Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve been looking around for a way to check if a user has connected to my website using the right (my server’s) SSL certificate in PHP. I guess my question is similar to this one,
except that I’m not implying the MITM.
I’ve looked around but didn’t find a way to get the info from the cert used in the current connection and compare it to the servers cert. This to prevent users connecting with other certs.
How would one go about doing this?
Short Answer
You don’t.
Longer Answer
This is only possible with client certificates.
Your webserver identifies you to the client, not PHP. PHP never sees this and no environment variables are sent/passed to PHP aside from
HTTPS=on. You don’t verify yourself to yourself as it would always evaluate true. The question you linked to already has the answer, and man in the middle doesn’t mean much. You are effectively asking for a solution to any and all SSL Man in the Middle attacks with a definitive PHP script.There is no such thing as being able to connect to your host with another SSL certificate, unless something Diginotar-esque happens to your Certificate Authority.
If you want assurance that they really meant to connect to your site, simply just check the host the client connected to. If they hit your IP, and requested a certificate from it, and then verified it with your CA, they will continue with the connection, and connect to
$_SERVER["SERVER_NAME"]and$_SERVER["HTTPS"] == "on"But, honestly, why are you worried about an incorrect SSL certificate? It will be flagged by the user’s PC. I’d be more worried about session decrypting.