Code does not work without disabling SSL

Please take a look at this code:

    <?php
    $url = "the_source_url";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    $result = curl_exec($ch);
    print_r($result);
    ?>

This page is available for my Android application to get the data from some source. The URL returns the JSON data that I print, and then in my application I process the data and display it on the screen. This works great for me right now (I'm still in the testing phase).

I read on SO that disabling SSL (which I did on line 6) is risky and not recommended. However, I was not able to get my script to work unless I turned it off.

How can I make it work without disabling SSL? Or how can I eliminate the risk?

0
2 answers

Disabling the certificate will make you vulnerable to a man-in-the-middle attack; you can download using the certificate:

    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt ($ch, CURLOPT_CAINFO, "PATH_TO_CERTIFICATE/cert.pem");

To get the certificate, follow this guide.

Then click "View Certificate":


Click the Details tab on the certificate's page and select the certificate at the top of the hierarchy. This is the CA certificate.


Then click "Export" and save the CA certificate to the location of your choice, making sure that you select the X.509 (PEM) certificate as the type / format of the save.


Image Source: http://unitstep.net/

+2
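
The settings from the answer above as a complete function, added here as an example and not code from the original answers: verification stays on, cURL is pointed at the exported CA file, and cURL's error text is reported so a verification failure can be diagnosed rather than switched off. `fetchJsonVerified()`, the command-line arguments and the timeouts are assumptions; the PEM check needs PHP's openssl extension.

```php
<?php
// Added example: fetch JSON over HTTPS with certificate verification left on.
// fetchJsonVerified() and its two arguments are hypothetical names for illustration.

function fetchJsonVerified(string $url, string $caFile)
{
    // Fail early if the exported file is missing or is not a PEM certificate.
    $pem = @file_get_contents($caFile);
    if ($pem === false || @openssl_x509_read($pem) === false) {
        throw new RuntimeException("CA file is not a readable PEM certificate: $caFile");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http://
        CURLOPT_SSL_VERIFYPEER => true,            // chain must lead to $caFile
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the host
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // Keep cURL's message: it states why the TLS check or transfer failed.
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }

    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }

    // Throws JsonException on malformed JSON instead of returning null.
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Command-line usage: php fetch.php <https-url> <path-to-ca.pem>
if (PHP_SAPI === 'cli' && $argc === 3) {
    try {
        print_r(fetchJsonVerified($argv[1], $argv[2]));
    } catch (Throwable $e) {
        fwrite(STDERR, $e->getMessage() . PHP_EOL);
        exit(1);
    }
}
```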

You need to add the CURLOPT_SSL_VERIFYHOST option and set it to false:

 curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, FALSE); 

This disables SSL host verification so that you can access a host that uses a self-signed certificate. If the host has a valid certificate, check @Baba's answer.

Security questions:

The connection is encrypted and cannot be sniffed easily. But you cannot make sure that the server is really the server. Thus, a hacker could sniff the traffic using a man-in-the-middle attack. If you want to make sure, you have to follow @Baba's path and import the certificate from the server.

0

Source: https://habr.com/ru/post/1482123/

