Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Rob Allen:
SSL certificate verification on PHP 5.6
Dec 23, 2014 @ 12:15:41

Rob Allen has a quick tip posted today about SSL certificate verification in PHP 5.6 and things that need to be updated thanks to recent improvements in PHP's SSL handling.

I recently updated my local OS X Zend Server installation to PHP 5.6 and when I ran composer self-update, I got this error message: "The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed" [...] Googling around, I finally worked out that there have been various SSL improvements in PHP 5.6 and that the problem was that it couldn't find any OpenSSL certificates on my system. This isn't a total surprise as OS X has been moving away from using OpenSSL internally in favour of its own libraries.

To resolve the issue he found where PHP was looking for certificates (using openssl_get_cert_locations) and how a quick "brew install" of the needed OpenSSL handling resolved the issue. Then, in the php.ini file a quick update to the "openssl.cafile" path points it to the right certificate.

tagged: certificate validation ssl openssl php56 tip fix

Link: http://akrabat.com/php/ssl-certificate-verification-on-php-5-6/

SitePoint Web Blog:
HTTPS Basics
Apr 02, 2014 @ 09:06:08

If you're relatively new to web development, you might not know exactly what kinds of benefits that using an HTTPS connection might provide. In this new article from the SitePoint PHP blog, Mufleeh Sadique covers some of the basics of HTTPS and gives some reasons why to "go HTTPS" in your applications.

Hypertext Transfer Protocol Secure or Hypertext Transfer Protocol over SSL is used for secure communication over a network, or perhaps more importantly – over the Internet. You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS. [...] If you ever wondered whether and how to go HTTPS with your website, we’ll attempt to clear this up in this article by briefly describing what HTTPS is about, and why and how to implement it.

He's broken the rest of the article up into a few different sections. The first answers the question "why HTTPS" with a few reasons including the most important - encrypted communication. In the second section, he starts showing you how to "go HTTPS" using a self-signed certificate to start. With the certificate installed, he moves into the last part, ensuring your application is always using the HTTPS version and redirecting anything else.

tagged: https introduction why how selfsigned certificate install configure

Link: http://www.sitepoint.com/https-basics

PHPMaster.com:
Create Digital Tickets with PHP and Apple Passbook
May 30, 2013 @ 09:11:36

On PHPMaster.com today there's a new tutorial showing you how to create digital tickets using PHP and the Apple Passbook service.

Why should we PHP warriors care at all about Apple’s Passbook? Well first because Apple made this technology open (well, sort of…), second because it can be used outside iOS devices, and third because it involves a lot of well-known and loved technologies like JSON and RESTful APIs. I’d also add that it’s a very interesting piece of technology, but that’s my personal opinion. In this article I’ll show you how I built a sample web application that creates and distributes passes in the form of a “PHPMaster Membership Card”. It is not a full-featured product, but it’s a nice base to build on for more serious real world uses.

He talks about the concept of a "pass" (a digitally signed document that can be easily distributed) and the types that the Apple service lets you make. His example (sample code here) is Silm based and Idorim & Paris for the data handling. He talks some about the certificate handling that's involved and the structure of the application including the certs, application code, templates and images. He then works through the code step-by-step and explains what each part does and how it connects with Apple's service to generate the pass.

tagged: apple passbook tutorial ticket digital signed certificate

Link: http://phpmaster.com/create-digital-tickets-with-php-and-apple-passbook

Artur Ejsmont's Blog:
How to properly secure remote API calls over SSL from PHP code
Sep 19, 2011 @ 13:56:00

Artur Ejsmont has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on how to properly secure SSL API calls for your PHP application.

Lets make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but i am enraged by how popular this issue is online. If you ask why i suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common - a server serves up SSL pages but doesn't actually verify the certificate in the process. He gives a bad example of how some scripts handle this issue using the CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to turn off this verification - a very bad idea. To protect yourself from any kind of man-in-the-middle or DNS hijack issues, you should leave these on.

tagged: ssl certificate api call protect verification

Link:

Vanessa Vasile's Blog:
Simple Way to Parse an x509 Certificate with PHP
Nov 04, 2010 @ 11:19:34

In a new post to her blog, Vanessa Vasile has a reminder about a built-in PHP function that can help quite a bit when you're working with SSL certificates - openssl_x509_parse.

