Using SSL with cURL

miraclemaker

Programmer
Oct 16, 2002
127
GB
I have an SSL certificate installed on my website, I have cURL installed on the webserver with OpenSSL, now if I want to POST data securely to a third party website (to a https: address) how on earth do I get cURL to use my SSL certificate and POST encrypted data?

I've found the following commands for use with cURL:

Code:
curl_setopt ($ch, CURLOPT_SSLCERT, "privkey.pem");//Pass a string containing the filename of PEM formatted certificate

curl_setopt ($ch, CURLOPT_SSLCERTPASSWD, "pass");//Pass a string containing the password required to use the CURLOPT_SSLCERT certificate.

Where do I get this PEM formatted certificate file from - and what's this about a password? If anyone could help clear this up for me it would be greatly appreciated.

Thank you very much.
 
HTTPS can be configured at the web server to use a web-server-supplied signed certificate (from Verisign or Thawte, for example) or a web-client-supplied certificate.

You only need those CURL settings if the foreign server in question requires the use of client-supplied certificates. Otherwise, with OpenSSH installed, you only have to tell CURL the site is HTTPS.

I have a FAQ in this forum which may be helpful: faq434-2502
Want the best answers? Ask the best questions: TANSTAAFL!
 
That's brilliant thanks.

I have read your FAQ before now but I wasn't clear on this point.

So in summary: I connect to a remote https:// site using cURL and it will be clever enough to encrypt my outgoing data using my web server SSL certificate?

Is there anything I have to set up in order for this to happen or will it take place automatically?

Thanks for your help.
 
I think a little theory is in order.

SSL uses public-key cryptography for a server and client to exchange a temporary shared secret key securely.

When a web server administrator sets up HTTPS, he generates a public-key encryption keypair, and sends the public key to some signing authority (Verisign, Thawte, etc). The signing authority, after doing some verification of the key-user's credentials, signs the key -- verifying that the key is being presented by a valid user. The web-server administrator then sets up HTTPS using the signed public key.

When CURL (or any SSL-able client in general) connects to an HTTPS source, after some handshaking it receives the signed public key of the foreign server. Using that key, the client then creates a temporary secret key and sends that secret key to the server after encrypting it using the server's signed public key. Since only the web server can decrypt the message containing the secret key (using its private key), only it and the web client can know what that key is.

Now the server and client have a temporary shared secret key they can both use to encrypt their communications in both directions.


Thus, CURL will not use your certificate -- you don't need a certificate of any kind on your end to communicate securely through HTTPS. It uses the certificate of the foreign server.
Want the best answers? Ask the best questions: TANSTAAFL!
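
Added example, not code posted by anyone in this thread: a PHP function that POSTs to an https: address as the answers above describe, relying on the remote server's certificate and applying the CURLOPT_SSLCERT options from the question only when the remote server requires a client certificate. The function name, form fields and file paths are hypothetical.

```php
<?php
// Added example: POST over HTTPS with PHP's cURL extension.
// https_post(), the form fields and any file paths are hypothetical.

function https_post(string $url, array $fields, ?array $clientCert = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
        // Check the remote server's certificate chain and host name.
        // Both are libcurl defaults; they are set explicitly so that a
        // certificate error is fixed at its cause, not by disabling checks.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);

    // Needed only if the remote server demands a client certificate.
    if ($clientCert !== null) {
        curl_setopt($ch, CURLOPT_SSLCERT, $clientCert['cert']); // PEM certificate
        curl_setopt($ch, CURLOPT_SSLKEY, $clientCert['key']);   // PEM private key
        if (isset($clientCert['password'])) {
            // Passphrase protecting the private key, if it has one.
            curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $clientCert['password']);
        }
    }

    $body = curl_exec($ch);
    $result = [
        'ok'     => $body !== false,
        'status' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'error'  => curl_error($ch), // e.g. a certificate verification failure
        'body'   => $body === false ? '' : $body,
    ];
    curl_close($ch);
    return $result;
}

// Command-line use: php post.php https://example.com/endpoint
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $r = https_post($argv[1], ['order_id' => '1001', 'amount' => '9.99']);
    echo $r['ok'] ? "HTTP {$r['status']}\n" : "Transfer failed: {$r['error']}\n";
}
```

If the transfer fails with a certificate error, the usual cause is a missing or outdated CA bundle on the web server; pointing CURLOPT_CAINFO at a current bundle keeps verification on.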
 