Hello dear list,
I realise this is probably not the best place to ask this kind of
question, but after doing my homework on Google and php.net, I can't
find a decent solution to a development problem I thought would be
common. If this is strictly off topic, feel free to let me know.
I am currently interfacing a client's ecommerce website (let's call it
C) with an online payment gateway (let's call it G). The communication
between C and G is done over SSL, using SOAP. The payment gateway's
support team provided us a sample PHP script responsible for connecting to
G, making the payment etc. It lacks any kind of security checks, and in
particular doesn't verify G's SSL certificate, nor does it verify that
the certificate actually comes from a certification authority that we do
in fact trust. Internal experiments showed that if presented a fake self-
signed certificate using the domain name of the gateway, the web app of
C doesn't realize the subterfuge and proceeds to the payment, which is
indeed quite annoying from a security point of view.
C is a php webapp running on php 5.2.9 under apache 2.x, here is the
full httpd banner:
Apache/2.2.11 (Ubuntu) PHP/5.2.9 mod_ssl/2.2.11 OpenSSL/0.9.8g Server
The code provided by the gateway's support team to perform the
connection to G looks like this:
    // Options come straight from the class configuration: no stream
    // context is passed, so no SSL peer verification is applied to the
    // connection to G before the payment call is made.
    $client = new SoapClient($this->WSDL_SOAP, $this->header_soap);
    $doWebPaymentResponse = $client->doWebPayment($doWebPaymentRequest);
    return util::responseToArray($doWebPaymentResponse);
It is lacking any type of authentication of the payment gateway, which
is not acceptable.
So in a nutshell, my problem is: can I get access to the X.509
certificate used by SoapClient? Is there an API to then verify the
whole authority certification chain up to the root certificates I may
decide to trust automagically, or shall I use the OpenSSL API?
Note: I have been suggested to rely on SoapClient like above to perform
the payment, while opening a second socket (possibly using libcurl, or
even using the binary openssl itself) which would only verify the SSL
certification chain "in parallel". This seems quite a bad solution to me
since it is not verifying anything on the connection made by SoapClient:
imho there will be a race condition however I implement it ;(
Note2: I did try to get the payment gateway's team to provide us the
necessary PHP code, but they don't seem interested in making things
work in a secure way :(
In case SoapClient couldn't be used for this purpose, what is the
suggested way to extend its capabilities (hooking/patching/writing an
Apache module)?
Thanks for your time,
Jonathan
> It is lacking any type of authentication of the payment gateway, which
> is not acceptable.
I agree+++.
The problem is that PHP SOAP uses an internal "streams" library instead
of libcurl; the former lacks, the latter has, client/server PKI support.
If it did use libcurl, dozens of problems over the last few years would
have magically solved themselves (pipelining, keep-alive, socket
options, PKI, etc.)
Support needs to be added to PHP for this and it's been on the
back-burner for me, but I think it is time to take it to the next level.
This being 2009, and all, perhaps a few organizations can pool resources
and sponsor the needed development.
~BAS
>> So in a nutshell, my problem is: can I get access to the X.509
>> certificate used by SoapClient? Is there an API to then verify the
>> whole authority certification chain up to the root certificates I may
>> decide to trust automagically, or shall I use the OpenSSL API?
> If it did use libcurl, dozens of problems over the last few years would
> have magically solved themselves (pipelining, keep-alive, socket
> options, PKI, etc.)
Not only this extension but pretty much everything should use curl IMHO;
it is included in all *nixes and works on Windows too.
>> It is lacking any type of authentication of the payment gateway, which
>> is not acceptable.
>
> I agree+++.
>
> The problem is that PHP SOAP uses an internal "streams" library instead
> of libcurl; the former lacks, the latter has, client/server PKI support.
Nonsense. ext/soap has support for all of this through PHP's "https"
stream which wraps the "ssl" stream.
Please RT(F)M:
http://php.net/manual/en/soapclient.soapclient.php
http://php.net/manual/en/context.ssl.php
In short:
    $c = new SoapClient(
        'https://foo/bar.wsdl',
        array(
            // the 'ssl' context options are applied to the https stream
            'stream_context' => stream_context_create(array(
                'ssl' => array(
                    'verify_peer' => true
                )
            ))
        )
    );
There is the whole range of options related to certs, including for CA
certs etc. SoapClient itself has an option for a 'local_cert' as well.
- David
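The following is an added example, not code from the thread or from the gateway: it pulls together David's stream-context answer and Jonathan's original question about getting at the server's X.509 certificate. The gateway URL, CA bundle path and expected common name are placeholders. It pins verification to a CA file we choose (rather than whatever the system trusts), requires the common name to match, and uses the 'capture_peer_cert' / 'capture_peer_cert_chain' options so the certificate SoapClient actually negotiated can be inspected afterwards with openssl_x509_parse(). Syntax is kept PHP 5.2-compatible to match the poster's platform.

```php
<?php
// Added example (not part of the original thread). All three values below
// are assumptions for illustration; replace them with the real gateway data.
define('GATEWAY_WSDL',      'https://gateway.example/payment.wsdl');
define('GATEWAY_CA_BUNDLE', '/etc/ssl/certs/gateway-ca.pem');
define('GATEWAY_CN',        'gateway.example');

// Build an SSL stream context that refuses anything not chaining to our CA
// bundle and whose certificate CN does not match the gateway's host name.
function gateway_stream_context()
{
    return stream_context_create(array(
        'ssl' => array(
            'verify_peer'             => true,              // chain must end at a trusted CA
            'allow_self_signed'       => false,             // explicit: self-signed must fail
            'cafile'                  => GATEWAY_CA_BUNDLE, // only the CAs we decide to trust
            'verify_depth'            => 5,
            'CN_match'                => GATEWAY_CN,        // PHP <= 5.5 name check ('peer_name' from 5.6)
            'capture_peer_cert'       => true,              // keep the server cert for inspection
            'capture_peer_cert_chain' => true,
        ),
    ));
}

// SoapClient with the verified context; 'exceptions' turns a failed handshake
// into a SoapFault before any payment operation is attempted.
function gateway_client($wsdl, $context)
{
    return new SoapClient($wsdl, array(
        'stream_context' => $context,
        'exceptions'     => true,
        'cache_wsdl'     => WSDL_CACHE_NONE,
    ));
}

// After a successful connection the captured certificate is stored back in
// the context's ssl options; summarise it for logging or further checks.
function describe_peer_certificate($context)
{
    $opts = stream_context_get_options($context);
    if (empty($opts['ssl']['peer_certificate'])) {
        return null; // no TLS handshake completed, nothing captured
    }
    $parsed = openssl_x509_parse($opts['ssl']['peer_certificate']);
    $chain  = isset($opts['ssl']['peer_certificate_chain'])
        ? count($opts['ssl']['peer_certificate_chain']) : 0;
    return array(
        'subject_cn'   => isset($parsed['subject']['CN']) ? $parsed['subject']['CN'] : '',
        'issuer_cn'    => isset($parsed['issuer']['CN'])  ? $parsed['issuer']['CN']  : '',
        'valid_until'  => date('c', $parsed['validTo_time_t']),
        'chain_length' => $chain,
    );
}

// Usage: a fake or untrusted certificate surfaces as a SoapFault here,
// so doWebPayment() is never reached against an unverified peer.
$ctx = gateway_stream_context();
try {
    $client = gateway_client(GATEWAY_WSDL, $ctx);
    // $response = $client->doWebPayment($request);
    print_r(describe_peer_certificate($ctx));
} catch (SoapFault $f) {
    echo "Refusing to talk to gateway: " . $f->getMessage() . "\n";
}
```

Two caveats worth checking on the actual PHP build: in 5.2 'verify_peer' defaults to false, so leaving it out silently disables verification; and whether the initial WSDL download honours the same context depends on the PHP version, so keeping a local copy of the WSDL (or a file:// path) removes that doubt entirely.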
2009/7/10 David Zülke david.zuelke@bitextender.com:
>>> It is lacking any type of authentication of the payment gateway, which
>>> is not acceptable.
>>
>> I agree+++.
>>
>> The problem is that PHP SOAP uses an internal "streams" library instead
>> of libcurl; the former lacks, the latter has, client/server PKI support.
>
> Nonsense. ext/soap has support for all of this through PHP's "https" stream
> which wraps the "ssl" stream.
>
> Please RT(F)M:
> http://php.net/manual/en/soapclient.soapclient.php
> http://php.net/manual/en/context.ssl.php
>
> In short:
>
>     $c = new SoapClient(
>         'https://foo/bar.wsdl',
>         array(
>             // the 'ssl' context options are applied to the https stream
>             'stream_context' => stream_context_create(array(
>                 'ssl' => array(
>                     'verify_peer' => true
>                 )
>             ))
>         )
>     );
>
> There is the whole range of options related to certs, including for CA certs
> etc. SoapClient itself has an option for a 'local_cert' as well.
>
> - David
That's a great example. When SVN is back online, I'll add that as an example.
--
Richard Quadling
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
"Standing on the shoulders of some very clever giants!"
ZOPA : http://uk.zopa.com/member/RQuadling