PHP has a nifty little function for parsing an x.509 SSL certificate into an array to easily pull out the elements: openssl_x509_parse. Essentially, all you need to do is load up the contents of the certificate, either through a file or POST value, and enclose it in the array.

She includes a code snippet that pulls in the certificate contents, calls the function and puts it into an array that's easy to loop through and get values and subvalues from the results. The PHP.net manual page doesn't have a documented list of the return values because a constant result hasn't been defined. You'll need at least PHP 5.2 to use the function.

tagged: parse x509 certificate parse tutorial

Link:

PHPBuilder.com:
Write an Ajax-driven Login Application in PHP Using SSL/TLS
Sep 09, 2010 @ 10:29:03

On the PHPBuilder.com site today there's a new tutorial posted from Octavia Anghel about creating a login for your site that's powered by Ajax and uses a bit more security than normal. It includes hooks to use the Ajax Server Secure Layer or an OpenSSL connection.

In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS in two ways either using aSSL (Ajax Server Secure Layer), a library that implements a technology similar to SSL without HTTPS or a simple Ajax and OpenSSL, an open source implementation of the SSL and TLS protocols.

They start with the aSSL method and link you to a download of the tool as well as some sample code to help you get started passing data to it via the session. The second example shows the OpenSSL method, mostly consisting of checking on the server side of the certificate that's passed along with the request.

tagged: ssl tls secure certificate assl openssl ajax

Link:

Juozas Kaziukenas' Blog:
PayPal payment with encryption
Feb 23, 2009 @ 12:04:28

Juozas Kaziukenas points out a new class in his latest blog post that can be used to make secure connections over to PayPal (encrypted) using their Encrypted Website Payment method.

In my situation, PayPal is only used to pay for orders - cart and order setup is done in our shop, so I do not want to have additional problems with users changing orders numbers, amount to be paid, etc. [...] Only PayPal knows how to decrypt it, because it uses public key encryption technology (you need to upload your certificate in PayPal account).

Some sample usage code is included as is a link to the class itself. His example takes a payment transaction including the item name, amount and currency type and sends it off to the PayPal servers in a connection protected by certificates.

tagged: paypal encryption payment secure certificate gateway tutorial class

Link:

Community News:
O'Reilly Offers PHP/SQL Certificate Series
Nov 14, 2008 @ 12:03:35

The O'Reilly School of Technology now offers a series of PHP certification classes developers can attend to learn more about PHP and SQL on a variety of projects.

The PHP/SQL Programming Certificate Series is comprised of four courses covering beginning to advanced PHP programming, beginning to advanced database programming using the SQL language, database theory, and integrated Web 2.0 programming using PHP and SQL on the Unix/Linux mySQL platform.

They currently offer three courses:

Another class will be released in December 2008 - PHP/SQL 3: Seamless Web 2.0 Integration . The classes come it at a bit under $400 USD and include access to an online sandbox for testing (complete with web server, unix-shell and database installations). Completion of all four courses earns the student a certification from the University of Illinois's Professional Development department.

tagged: oreilly certificate series sql universityofillinois database logic design web20

Link:

PHP-Security.net:
X.509 PKI login with PHP and Apache
May 30, 2008 @ 17:05:59

Christopher Kunz has relaunched his php-security.net domain with a brand new blog and a new article posted today - "X.509 PKI login with PHP and Apache".

Since grid computing (that's what I'm currently doing) also is very much about Single-sign on and delegation of rights, username/password authentication schemes don't quite do it for us. Thus, a PKI (public key infrastructure) based on X.509 is employed.

He explains the acronym soup by defining the process as advanced means of "showing the web who you are". He explains some of the basics about the certificates and who good candidates for this type of authentication are. Then the tech starts - how to get Apache configured to use them and how to use them in PHP to authenticate the external user (requiring OpenSSL compiled in to access the needed functions).

tagged: x509 pki login apache certificate tutorial openssl

Link: