I'm about to develop a new website and will require a EV SSL certificate when the site is pushed to the production server. My question is during development I won't have an EV SSL certificate (although I could have a self signed cert if needed). If I develop my PHP site without an SSL cert then push it to my production server, is it likely to work or are there going to be a ton of issue surrounding this?
Also if I do develop locally with a self-signed SSL cert then push to the production server where it will have the EV SSL, is that like to cause any issues?
I just thought I'd clarify these few point before diving in and getting carried away. Are there any industry standards or best practices on how one should develop a site locally that will end up with a SSL certificate?
Note: I'm going to be using the Laravel framework if that makes any difference to answering this question.
If you are using Laravel 3, you can find a key in application/config/application.php for 'ssl'. If you set this to false (preferably in your dev or equivalent config), then when you generate a URL to a secure route with any of the URL helper methods (URL::to_secure, etc.), Laravel will automatically convert those links to http in that environment.
I do not know of a config option for this in L4, but what you could do is define your own config variable for it and use that in your helpers URL::to('foo', null, null, Config::get('app.ssl',true)). This way, you can set 'ssl' to false in your config to use it just like L3.
EDIT: I just caught Taylor in IRC and his explanation for the omission of the SSL config in L4 is because he recommends actually setting up SSL on your development environment as you had suggested. For development purposes, a self-signed cert should be fine.
Normally you shouldn't have any problems, switching from an HTTP to an HTTPS server. Using a self signed certificate for development is surely a good idea though.
There are two major points that can go wrong:
Your application builds absolute links starting with 'http://'. This problem you can prevent using a self signed certificate, or with building only relative URL's.
The security settings of the session require SSL (e.g. the cookie should be restricted to SSL only). This would more be a problem on the development environment and again this problem can be prevented with a self signed certificate.
Related
I deal a lot with self-signed SSL certificates as I deploy the systems in offline environments. The problem is that for example Chrome users has to deal with "dangerous site errors" etc, also if I want to even use GuzzleHttp library for connecting to any other service I have to setting secure to none. What's the best way to deal with it?
If you have a Selfsigned certificate this can be made trusted to the specific system that you use. If others from your office uses it then they may need to add this Selfsigned certificate as trusted by adding it to their system certificate store to make this trusted.
When it comes to office environment it is better to contact the Administrator and add the certificate to all the systems (certlm.msc in run for local machine / certmgr.msc for current user) so your colleagues won't get this dangerous site errors.
I have a SSL enabled eCommerce website which uses cURL for payment processing. Everything is running well but recently I learned about "CA Public Certification Bundle for cUrl" that its a good idea to use it for cURL connections.
If this is true than can someone tell me how or how is it better/different than using the standard SSL?
Doesn't the SSL already provide some kind of certification for all connections?
Any HTTPS client connected to an HTTPS server will get its certificate (in fact, it can be a certificate chain). This server certificate must then verified by the client to authenticate the server.
This is normally done by using a number of CA certificates that are configured on the client as trust anchors (i.e. this is what you trust in advance, before encountering the server certificate). The client tries build a chain between the last element of the server chain and one of the CA certificates in its trust anchors. If there is such a valid chain the server certificate is trusted.
A "CA certificate bundle" would be a set of trust anchors. You can build your own by looking for CAs you're willing to trust, or you can use an existing bundle. Most OSes or browser come with an existing bundle. cURL in itself doesn't but it can rely on a pre-defined location (set at compile time) or it also suggests to use the Firefox bundle (via a conversion mechanism). (You can override default setting via extra options, on the command line or via the API.)
Certificate Pinning (which you also mention) has nothing to do with a CA cert bundle. In fact, it's almost the opposite. Instead of relying on 3rd party trust anchors (the certification authorities), you explicitly "pin" a set of server certificates you know as directly trusted. They're not used to verify other certificates, instead, you compare the certificate you get with the exact certificate you're expecting for that host (or at least you compare public keys). This is more like having a reference mapping from server name to certificate (or to public key) and comparing what you get from that host with the reference you have. Of course, this can only work for a reasonably small set of certificates in practice, unlike the CA (PKI) approach which is designed to let you authenticate parties you have never encountered before (via a 3rd party: the CA).
