I'm using PHP 7.0 from ppa:ondrej/php on Ubuntu 14.04. I'm interacting with an API and would like to ensure that my PHP/CURL code is interacting with the right server and securely (without any risk of snooping, MITM, tampering, etc.).
I've done a bit of research and do not see any complete set of advice on this topic.
Here are a few things I've noticed about the default configurations:
The openssl.cafile and openssl.capath values are empty.
I believe that CURLOPT_SSL_VERIFYPEER defaults to TRUE and that a default cert bundle is provided by cURL (14.04 has cURL 7.35 and this is true since 7.10).
It appears many of the examples of "bad" ssl are things that browsers and the security world at-large consider insecure, but PHP/CURL's default configuration accepts.
Using badssl.com and a script I wrote I began testing which bad SSL configs would trigger errors and I am surprised how many of them do not trigger errors.
A few possible solutions:
- Trace down configuration options to make php/curl more strict in what it accepts. This might not be completely possible.
- Add more code in PHP to inspect the certs more closely (feels bad)
- Perhaps it's OK that PHP/CURL don't identify all of these as invalid
I'm looking for answers on any of these points :)
0 Answers