that your Cert is about to expire, or isn't the one issued yesterday, etc... This would also be a nice feature to build into just about any PHP script that connects to an external source via SSL in order for the script to detect man-in-the-middle attacks as those generally are not able to reproduce a valid SSL cert but won't throw an error in a PHP app.

Obviously to verify that an SSL cert matches previous ones, you would need a way to save them into a database, however, I'm not even sure how in PHP you save SSL cert info. Anyone have any ideas?

Posted: 03/10/09, 9:27 am
by SOD
So basically an interlock of sorts?

Posted: 03/10/09, 9:36 am
by Dark Shadow
Not sure what an interlock is (aside from the non-technical version), but sure I guess. :)

My main thought is just this:

You browse with any modern browser and a person performs a man-in-the-middle attack and hands you a spoofed SSL cert. Your browser will normally throw a fit and say that this cert is insecure. For people who visit banking websites, this usually is enough for them to freak out and wonder why, but most importantly... stop what they are doing.

For a PHP app, it doesn't throw any warning if the SSL cert is spoofed because it doesn't care and therefore you could have a PHP app connecting to a payment gateway via SSL for months and never know that someone has been performing a man-in-the-middle attack, gathering credit card numbers, etc... This is a very real threat in shared hosting environments but even dedicated hosting environments are not immune.

My thought is to make PHP apps smarter by performing SSL cert checks on all new projects and stopping checkouts if the payment gateway spits back an invalid cert, etc...
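Added example (not code from anyone in this thread): the "doesn't care" behaviour above is PHP's stream wrapper connecting without peer verification, which was the default before PHP 5.6. Turning verification on is a context option, and the same context can capture the peer certificate so it can be inspected afterwards. The host, port and CA bundle path are hypothetical; the CA bundle is assumed to be a PEM file such as the curl CA extract linked later in the thread.

```php
<?php
// Added example, not from the thread. Opens a TLS connection that refuses an
// untrusted, expired or misnamed certificate, and returns the leaf cert for
// further checks. Before PHP 5.6 'verify_peer' defaulted to false, so it is
// set explicitly here rather than relying on the default.

function fetch_verified_peer_cert(string $host, int $port, string $caFile)
{
    $context = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,   // chain must end at a CA in $caFile
            'verify_peer_name'  => true,   // CN/SAN must match $host (PHP >= 5.6)
            'peer_name'         => $host,
            'cafile'            => $caFile,
            'allow_self_signed' => false,
            'capture_peer_cert' => true,   // expose the leaf cert after the handshake
        ],
    ]);

    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client(
        "ssl://{$host}:{$port}", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $context
    );
    if ($fp === false) {
        // Untrusted CA, hostname mismatch, expired cert etc. all land here:
        // stop the checkout / raise the monitoring alert instead of carrying on.
        throw new RuntimeException("TLS connection to {$host} failed: {$errstr} ({$errno})");
    }

    $params = stream_context_get_params($fp);
    fclose($fp);
    // OpenSSL X.509 resource (an object from PHP 8) for the server's leaf certificate
    return $params['options']['ssl']['peer_certificate'];
}

// The same policy for the cURL extension, which many gateway SDKs use.
function curl_verified_get(string $url, string $caFile): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // reject chains not rooted in $caFile
        CURLOPT_SSL_VERIFYHOST => 2,     // 2 = name must match; 0 and 1 are unsafe
        CURLOPT_CAINFO         => $caFile,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("cURL TLS failure: {$err}");
    }
    curl_close($ch);
    return $body;
}

// Usage with hypothetical host and CA bundle path (assumptions, not real values):
$cert = fetch_verified_peer_cert('gateway.example.com', 443, '/etc/ssl/certs/ca-bundle.crt');
$subject = openssl_x509_parse($cert)['subject'];
echo 'Connected; peer subject: ', json_encode($subject), PHP_EOL;
```

With these options a spoofed certificate makes `stream_socket_client()` return `false` (and cURL `curl_exec()` return `false`), so the script fails closed instead of silently talking to the attacker; the captured `peer_certificate` is what you would feed into expiry and pinning checks.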

Posted: 03/10/09, 10:05 am
by Dark Shadow
Looks like curl has a fairly simple one built in... but I'm not sure how robust it is.

http://curl.haxx.se/docs/sslcerts.html
http://curl.haxx.se/docs/caextract.html

It is also written in perl. I've got nothing against perl, but I'm far more comfortable with PHP and I would like to keep PHP coded projects as close to one language as possible. Also, although CURL is popular, I'm not sure I want to rely upon it always being there for future projects.

Posted: 03/13/09, 9:40 pm
by Gerry

Posted: 03/14/09, 1:44 am
by Dark Shadow
Yeah, I've been reading through every function regarding security on PHP.net. Seems possible enough, just how I'm going to go about it will be interesting.

No feedback so I guess I'm on my own on this one.

Posted: 04/30/09, 8:13 am
by ketchum
Dark Shadow, did you get anywhere with this? It sounds like an avenue I'd like to explore.

Posted: 05/06/09, 12:00 am
by Dark Shadow
Yes I did, however, it has been slow going and the majority of the code I had to write myself. The trick is to dump the cert to a file and then to inspect the file for information regarding the cert. That is the only way I found it would work.

Posted: 05/06/09, 4:23 pm
by Gerry
Doesn't this do most of what you wanted:
http://php.net/manual/en/function.opens ... urpose.php

It allows you to specify an array of public keys for trusted Certificate Authorities and checks that your certificate is valid for the purpose that you specify.

Posted: 05/07/09, 12:28 am
by Dark Shadow
It's close... very close, however I also wanted to check the following:

Does the cert expire within 7 days or is it already expired?
Is the cert the same cert which was there 24/48/72 hours ago?

Dumping the cert into a database was the only way to compare/contrast the current cert with a past cert.

Posted: 05/07/09, 8:37 pm
by Gerry
Well this would get you the valid from and valid to dates:
http://www.php.net/manual/en/function.o ... -parse.php

and for the cert matching, well that requires you to store it in a db, retrieve it later and compare, which is not really cert related functionality so there's no cert function for it, just regular db functions. :)

Did you use the two functions I mentioned in your code, or did you use another method?
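Added example (not code from Dark Shadow, Gerry or anyone else here) putting the two functions Gerry mentions together with the checks Dark Shadow listed: expired or expiring within 7 days, chains to a trusted CA for TLS server use, and matches the certificate seen on a previous run. The pin store is a plain array standing in for the database the thread describes, and the input is a self-signed certificate generated on the spot so the code runs offline; both are assumptions.

```php
<?php
// Added example, not from the thread. Inspects an X.509 certificate resource
// such as the 'peer_certificate' captured from a verified stream connection.

const EXPIRY_WARN_DAYS = 7;

// SHA-256 over the DER encoding: a stable value to store and compare later.
// (openssl_x509_fingerprint($cert, 'sha256') does the same on PHP >= 5.6.)
function cert_fingerprint($cert): string
{
    $pem = '';
    if (!openssl_x509_export($cert, $pem)) {
        throw new RuntimeException('openssl_x509_export failed');
    }
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $pem), true);
    return hash('sha256', $der);
}

// Returns a list of problems; an empty array means the certificate is acceptable.
// $pins maps hostname => fingerprint recorded on an earlier run (stand-in for a DB row).
// $caFile is a PEM bundle of trusted CAs, or null to skip the chain check.
function inspect_cert($cert, string $host, array $pins, ?string $caFile, int $now): array
{
    $problems = [];
    $info = openssl_x509_parse($cert);
    if ($info === false) {
        return ['certificate could not be parsed'];
    }

    // 1. Validity window: not yet valid, expired, or expiring within the warning period.
    if ($now < $info['validFrom_time_t']) {
        $problems[] = 'certificate is not yet valid';
    }
    $secondsLeft = $info['validTo_time_t'] - $now;
    if ($secondsLeft < 0) {
        $problems[] = 'certificate has expired';
    } elseif ($secondsLeft < EXPIRY_WARN_DAYS * 86400) {
        $problems[] = sprintf('certificate expires in %.1f days', $secondsLeft / 86400);
    }

    // 2. Chains to a trusted CA and is usable as a TLS server certificate
    //    (openssl_x509_checkpurpose returns true, false, or -1 on error).
    if ($caFile !== null) {
        $ok = openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, [$caFile]);
        if ($ok !== true) {
            $problems[] = 'certificate does not chain to a trusted CA for TLS server use';
        }
    }

    // 3. Pinning: compare against the fingerprint stored from a previous run.
    $fp = cert_fingerprint($cert);
    if (isset($pins[$host]) && !hash_equals($pins[$host], $fp)) {
        $problems[] = "certificate changed: stored {$pins[$host]}, now {$fp}";
    }
    return $problems;
}

// --- Constructed demo input: a self-signed certificate valid for only 3 days ---
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'gateway.example.test'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 3, ['digest_alg' => 'sha256']);

// Pretend a different certificate was recorded yesterday (hypothetical stored pin).
$pins = ['gateway.example.test' => str_repeat('00', 32)];

foreach (inspect_cert($cert, 'gateway.example.test', $pins, null, time()) as $problem) {
    echo "ALERT: {$problem}\n";
}

// On first sight of a certificate, record its pin so the next run can compare.
$pins['gateway.example.test'] = cert_fingerprint($cert);
```

Run daily from the monitoring job, this flags the two cases Dark Shadow asked about: the expiry alert fires a week ahead, and the pin comparison fires on the first run after the certificate changes, whether because it was legitimately reissued or because something in the path is presenting a different one. Passing the CA bundle as `$caFile` adds the chain check from `openssl_x509_checkpurpose()` on top.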