如何使用PHP从Web服务器进行TLS连接,并且安全 [英] How to make TLS connection from PHP in web server, and safely
问题描述
建议使用什么PHP插件或库或其他方法来完成TLS连接?哪里有好的地方开始看? (我的初始Google搜索给我一个巨大的噪声比率来发信号。)
将X509私钥放在网络服务器上涉及什么安全问题?要使TLS连接断开,我将需要同时使用X509证书和相应的私钥,也可能需要PEM文件或DER文件,或者在Java密钥库中。那个私人密钥是否会被安置在Web根目录下的弱点?这通常如何处理?什么是安全问题,特别是保护用于进行TLS连接的私钥?最好的做法是什么?
编辑:我忘了提到PHP应用程序连接的服务器需要提供客户端证书。客户端 需要私钥进行连接。另外,我正在连接的服务器是 HTTP服务器 - 我只需要在通过SSL / TLS连接的普通套接字连接上读/写。
TLS是正确的名称,但大多数人仍然称之为SSL。在PHP中,您可以进行此连接使用CURL 。
使用TLS / SSL客户端,您只需要公钥来验证远程主机。这个公钥是公开的,如果它被泄露给攻击者没关系。在服务器端Apache可以访问公钥和私钥。这些密钥使用正常的文件访问权限进行保护。在* nix系统下,这些密钥通常存储在Apache进程所拥有的 / etc / 中, chmod 400 最好。
客户端最简单的身份验证方法将是简单的用户名/密码。您可以使用SSL来验证客户端和服务器。这将需要您将私钥存储在您的PHP应用程序访问的某个地方,理想情况下,使用 chmod 400 的webroot,但您可以轻松将其重命名为.php或把它放在一个.htaccess的文件夹中,其中包含所有中的 deny。在服务器端,您可以使用这些环境变量验证客户端证书。
如果您只想要TLS连接,而不是HTTP。然后,您可以使用stream_context_set_option设置上下文选项:
<?php
$ context = stream_context_create();
$ result = stream_context_set_option($ context,'ssl','local_cert','/path/to/keys.pem');
//如果您的证书有密码
$ result = stream_context_set_option($ context,'ssl','passphrase','pass_to_access_keys'),则需要此行;
$ socket = stream_socket_client('tls://'.$host。':443',$ errno,$ errstr,30,STREAM_CLIENT_CONNECT,$ context);
?>
Suppose I have some PHP code running inside a web server, for example, running a simple CakePHP app. From this app, I want to occasionally make a TLS connection out to some server to exchange some data. How is this typically done? (I have little experience with PHP.)
What PHP plug-ins or libraries or whatever, are recommended to accomplish TLS connections? Where are some good places to start looking? (My initial Google searches give me a huge ratio of noise to signal.)
What are the security issues involved with having the X509 private key sitting on the web server? To make a TLS connection out, I'm going to need both the X509 certificate and the corresponding private key, as perhaps PEM files, or DER files, or in a Java keystore, or whatever. Is that private key going to be sitting somewhere vulnerable under the web root? How is this typically handled? What are the security issues, specifically, of securing the private key that is to be used to make a TLS connection out? What are the best practices?
Edit: I forgot to mention that the server that the PHP app connects to requires a client certificate to be presented. The client does need the private key to connect. Also, the server I am connecting to is not an HTTP server -- I just need to read/write on a plain socket connection to the server (over the SSL/TLS connection).
TLS is the proper name, however most people still call it SSL. In PHP you can make this connection using CURL.
With a TLS/SSL client you only need the public key to verify a remote host. This public key is just that public, it doesn't matter if it gets leaked to an attacker. On the server side Apache has access both the public and private key. These keys are protected using normal file access privileges. Under *nix systems these keys are commonly stored somewhere in /etc/, owned by the Apache process and chmod 400 is best.
The easiest authentication method for clients would be a simple username/password. You can use SSL to authenticate both the client and server. This would require you to store the private key somewhere where your PHP app has access, ideally outside of the webroot with a chmod 400, but you could easily rename it to .php or put it in a folder with a .htaccess that contains deny from all. On the server side you can verify the clients certificate using these environmental variables.
If you just want a TLS connection and not an HTTPs. Then you can use stream_context_set_option by setting the Context Options:
<?php
$context = stream_context_create();
$result = stream_context_set_option($context, 'ssl', 'local_cert', '/path/to/keys.pem');
// This line is needed if your cert has a passphrase
$result = stream_context_set_option($context, 'ssl', 'passphrase', 'pass_to_access_keys');
$socket = stream_socket_client('tls://'.$host.':443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
?>
这篇关于如何使用PHP从Web服务器进行TLS连接,并且安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
