I’m working on an open source PHP application. The application may need to connect to my server, to transfer sensitive data. I have SSL installed on my server and I think I have set it up properly, but I’m hoping someone here can confirm.
The application will be used on other users' servers, so it will be server-to-server communication.
I will treat users' servers as clients when connecting to my server. My server will never connect to their server, so they don't need SSL on their end (right?).
I use cURL to make the calls (to my server) and POST data during the connection. So I cURL to an https address.
Now I thought that was it. Once I cURL an https address, everything is secure. I can send whatever I like (credit card numbers, passwords, etc.) securely, without worrying about the middle man. End of story.
But after reading around, I've noticed that some people are doing other stuff in their cURL session, like including a certificate (.crt file):
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // reject certificates not chained to a trusted CA
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // require the certificate to match the host name
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt"); // the CA file used for the check
Is that safe for open source? Should I do it too? Or am I safe with what I’ve got?
Depending on the system you’re installing cURL on, it may or may not have enough information to verify an SSL certificate (this can be improved by linking intermediate and root certificates into your website certificate). You can also read it here: http://curl.haxx.se/docs/sslcerts.html
It sometimes makes sense to ship a bundle explicitly, especially since cURL tends to get shipped with old certificate bundles. You can download a more recent one here (which is taken from the Firefox source code): http://curl.haxx.se/docs/caextract.html
If your software will exclusively talk to your own server, you could also ship a bundle containing only your own public certificate. This would allow you to use self-signed certificates, which is free 🙂
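Putting the question's three options and the answer's shipped-bundle advice together, here is an added example (not code from the question, the answer, or any project) of a PHP function that POSTs to your own server over HTTPS and refuses to send anything unless the server certificate verifies against a CA file you ship with the application. The URL https://api.example.com/collect, the bundle path certs/my-server-ca.pem, the function name and the payload fields are all assumptions made for the example; the bundle can be the cacert.pem extract the answer links to, or, as the answer suggests, just your own self-signed certificate (or the private CA you issued it from) when the application only ever talks to your server.

```php
<?php
// Added example, not from the original question or answer.
// Assumptions (not on the page): the endpoint URL, the bundle path
// certs/my-server-ca.pem shipped next to this file, and the payload keys.

function postSecurely(string $url, array $fields, string $caBundle): array
{
    if (!is_readable($caBundle)) {
        // Without the bundle we cannot verify anyone; fail closed instead of
        // silently falling back to whatever the system happens to trust.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    if (strpos($url, 'https://') !== 0) {
        // Refuse plain http so sensitive data never leaves the box in clear text.
        throw new InvalidArgumentException("Refusing non-HTTPS URL: $url");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // reject certs not chained to a CA in the bundle
        CURLOPT_SSL_VERIFYHOST => 2,         // require the cert to match the host name in $url
        CURLOPT_CAINFO         => $caBundle, // trust only what we ship, not the system store
        CURLOPT_FOLLOWLOCATION => false,     // a redirect could downgrade the request to http
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false) {
        // Certificate failures (CURLE_PEER_FAILED_VERIFICATION, CURLE_SSL_CACERT)
        // end up here: the handshake never completed, so no POST data was sent.
        throw new RuntimeException("cURL failed ($errno): $error");
    }
    return ['status' => $status, 'body' => $body];
}

// Constructed sample call; the payload values are placeholders, not real secrets.
try {
    $result = postSecurely(
        'https://api.example.com/collect',
        ['account' => 'demo', 'token' => 'not-a-real-secret'],
        __DIR__ . '/certs/my-server-ca.pem'
    );
    echo "HTTP {$result['status']}\n";
} catch (Throwable $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Two points worth checking when you adopt this: CURLOPT_SSL_VERIFYPEER must stay true (turning it off to make a certificate error go away is exactly what hands the connection to the middle man the question worries about), and CURLOPT_CAINFO should point at a file inside your distribution rather than a system path, so every user's server verifies against the same, current bundle regardless of how old their cURL build is.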