Newsgroups: php.internals
Message-ID: <4A5350C7.5060600@gmail.com>
Date: Tue, 07 Jul 2009 15:42:31 +0200
To: PHP internals
Subject: Soap over SSL and
From: endrazine@gmail.com (endrazine)

Hello dear list,

I realise this is probably not the best place to ask this kind of question, but after doing my homework on Google and php.net, I can't find a decent solution to a development problem I thought would be common. If this is strictly off topic, feel free to let me know.

I am currently interfacing a client's ecommerce website (let's call it C) with an online payment gateway (let's call it G). The communication between C and G is done over SSL, using Soap.

The payment gateway's support team provided us with a sample PHP script responsible for connecting to G, making the payment etc. It lacks any kind of security check, and in particular doesn't verify G's SSL certificate, nor does it verify that the certificate actually comes from a certification authority that we do in fact trust.

Internal experiments showed that if presented with a fake self-signed certificate using the domain name of the gateway, the web app of C doesn't realize the subterfuge and proceeds to the payment, which is indeed quite annoying from a security point of view.

C is a PHP webapp running on PHP 5.2.9 under Apache 2.x; here is the full httpd banner:

    Apache/2.2.11 (Ubuntu) PHP/5.2.9 mod_ssl/2.2.11 OpenSSL/0.9.8g Server

The code provided by the gateway's support team to perform the connection to G looks like this:

    $client = new SoapClient($this->WSDL_SOAP, $this->header_soap);
    $doWebPaymentResponse = $client->doWebPayment($doWebPaymentRequest);
    return util::responseToArray($doWebPaymentResponse);

It is lacking any type of authentication of the payment gateway, which is not acceptable.

So in a nutshell, my problem is: can I get access to the x509 certificate used by SoapClient? Is there an API to then verify the whole authority certification chain up to the root certificates I may decide to trust automagically, or shall I use the openssl API?

Note: It has been suggested to me to rely on SoapClient as above to perform the payment, while opening a second socket (possibly using libcurl, or even using the openssl binary itself) which would only verify the SSL certification chain "in parallel". This seems quite a bad solution to me since it is not verifying anything on the connection made by SoapClient: imho there will be a race condition however I implement it ;(

Note2: I _did_ try to get the payment gateway's team to provide us with the necessary PHP code, but they don't seem interested in making things work in a secure way :(

In case SoapClient couldn't be used for this purpose, what is the suggested way to extend its capabilities (hooking/patching/writing an Apache module)?

Thanks for your time,

--
Jonathan
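
The following is an added example, not part of the original post and not the gateway's code: one way to have SoapClient verify the certificate chain and host name on its own connection, through the `stream_context` option and PHP's `ssl` context options. It assumes PHP 5.6 or later (for `peer_name` and `verify_peer_name`) with ext-soap; the helper names, the endpoint `https://gateway.example/soap`, the `urn:example-gateway` namespace and the CA bundle path are hypothetical placeholders.

```php
<?php
// Added example: build a SoapClient whose own TLS connection is verified.
// Assumes PHP >= 5.6 and ext-soap; all names and URLs below are hypothetical.

function gateway_tls_context($caFile, $peerName)
{
    if (!is_readable($caFile)) {
        // Fail closed: never fall back to an unverified connection.
        throw new RuntimeException("CA bundle not readable: $caFile");
    }
    return stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,    // validate the chain up to a CA in cafile
            'verify_peer_name'  => true,    // certificate must match peer_name
            'peer_name'         => $peerName,
            'cafile'            => $caFile, // only the roots we decide to trust
            'verify_depth'      => 5,       // cap the accepted chain length
            'allow_self_signed' => false,   // reject self-signed certificates
        ),
    ));
}

function gateway_soap_client($wsdl, array $options, $caFile, $peerName)
{
    // The context is attached to the SoapClient itself, so the checks apply
    // to the connection that carries the payment request, not a parallel one.
    $options['stream_context'] = gateway_tls_context($caFile, $peerName);
    $options['exceptions'] = true; // surface connection failures as SoapFault
    return new SoapClient($wsdl, $options);
}

// Hypothetical values: replace with the gateway's real endpoint and CA bundle.
// Non-WSDL mode is used here so that construction itself needs no network.
$caFile = '/etc/ssl/certs/ca-certificates.crt'; // assumed Debian/Ubuntu path
$client = gateway_soap_client(null, array(
    'location' => 'https://gateway.example/soap',
    'uri'      => 'urn:example-gateway',
), $caFile, 'gateway.example');

try {
    $response = $client->doWebPayment(array(/* request fields */));
} catch (SoapFault $e) {
    // A failed connection or TLS verification ends up here; do not retry unverified.
    error_log('Payment gateway call failed: ' . $e->getMessage());
}
```

Pointing `cafile` at a bundle containing only the CA that issues the gateway's certificate narrows trust further than the system-wide bundle.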