tags:

views:

46

answers:

1
+2  Q: 

How to make TLS connection from PHP in web server, and safely

Suppose I have some PHP code running inside a web server, for example, running a simple CakePHP app. From this app, I want to occasionally make a TLS connection out to some server to exchange some data. How is this typically done? (I have little experience with PHP.)

What PHP plug-ins or libraries or whatever, are recommended to accomplish TLS connections? Where are some good places to start looking? (My initial Google searches give me a huge ratio of noise to signal.)

What are the security issues involved with having the X509 private key sitting on the web server? To make a TLS connection out, I'm going to need both the X509 certificate and the corresponding private key, as perhaps PEM files, or DER files, or in a Java keystore, or whatever. Is that private key going to be sitting somewhere vulnerable under the web root? How is this typically handled? What are the security issues, specifically, of securing the private key that is to be used to make a TLS connection out? What are the best practices?

Edit: I forgot to mention that the server that the PHP app connects to requires a client certificate to be presented. The client does need the private key to connect. Also, the server I am connecting to is not an HTTP server -- I just need to read/write on a plain socket connection to the server (over the SSL/TLS connection).

+2  A: 

TLS is the proper name, however most people still call it SSL. In PHP you can make this connection using CURL.

With a TLS/SSL client you only need the public key to verify a remote host. This public key is just that public, it doesn't matter if it gets leaked to an attacker. On the server side Apache has access both the public and private key. These keys are protected using normal file access privileges. Under *nix systems these keys are commonly stored somewhere in /etc/, owned by the Apache process and chmod 400 is best.

The easiest authentication method for clients would be a simple username/password. You can use SSL to authenticate both the client and server. This would require you to store the private key somewhere where your PHP app has access, ideally outside of the webroot with a chmod 400, but you could easily rename it to .php or put it in a folder with a .htaccess that contains deny from all. On the server side you can verify the clients certificate using these environmental variables.

If you just want a TLS connection and not an HTTPs. Then you can use fsockopen by setting the Context Options:

<?php 
$context = stream_context_create(); 
$result = stream_context_set_option($context, 'tls', 'local_cert', '/path/to/keys.pem'); 
$result = stream_context_set_option($context, 'tls', 'passphrase', 'pass_to_access_keys'); 

$socket = fsockopen('tls://'.$host, 443, $errno, $errstr, 30, $context); 
?>

NOTE: You maybe have to use stream_socket_client() instead of fsockopen() depending on your version of PHP.

Rook  2010-06-30 21:54:21
My client *does* need a private key because it needs to present a client certificate to the server. In that case, isn't it best to keep it entirely out of the web root, and then, a PHP script can access it but it won't be compromised by the web server (that the PHP script runs under)?Also, CURL doesn't let me send an arbitrary data stream, does it? It looks to be like CURL is only useful if I am connecting to an HTTP server, or an FTP server, which I am not. Is there a similar library that is commonly used for simple data streams?
Jim Flood  2010-07-01 18:49:27
@Jim Flood PHP must have access to the certificate, if your PHP application gets owned then so does your certificate, there is no way around this. CURL should be used for HTTPs, if you just want the layer 4 connection then you can use fsockopen(), check my updates.
Rook  2010-07-01 19:02:50
@The Rook I see what you mean about the risk to the private key since PHP has to have access. As far as fsockopen, my LAMP install has PHP5 and fsockopen no longer has "the sixth parameter", but I did find stream_socket_client which works great with local_cert, cafile, and verify_peer in 'ssl' options (not 'tls'). Could you note that in your answer? Thanks.
Jim Flood  2010-07-01 22:47:17
I'm going to go ahead and accept this answer even though the fsockopen solution does not work for PHP5. If you are reading this to solve a similar problem and you are using PHP5 then look for stream_socket_client and use that similar to how this answer uses fsockopen, and use 'ssl' in place of 'tls' in the stream_context_set_option.
Jim Flood  2010-07-13 17:11:40
@Jim Flood Cool I'm glad we figured that out.
Rook  2010-07-13 18:26:21

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases