I want to connect to an https host using PHP cURL, but I don't want to use the certificate returned by the host or its CA path.
As I have the certificate locally, I'd like to use the local file instead of the certificate returned by the host and not rely on the CAs.
I’ve studied and searched and tried a number of things, but nothing is working except the normal default path, which gets the certificate from the host and follows the CA path.
Changing the existing host certificate is not an option.
I'm not sure if I understand you. Either I got your question wrong or you have a fundamental misunderstanding regarding SSL.
You have to use the host's certificate (which is a public key), otherwise the host won't understand what you're sending.
Related
My college downloaded cert-name.crt file from external host. Now we need to connect to web service platform, obviously using their SSL certificate. We are a bit confused by OpenSSL documentation. Research didn't help either. All we get is 'Could not connect to host' PHP exception. Just to clear things, interface worked perfectly fine over unsecured HTTP. We use pure Soap library. As an act of desperation we also tried to connect with host without verification by disabling verify_peer variable in SoapClient stream context. Please help, we are under pressure.
To get your started:
By default, PHP looks for the CA file on UNIX systems in, make sure it is readable by the PHP invoker (user via cli, Apache user, etc..), and place the .crt file here:
/etc/pki/CA
Ok, I'm sure someone is going to tell me this is a really dumb idea but please humor me.
I have a php site that is hosted using Lighttpd. I have multiple domains that resolve to my website (for example...mysite.com and mysite2.com). These sites need to use https.
When either mysite.com or mysite2.com are requested I want my php page to respond with the correct certificate. So, to clarify, when the browser gets the response from my php page it will not complain about the certificate because it will use the correct certificate.
Is this possible? How?
Thanks!
EV
By the time PHP is running the SSL handshake has already been completed by your web server, so there's no way it can do anything about the certificate.
If you're using name-based virtual hosting but you still want to use different SSL certificates, you can leverage on SNI (an extension on SSL and TLS) which is supported by most browsers and web servers (requires OpenSSL >= 0.9.8), including Lighttpd.
Currently setting up a backup solution that sends a database dump and some other files from a Wordpress network to a NAS on my LAN, via WebDAV. I have installed PHP WebDAV on my web server and the basic code to get that that to work is:
webdav_connect('http://webdav.example.com/dav', 'davuser', 'davpassword');
webdav_put('/your/nice/thing.txt', $data);
webdav_close();
The issue is, my NAS requires this connection to be done via HTTPS, so in a web browser you'd see a warning which you can ignore, but PHP gives the following warning and the code fails:
Warning: webdav_put() [function.webdav-put]: Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted in /var/www/vhosts/blah/blah/blah.php on line 5
Is there a way in which I can ask PHP to ignore this, or will I need to obtain an SSL certificate? The domain name used for accessing the WebDAV service on my NAS is one provided by Dynamic DNS if that makes a difference.
Is there a way in which I can ask PHP to ignore this, or will I need to obtain an SSL certificate?
I don't know which HTTP Layer PHP WebDAV uses (which extension are you using?), but often it's possible to configure the underlying layer to ignore certificate errors.
If you need certificate verification for security reasons, you should obtain a valid certificate.
Just for completeness as I don't like leaving things un-answered. I've decided to access my WebDAV service via SMEStorage. They provide an API which developers can use for this sort of thing:
http://smestorage.com/?p=static&page=for_developers
I'm having trouble installing a SSL certificate on a subdomain within Plesk 10.
I don't seem to have an option to add the SSL certificate to a subdomain only. If i add the cert to the base domain will the subdomain share the same certificate?
Has anyone managed to install a cert on a subdomain using plesk 10?
SSL certificates affect all Connections made to the IP it is bound to, there is no way to bind a certificate to a subdomain or a specific folder because the SSL Setup has to be made before the URL is given to the server process.
You either need to use the same SSL certificate for all domains on your server or you need a new IP and use it only for the subdomain that needs to be protected. (I believe there was a SSL Configuration Link in IP management or something...)
Multiple Certificates on a single IP is now possible using SNI:
http://download1.parallels.com/Plesk/PP10/10.2.0/Doc/en-US/online/plesk-administrator-guide/index.htm?fileName=68308.htm
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
So, I'm trying to consume a webservice using something like this:
$client = new SoapClient("some.wsdl", array('local_cert' => "cert_key.pem"));
I've done this successfully in the past with other web services that required a cert & key concatenated into the local_cert file. Now, I'm trying to consume a service that also relies on a trusted CA. This is a J2EE (Axis) webservice I'm consuming and every time I try to get opinions from the team hosting that service, they tell me that it must be a PHP issue...
The response I get from the SoapClient call is always a cannot connect. I used to be getting SSL errors, but then I realized I was using the wrong server cert, so now I at least know that I am on the right path of creating an SSL call.
What I don't know is how to make sure the CA cert gets included in that local_cert file. I have my server cert, my server cert key, and the CA cert, but is there an order in which I concatenate them in local_cert? Am I completely missing something?
Thanks in advance
Neither IIS nor Apache, from my experience, require a CA file to authenticate a client certificate for web services. You need only specify the PEM file (and install it in the local store on IIS). I would say that your code looks good. When SSL fails for some authentication reason, you will typically get Forbidden messages. Errors that say you can't connect might involve ports not being open, such as port 443 for SSL.