All geek questions in one place

How to make TLS connection with PHP on a web server and safely

Suppose I have some PHP code running inside a web server, for example, starting a simple CakePHP application. From this application, I sometimes want to connect TLS to some server to exchange some data. How is this usually done? (I have little experience with PHP.)

What PHP plugins or libraries or something else are recommended for making TLS connections? Where can I find good places? (My initial Google search queries give me a huge ratio of noise to signal.)

What are the security issues with having an X509 private key on a web server? To make a TLS connection, I will need both an X509 certificate and the corresponding private key, possibly PEM files or DER files, or a Java keystore, or something else. Will this secret key be somewhere vulnerable under the root of the website? How is this usually handled? What are the security issues, in particular, protecting the secret key that should be used to create the TLS connection? What are the best practices?

Edit: I forgot to mention that the server the PHP application is connecting to requires a client certificate. The client needs a private key to connect. In addition, the server I'm connecting to is not an HTTP server - I just need to read / write on a simple socket connection to the server (via an SSL / TLS connection).

+4
source share
1 answer

TLS is the correct name, but most people still call it SSL. In PHP, you can make this connection using CURL .

With the TLS / SSL client, you only need the public key to verify the remote host. This public key is simply public, it does not matter if it gets into the attacker. On the server side, Apache has access to both the public and private keys. These keys are protected by common file permissions. On * nix systems, these keys are usually stored somewhere in /etc/ belonging to the Apache process, and best of all, chmod 400 .

The easiest authentication method for clients is a simple username / password. You can use SSL to authenticate both the client and server. This will require you to keep the secret key somewhere where your PHP application has access, ideally outside of webroot with chmod 400 , but you can easily rename it to .php or put it in a folder with .htaccess that contains deny from all . On the server side, you can verify the client certificate using these environment variables .

If you just want to connect to TLS, not HTTP. Then you can use stream_context_set_option by setting Context Parameters :

 <?php $context = stream_context_create(); $result = stream_context_set_option($context, 'ssl', 'local_cert', '/path/to/keys.pem'); // This line is needed if your cert has a passphrase $result = stream_context_set_option($context, 'ssl', 'passphrase', 'pass_to_access_keys'); $socket = stream_socket_client('tls://'.$host.':443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context); ?>
+7
source

Source: https://habr.com/ru/post/1314374/

More articles:


All Articles