How is it better/different than using the standard SSL?
Doesn't the SSL already provide some kind of certification for all connections?
Using a CA certificate bundle isn't different than using "standard SSL", it is what's commonly used for SSL/TLS connections. You often don't see it because that CA bundle is often supplied with your client (or with the OS).
Note that strictly speaking, this is orthogonal to SSL/TLS itself, which mainly just says you should authenticate the server. Certificate verification (the PKI way, via CA certificates) is defined in a different specification, also complemented by a specification on how to verify the name in the certificate (and the HTTPS specification of course).
Found a great answer here. The comment above really helped. The exact keyword I was looking for was "Certificate Pinning".
I am doing a CAS integration with a project that I am doing with my university. The final integration should be made with symfony2, however first I need to make the example code working.
I finally get working the example_simple.php example with phpCAS 1.3.2 , however the directive:
phpCAS::setNoCasServerValidation();
is the enabled one. I think I should use instead:
phpCAS::setCasServerCACert($cas_server_ca_cert_path);
However when I enable this second one (and disable the other) then the authorization does not work anymore. Here is the relevant output line error of the log:
could not open URL 'https://cas_server.fi/cas/serviceValidate?service=http%3A%2F%2Flocalhost%2Fphpcas2%2Fdocs%2Fexamples%2Fexample_simple.php&ticket=ST-115606-M1Omd1cHWzbLbmxa1nYV-cas' to validate (CURL error #60: SSL certificate problem: unable to get local issuer certificate) [Client.php:2763]
The cas server provided me two .crt files:
MYCASRootCA.crt
MYCASLinuxSUBCA.crt
And they are suppose to be installed in my system (Ubuntu 13.10). They are in different places, such a /etc/ssl/certs/MYCASLinuxSUBCA.pem but also:
/usr/share/ca-certificates/lut/MYCASRootCA.crt
/usr/share/ca-certificates/lut/MYCASLinuxSUBCA.crt
So assuming that the variable $cas_server_ca_cert_path has to have one of these .crt files or .pem dirs (such a /usr/share/ca-certificates/lut/MYCASLinuxSUBCA.crt) I cannot make it work. What I am doing it wrong? My client-server (no the cas server) is in my localhost. Is it a problem? Should I avoid use setCasServerCACert command? Why is it happening?
I've also tried to use the curl-ca-bundle.crt certificate provided by my XAMP instalation (Xampp 1.8.3).
I am a little bit lost with certificates as you can see.
I read about problems with phpCAS and recent Ubuntu versions in https://github.com/Jasig/phpCAS/issues?state=open. However I cannot make this working with the master code, even without certification (by default).
Any ideas would be appreciated...
I have found the solution asking in the github library: https://github.com/Jasig/phpCAS/issues/119
The reason is that the curl binary used by PHP in my xampp installation is different from the system's curl binary. The system one has access to /etc/ssl/certs/ certificates, but the xampp curl does not have (unless you don't indicate it, of course). By default, it searches in a special certificate-bundle-file.
Finally I have found the real certificate for my cas-server and I am using it, however maybe you want to use other proposed solution at the end of the discussion thread if you are having a similar problem.
I was looking at this question and, to try to find the mistake, went to the PHP manual where I seen those 2 options :
CURLOPT_SSH_PRIVATE_KEYFILE The file name for your private key. If
not used, libcurl defaults to $HOME/.ssh/id_dsa if the HOME
environment variable is set, and just "id_dsa" in the current
directory if HOME is not set. If the file is password-protected, set
the password with CURLOPT_KEYPASSWD.
CURLOPT_SSLKEY The name of a file containing a private SSL key.
OP of that question uses a CURLOPT_SSH_PUBLIC_KEYFILE so I guess it should uses a CURLOPT_SSH_PRIVATE_KEYFILE instead of a CURLOPT_SSLKEY, but I don't really know the difference between those options.
So here comes my question :
What is the difference between CURLOPT_SSLKEY and
CURLOPT_SSH_PRIVATE_KEYFILE ?
