How to use PHP's OpenSSL functions? How does SSL work genera

Post by kaisellgren »

Hi,

My topic title was too long, so it ended with a broken word. The correct ending is "How does SSL work in general?".

Anyway. I've tried to set up an SSL-protected PHP page, with trial and error. Nothing seems to have worked. Actually, I haven't managed to do much, as I am no SSL expert (hopefully I'll be closer to it soon :]).

I do not understand the basics behind keys, signs, and other functions that PHP uses: http://fi.php.net/manual/en/ref.openssl.php

Can someone help me with this? I would like to start with at least a little code; starting from scratch does not seem like a good choice for me right now...

The PHP OpenSSL functions barely have any examples or user comments, and Googling for help is hard, too. =/

Re: How to use PHP's OpenSSL functions? How does SSL work genera

Post by Christopher »

To have SSL encrypted pages you need to configure your webserver to deliver pages using HTTPS. What webserver are you using?
(#10850)

Re: How to use PHP's OpenSSL functions? How does SSL work genera

Post by kaisellgren »

arborint wrote: To have SSL encrypted pages you need to configure your webserver to deliver pages using HTTPS. What webserver are you using?
I have Apache 2.2, PHP, MySQL, SMTP, PostgreSQL, Oracle and SQL Server running on my personal computer at home, but my VPS (virtual private server, root access, ssh, etc.) also has Apache, but I'm not sure which version. I did install OpenSSL with the VDS Manager program they have, and I tried setting everything up correctly, and I used this code:

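Code:

<?php
// Redirect any request that did not arrive on port 443 to the HTTPS URL of the same page.
function forceSSLConnection() {
    if ($_SERVER['SERVER_PORT'] != "443") {
        $url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF']
             . ($_SERVER['QUERY_STRING'] ? '?' . $_SERVER['QUERY_STRING'] : '');
        header("Location: $url");
        // PHP_SELF and QUERY_STRING come from the request, so escape the URL before printing it as HTML.
        $safeUrl = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        echo "Your browser does not support automatic redirection. <a href='$safeUrl'>Click here</a>";
        die();
    }
}
forceSSLConnection();
echo <<<HTML
<form method="post">
<input type="text" />
</form>
HTML;
?>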
Just a test. And I got a page reporting that the SSL was not proper, it couldn't be trusted T_T

I have 2 own IPs btw, not shared...

Re: How to use PHP's OpenSSL functions? How does SSL work genera

Post by Christopher »

Apache needs mod_ssl or similar installed so it can serve pages with HTTPS. What exactly do "SSL was not proper" and "it couldn't be trusted T_T" mean? Is that the error message?
(#10850)

Re: How to use PHP's OpenSSL functions? How does SSL work genera

Post by kaisellgren »

arborint wrote: Apache needs mod_ssl or similar installed so it can serve pages with HTTPS. What exactly do "SSL was not proper" and "it couldn't be trusted T_T" mean? Is that the error message?
Let me tell you what I have done so far.

I am developing a script and I would *need* to allow an SSL-protected login script.

I have applied the OpenSSL extension and installed the app. It runs fine. I have created the following for development reasons: cacert.pem, key.pem, cert.pem. I do not know what each of them is for, but I think they are all needed.

I have not yet done that SSL thing for Apache, though. I'll do it right away.

I was playing with this code:

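Code:

$data = 'this should be safe';

// Read the PEM certificate
$fp = fopen('cert.pem','r'); // is in the same dir right now
$cert = fread($fp,8192);
fclose($fp);

// Extract the public key from the certificate
$pk = openssl_get_publickey($cert);

// Encrypt $data with a random key; that key, encrypted with $pk, is returned in $envkeys
openssl_seal($data,$sealed,$envkeys,array($pk));

openssl_free_key($pk);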
And the $sealed now has the sealed data... but if I output it to the client, the client sees just the sealed data. How can I make the browser decrypt it? This is the point I do not follow ... help?

EDIT: I now have Apache running with mod_ssl. What should I do next?
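
The seal-and-open round trip behind the snippet in the post above, as an added example that is not part of the thread: openssl_seal() builds an envelope for whoever holds the matching private key, who opens it with openssl_open(); this is separate from the HTTPS encryption that Apache with mod_ssl performs for the browser. The key pairs are generated in memory instead of being read from cert.pem, and the function names newKey, sealFor and openWith are hypothetical.

```php
<?php
// Added example, not code from the thread. Keys are throwaway and generated in memory.

function newKey()
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    return $key;
}

// Seal $data for one recipient. Returns everything the recipient must be sent.
function sealFor($recipientKey, string $data): array
{
    // Only the public half is needed to seal.
    $publicPem = openssl_pkey_get_details($recipientKey)['key'];
    $public = openssl_pkey_get_public($publicPem);
    $len = openssl_seal($data, $sealed, $envKeys, [$public], 'AES-256-CBC', $iv);
    if ($len === false) {
        throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
    }
    // $sealed     : the data, encrypted with a random AES key
    // $envKeys[0] : that AES key, encrypted with the recipient's RSA public key
    // CBC gives confidentiality only; the envelope carries no integrity check.
    return ['sealed' => $sealed, 'envKey' => $envKeys[0], 'iv' => $iv];
}

// Open an envelope with a private key. Returns the plaintext, or null on failure.
function openWith($privateKey, array $envelope): ?string
{
    $ok = openssl_open($envelope['sealed'], $plain, $envelope['envKey'],
                       $privateKey, 'AES-256-CBC', $envelope['iv']);
    return $ok ? $plain : null;
}

$message   = 'this should be safe';
$recipient = newKey();   // stands in for the holder of the private key
$stranger  = newKey();   // any other party

$envelope = sealFor($recipient, $message);

// The sealed bytes are ciphertext, not the original string.
var_dump($envelope['sealed'] !== $message);
// The private-key holder recovers the message.
var_dump(openWith($recipient, $envelope) === $message);
// A different private key does not recover it.
var_dump(openWith($stranger, $envelope) === $message);
```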