I am processing credit cards using a payment gateway. To POST the data to their servers, I am using cURL in PHP. I have an SSL certificate issued to my domain, to ensure all POST'ed data is encrypted. Because the SSL certificate is already installed, do I still need to use the SSL options for cURL? If so, which of the options do I need to set given my setup?

I have tried the following code unsuccessfully:

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "https://secure.paymentgateway.com/blah.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");

curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_CAINFO, getcwd().'/cert/ca.crt');
curl_setopt($ch, CURLOPT_SSLCERT, getcwd().'/cert/mycert.pem');
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'password');

curl_setopt($ch, CURLOPT_POST, $count);

curl_setopt($ch, CURLOPT_POSTFIELDS, "variables...");

$output = curl_exec($ch);
echo $output;
curl_close($ch);
+1  A: 

Well, you already disabled the verifier (which I don't recommend): curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); This opens you up to man-in-the-middle attacks.

Here's a simple tutorial that might help you

http://developer.paypal-portal.com/pdn/board/message?board.id=ipn&message.id=12754#M12754

Stanislav Palatnik
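
A hardened version of the request discussed above, as an added example that is not code from the question, the answer or the linked tutorial. The certificate installed on your own site protects visitors connecting to you; this outbound call is protected by cURL verifying the gateway's certificate. The function name gateway_post, the field names and the optional CA bundle path are assumptions; the URL is the one from the question.

```php
<?php
// Added example (hypothetical helper, not from the original post).
// POSTs form fields over TLS with certificate verification left ON.
function gateway_post(string $url, array $fields, ?string $caBundle = null): string
{
    // Refuse anything that is not HTTPS before any data leaves the process.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Refusing to send card data over a non-HTTPS URL');
    }

    $options = [
        CURLOPT_SSL_VERIFYPEER => true,             // validate the chain against trusted CAs
        CURLOPT_SSL_VERIFYHOST => 2,                // certificate name must match the host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // no downgrade to another protocol
        CURLOPT_FOLLOWLOCATION => false,            // do not replay the POST to a redirect target
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,             // return the body instead of echoing it
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ];
    if ($caBundle !== null) {
        // Only needed when the default CA store cannot validate the gateway.
        if (!is_readable($caBundle)) {
            throw new InvalidArgumentException('CA bundle is not readable');
        }
        $options[CURLOPT_CAINFO] = $caBundle;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    $body = curl_exec($ch);
    if ($body === false) {
        // Verification failures end up here; fail closed, never retry with checks off.
        throw new RuntimeException('Gateway request failed (' . curl_errno($ch) . '): ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Gateway returned HTTP $status");
    }
    return $body;
}

// Offline check with constructed input: a plain-HTTP URL is rejected before any request.
try {
    gateway_post('http://secure.paymentgateway.com/blah.php', ['amount' => '1.00']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

CURLOPT_SSLCERT and CURLOPT_SSLCERTPASSWD from the question are client-certificate options; they belong in the request only if the gateway requires the client to authenticate with a certificate.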