Well, I found the difference between SSH and SSL in this IT Security question.
Thomas Pornin answered :
SSL and SSH both provide the cryptographic elements to build a tunnel
for confidential data transport with checked integrity. For that part,
they use similar techniques, and may suffer from the same kind of
attacks, so they should provide similar security (i.e. good security)
assuming they are both properly implemented. That both exist is a kind
of NIH syndrome: the SSH developers should have reused SSL for the
tunnel part (the SSL protocol is flexible enough to accommodate many
variations, including not using certificates).
They differ on the things which are around the tunnel. SSL
traditionally uses X.509 certificates for announcing server and client
public keys; SSH has its own format. Also, SSH comes with a set of
protocols for what goes inside the tunnel (multiplexing several
transfers, performing password-based authentication within the tunnel,
terminal management...) while there is no such thing in SSL, or, more
accurately, when such things are used in SSL they are not considered
to be part of SSL (for instance, when doing password-based HTTP
authentication in a SSL tunnel, we say that it is part of "HTTPS", but
it really works in a way similar to what happens with SSH).
Conceptually, you could take SSH and replace the tunnel part with the
one from SSL. You could also take HTTPS and replace the SSL thing with
SSH-with-data-transport and a hook to extract the server public key
from its certificate. There is no scientific impossibility and, if
done properly, security would remain the same. However, there is no
widespread set of conventions or existing tools for that.
So we do not use SSL and SSH for the same things, but that's because
of what tools historically came with the implementations of those
protocols, not due to a security related difference. And whoever
implements SSL or SSH would be well advised to look at what kind of
attacks were tried on both protocols.
I am now able to answer the question without guessing :-)
I have a program written in PHP, and I'd like to make sure that login pages etc. are all served over SSL. Is there any good start to finish tutorial for doing so?
Also, does this affect my code in any way, or is it just a matter of getting a SSL cert, and setting up a server correctly?
If your html code contains absolute urls ("http://my-domain.com/...") to:
stylesheets
images
javascripts
Browsers will complain "This page contains both secure and non-secure items".
Use relative urls if you can, or link to "https://my-domain.com/..." urls.
Use free certificates
You don't have to spend money to get valid SSL certificate:
Let’s Encrypt
Let’s Encrypt is a free, automated, and open Certificate Authority.
It depends on the hosting how easy this is to setup, it could be just a checkbox.
The process is well documented on https://letsencrypt.org/
StartSSL
For more traditional certificates, you can get a "StartSSL™ Free" from StartCom.
The site also contains information on installing the certificate.
Firstly a word of warning. if you are considering using SSL its because you have something to protect. Therefore take the time to understand what you are doing every step of the way. Security (not just SSL) is a minefield even for the experienced.
I don't know of any tutorials, but there are plenty of gotcha's you have to be aware of.
Rolling your own ssl cert for testing purposes is free, but you will need to install it on your server.
Most of the time your code does not need to be any different for an ssl page or non ssl as the code itself is ssl agnostic, but as Bob says you must be careful of things like images.
Also redirects can cause popups to warn the user of redirections.
To test if the code is being called from a browser using SSL check for the SSL flag $_SERVER['HTTPS'] this should be a non empty value if SSL is being used.
$ssl_is_on = $_SERVER['HTTPS'] ? true:false;
Personally I prefer to keep my SSL code in a separate folder altogether and use apache to direct all SSL connections to that folder. that way I can be confident a script that should be protected by SSL is not called from a non SSL connection.
If you are logging them in under SSL and then redirecting them to non SSL pages you may need to account for domains and cookies
for example I always use a different domain for ssl normally https;//secure.blah.com and then redirect them to the non secure domain http;//www.blah.com so your cookie domain will need to be blah.com the default is the full domain name which means cookies for secure.blah.com won't be sent to www.blah.com and therefore your users will never be logged in.
Don't use this technique if you use a shared domain name otherwise you could have a problem with cookie information being leaked.
DC
It should not affect your code. Add modrewrite rules to your Apache config. Yes, just obtain an SSL cert (you'll need to pay to have it signed by Verisign or another certificate authority).