curl support for client authentication

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

surya_prakash
Forum Newbie
Posts: 1
Joined: Thu Jun 04, 2009 3:24 am

curl support for client authentication

Post by surya_prakash »

Hi all,

I need to fetch monitoring data from a website by logging into it using curl. It is working fine if client authentication is not enabled. If client authentication is enabled, I am not able to log in to the website. By client authentication I mean that my website gives access only to users who have client certificates installed on their machines.

I enabled the following options, still in vain:

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, TRUE);
// 2 = check that the certificate's name matches the host; 1 (TRUE) should not be used
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($curl, CURLOPT_CAPATH, '/usr/local/apache/conf/ssl.crt');
curl_setopt($curl, CURLOPT_CAINFO, 'ca.crt');

Location of my Root CA certificate is /usr/local/apache/conf/ssl.crt

Thanks,
prakash

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: curl support for client authentication

Post by kaisellgren »

Ah, client certificates. I love them. :)

Hmmh, does cURL give you any errors?

The way the client certificate system works is that you "install" the certificate on your computer/browser, and then when you try to connect to the target site, the website requests the certificate from the client through TLS, and if the client submits the right certificate, he gets logged in.

I don't think you have chosen the right certificate, have you? "/usr/local/apache/conf/ssl.crt" is not the client certificate, is it?

I'm not following you, why would you need to provide CA details? It should be enough to send the client certificate alone (that you do not seem to be doing).

EDIT: Maybe you should play around with CURLOPT_SSLCERT and its relatives.

Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: curl support for client authentication

Post by Weirdan »

kaisellgren wrote: "I'm not following you, why would you need to provide CA details? It should be enough to send the client certificate alone (that you do not seem to be doing)."

You need to provide the CA certificate storage path to curl for it to be able to check the identity of the host it connects to. SSL authentication works in both directions (I guess you knew it, just got confused).

kaisellgren wrote: "EDIT: Maybe you should play around with CURLOPT_SSLCERT and its relatives."

CURLOPT_SSLKEY might also be required.

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: curl support for client authentication

Post by kaisellgren »

Weirdan wrote: "You need to provide CA certificate storage path to curl for it to be able to check identity of the host it connects to."

Oh, yeah. Of course, the handshake. :crazy:

Which was one of the weaknesses in SSLv2. :P
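The combination the replies point to, as an added example that is not part of the original thread: the CA options let curl verify the server, while CURLOPT_SSLCERT and CURLOPT_SSLKEY present the client certificate, and curl_error() answers the "does cURL give you any errors?" question. The function name, URL and file paths are hypothetical placeholders; PEM files and PHP's openssl extension are assumed.

```php
<?php
// Added example: function name, URL and paths are hypothetical placeholders.
function fetchWithClientCert(string $url, string $caFile, string $certFile,
                             string $keyFile, ?string $keyPass = null): string
{
    // Fail early with a clear message instead of an opaque handshake error.
    foreach ([$caFile, $certFile, $keyFile] as $path) {
        if (!is_readable($path)) {
            throw new RuntimeException("Cannot read $path");
        }
    }
    // A certificate paired with the wrong private key is rejected by the server,
    // so check the pair locally before connecting.
    $key = ['file://' . realpath($keyFile), (string) $keyPass];
    if (!openssl_x509_check_private_key('file://' . realpath($certFile), $key)) {
        throw new RuntimeException('Private key does not match the client certificate');
    }

    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        // Server authentication: verify the host's certificate chain and name.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caFile,
        // Client authentication: the certificate and key the server requests.
        CURLOPT_SSLCERT        => $certFile,
        CURLOPT_SSLKEY         => $keyFile,
    ]);
    if ($keyPass !== null) {
        curl_setopt($curl, CURLOPT_SSLKEYPASSWD, $keyPass);
    }

    $body = curl_exec($curl);
    if ($body === false) {
        // Surface the TLS or transport error rather than returning an empty page.
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($curl), curl_error($curl))
        );
    }
    return $body;
}

try {
    echo fetchWithClientCert('https://monitor.example.com/status',
        '/path/to/ca.crt', '/path/to/client.crt', '/path/to/client.key');
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
}
```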