-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello dear list,

I realise this is probably not the best place to ask this kind of
question, but after doing my homework on Google and php.net, I can't
find a decent solution to a development problem I thought would be
common. If this is strictly off topic, feel free to let me know.

I am currently interfacing a client's ecommerce website (let's call it
C) with an online payment gateway (let's call it G). The communication
between C and G is done over SSL, using SOAP. The payment gateway's
support team provided us with a sample PHP script responsible for connecting to
G, making the payment etc. It lacks any kind of security checks, and in
particular doesn't verify G's SSL certificate, nor does it verify that
the certificate actually comes from a certification authority that we do
in fact trust. Internal experiments showed that if presented with a fake
self-signed certificate using the domain name of the gateway, the web app of
C doesn't realize the subterfuge and proceeds to the payment, which is
indeed quite annoying from a security point of view.

C is a PHP webapp running on PHP 5.2.9 under Apache 2.x, here is the
full httpd banner:

Apache/2.2.11 (Ubuntu) PHP/5.2.9 mod_ssl/2.2.11 OpenSSL/0.9.8g Server


The code provided by the gateway's support team to perform the
connection to G looks like this:


$client = new SoapClient($this->WSDL_SOAP, $this->header_soap);
// No 'stream_context' with SSL options is passed, so the https stream runs with
// PHP's pre-5.6 default (verify_peer = false) and accepts any certificate G presents.
$doWebPaymentResponse = $client->doWebPayment($doWebPaymentRequest);
return util::responseToArray($doWebPaymentResponse);


It is lacking any type of authentication of the payment gateway, which
is not acceptable.

So in a nutshell, my problem is: can I get access to the X.509
certificate used by SoapClient? Is there an API to then verify the
whole certification chain up to the root certificates I may
decide to trust automagically, or shall I use the OpenSSL API?

Note: it has been suggested to me that I rely on SoapClient as above to perform
the payment, while opening a second socket (possibly using libcurl, or
even using the openssl binary itself) which would only verify the SSL
certification chain "in parallel". This seems quite a bad solution to me
since it is not verifying anything on the connection made by SoapClient:
imho there will be a race condition however I implement it ;(

Note2: I _did_ try to get the payment gateway's team to provide us with the
necessary PHP code, but they don't seem interested in making things
work in a secure way :(

In case SoapClient can't be used for this purpose, what is the
suggested way to extend its capabilities (hooking/patching/writing an
Apache module)?


Thanks for your time,

- --
Jonathan


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpTUMcACgkQK/YAm7PYybkkHgCfdbuhceR6BDdONspDN7CyZNEk
Z4IAmgPopaVgui/Ils/FraDXNhIEkUC8
=t1Gv
-----END PGP SIGNATURE-----

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
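Editor's added example (not the gateway's sample code and not from the poster) showing how the two questions in the message can be answered with what PHP 5.2.9 already ships, without a parallel socket: SoapClient accepts a 'stream_context' option, the ssl context options verify_peer, cafile, CN_match and capture_peer_cert make the https stream verify the chain and hostname and then expose the presented certificate, and openssl_x509_checkpurpose() validates a certificate chain against a CA file of one's own choosing. Assumptions, labelled as such in the code: GATEWAY_HOST and CA_BUNDLE are placeholders for G's real hostname and the Ubuntu CA bundle path, and the WSDL is a local copy so the only network connection is the SOAP call itself. CN_match is the PHP 5.2 spelling; it was replaced by peer_name in PHP 5.6, which also made verify_peer default to true.

```php
<?php
// Added example, not the gateway's code. Assumed names (placeholders):
//   GATEWAY_HOST - G's real hostname;  CA_BUNDLE - the Ubuntu system CA bundle;
//   $wsdl        - a local copy of G's WSDL, so the contexted https connection
//                  below is the SOAP call and nothing else.
// All of this exists on PHP 5.2: SoapClient 'stream_context', the ssl context
// options verify_peer/cafile/CN_match/capture_peer_cert, openssl_x509_checkpurpose().
define('GATEWAY_HOST', 'gateway.example.com');
define('CA_BUNDLE', '/etc/ssl/certs/ca-certificates.crt');

function make_verifying_context($expected_host, $ca_bundle)
{
    return stream_context_create(array('ssl' => array(
        'verify_peer'       => true,           // off by default before PHP 5.6
        'allow_self_signed' => false,
        'cafile'            => $ca_bundle,     // the roots we choose to trust
        'CN_match'          => $expected_host, // hostname check (peer_name in >= 5.6)
        'capture_peer_cert' => true,           // make the cert readable afterwards
    )));
}

function check_peer_certificate($cert, $expected_host, $ca_bundle)
{
    // Chain validation up to the CAs in $ca_bundle, for the TLS-server purpose.
    $ok = openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, array($ca_bundle));
    if ($ok !== true) {
        throw new RuntimeException('certificate does not chain to a trusted CA');
    }
    $info = openssl_x509_parse($cert);
    $now  = time();
    if ($info['validFrom_time_t'] > $now || $info['validTo_time_t'] < $now) {
        throw new RuntimeException('certificate is not currently valid');
    }
    // Hostname: accept the subject CN or any dNSName in subjectAltName.
    $names = array();
    if (isset($info['subject']['CN'])) {
        $names[] = $info['subject']['CN'];
    }
    if (isset($info['extensions']['subjectAltName'])) {
        foreach (explode(',', $info['extensions']['subjectAltName']) as $san) {
            $san = trim($san);
            if (stripos($san, 'DNS:') === 0) {
                $names[] = substr($san, 4);
            }
        }
    }
    if (!in_array(strtolower($expected_host), array_map('strtolower', $names), true)) {
        throw new RuntimeException('certificate names (' . implode(', ', $names)
            . ") do not include $expected_host");
    }
    return $info;
}

function do_web_payment($wsdl, $request)
{
    $ctx    = make_verifying_context(GATEWAY_HOST, CA_BUNDLE);
    $client = new SoapClient($wsdl, array('stream_context' => $ctx, 'exceptions' => true));

    // With verify_peer on, a self-signed or untrusted certificate makes the https
    // stream fail, so this throws a SoapFault instead of sending the payment.
    $response = $client->doWebPayment($request);

    // Second opinion on the very certificate this connection used: it was captured
    // into the same context, so there is no parallel socket and no race.
    $opts = stream_context_get_options($ctx);
    if (empty($opts['ssl']['peer_certificate'])) {
        throw new RuntimeException('no peer certificate captured');
    }
    check_peer_certificate($opts['ssl']['peer_certificate'], GATEWAY_HOST, CA_BUNDLE);
    return $response;
}

// Offline check of the validator with a constructed input: a throwaway
// self-signed certificate carrying G's hostname, i.e. the fake certificate from
// the internal experiment described in the message. It must be rejected.
function self_signed_is_rejected()
{
    $key  = openssl_pkey_new(array('private_key_bits' => 1024));
    $csr  = openssl_csr_new(array('commonName' => GATEWAY_HOST), $key);
    $cert = openssl_csr_sign($csr, null, $key, 1);
    try {
        check_peer_certificate($cert, GATEWAY_HOST, CA_BUNDLE);
        return false;
    } catch (RuntimeException $e) {
        return true;
    }
}

var_dump(self_signed_is_rejected());
```

The stream-context options do the real work: once verify_peer, cafile and CN_match are set, the handshake itself fails against a self-signed certificate and the payment is never sent. check_peer_certificate() is the explicit answer to "is there an API to verify the chain": openssl_x509_checkpurpose() walks the chain up to the CAs in the given file, and because the certificate is read back from the same context the connection used, there is nothing "in parallel" to race against.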
