[PHP] php ssl connection timeout issue
Hi,

I am having trouble connecting to https sites using PHP's builtin SSL functions. I tried:

  file_get_contents('https://securesite')
  fsockopen('ssl://securesite', 443, $errno, $errstr, 20)

and got the same errors every time:

  SSL: connection timeout
  Failed to enable crypto

A call to openssl_error_string() returns no error. Curl worked both within PHP and as a standalone client. The strange thing is that the connection seemed to be dropped immediately upon contact with the server, i.e., the call to the above functions failed immediately, which I think contradicts the "timeout" error. Any tips on the cause of this issue or how to debug this are appreciated.

Regards,
Jerry
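As an added example, not part of Jerry's post, here is a small PHP probe that separates the TCP connect from the TLS handshake and drains OpenSSL's error queue, so the two failure modes in the post ("connection timeout" versus "Failed to enable crypto") can be told apart and logged with whatever detail the library actually produced. It assumes a PHP build with the openssl extension (the TLS 1.3 constant needs PHP 7.4 or later); the hostname securesite.example is a placeholder and the function name probe_tls is my own.

```php
<?php
// Added example, not code from the original post. A TLS probe for PHP's
// stream layer that separates the TCP connect from the handshake and drains
// OpenSSL's error queue, so "connection timeout" and "Failed to enable
// crypto" can be told apart. The host name below is a placeholder (assumption).

declare(strict_types=1);

/**
 * Try a TLS handshake with $host:$port and return a diagnostic array.
 * Never throws; every failure ends up in the 'error' key for logging.
 * Peer verification stays on: a probe that skips it cannot tell a
 * misconfigured server from a hostile one.
 */
function probe_tls(string $host, int $port = 443, float $timeout = 10.0, ?string $cafile = null): array
{
    $ssl = [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'peer_name'         => $host,
        'SNI_enabled'       => true,
        'capture_peer_cert' => true,
        // TLS 1.2 or 1.3 only; the TLSv1_3 constant needs PHP 7.4+.
        'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                             | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT,
    ];
    if ($cafile !== null) {
        $ssl['cafile'] = $cafile; // explicit trust anchor instead of the system store
    }
    $ctx = stream_context_create(['ssl' => $ssl]);

    // Stage 1: plain TCP. A failure here is a network problem, not TLS.
    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return ['ok' => false, 'stage' => 'tcp', 'error' => "{$errno}: {$errstr}", 'openssl' => []];
    }
    stream_set_timeout($sock, (int) $timeout);

    // Stage 2: the handshake, using the crypto_method from the context.
    // The warning is suppressed here and read back with error_get_last().
    if (@stream_socket_enable_crypto($sock, true) !== true) {
        $queue = [];
        while (($e = openssl_error_string()) !== false) {
            // An empty queue with an immediate failure points at the transport
            // (peer closed or reset) rather than at a certificate problem.
            $queue[] = $e;
        }
        $last = error_get_last();
        fclose($sock);
        return [
            'ok'      => false,
            'stage'   => 'handshake',
            'error'   => $last['message'] ?? 'stream_socket_enable_crypto returned false',
            'openssl' => $queue,
        ];
    }

    // Stage 3: record what was negotiated and who we talked to.
    $meta = stream_get_meta_data($sock);
    $opts = stream_context_get_options($ctx);
    $cert = $opts['ssl']['peer_certificate'] ?? null;
    $x509 = ($cert !== null ? openssl_x509_parse($cert) : false) ?: [];
    fclose($sock);

    return [
        'ok'       => true,
        'stage'    => 'done',
        'protocol' => $meta['crypto']['protocol'] ?? 'unknown',
        'cipher'   => $meta['crypto']['cipher_name'] ?? 'unknown',
        'subject'  => $x509['subject']['CN'] ?? null,
        'expires'  => isset($x509['validTo_time_t']) ? gmdate('Y-m-d', $x509['validTo_time_t']) : null,
    ];
}

// Usage (placeholder host; replace with a server you operate):
print_r(probe_tls('securesite.example', 443));
```

If stage 1 succeeds and stage 2 fails at once, the problem is in the handshake rather than in the network, which matches the immediate failure Jerry describes; the `openssl` list then shows whether the library had anything to say. Keep `verify_peer` and `verify_peer_name` on while debugging: switching them off would not change a handshake that the peer aborts, and it would hide a real certificate problem if one appears later.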
[PHP] PHP, SSL and private keys
Hi,

I would like to give my users the possibility to authenticate through a private certificate to confirm their identity. I'm not really sure where to start. Has anyone seen a website explaining this? Some pointers would be very welcome.

Thanks!
Evert

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP / SSL
This is what I got back so far from RC5 where there are crypto experts. And as the guy from GMDI? I forgot, something like that .nl, pointed out, it also matters whether it's SSL2 or SSL3 40bit encryption if I'm not mistaken. Hope you can do something with this info.

Apparently, like stated below, it is less work to crack RC5 40 bits (which SSL probably uses) than it is to crack DES. Since DES can be cracked within 22 hours on distributed.net and that power can be compared with like $ 100.000 I ESTIMATE somebody with like 40.000 bucks can crack it in reasonable time.

I guess the big question is this, if it gets cracked, who are they gonna hold responsible. If they are gonna hold you responsible I'd certainly think twice about this :-)

Kind regards & happy holidays

-- Forwarded Message --

Subject: Re: [RC5] Re: [PHP] PHP / SSL | for distributed.net OffTopic!!!
Date: Fri, 21 Dec 2001 08:12:36 -0500
From: "Jeff Gilchrist" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>

- Original Message -
From: "TD - Sales International Holland B.V." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, December 21, 2001 12:34 PM
Subject: [RC5] Re: [PHP] PHP / SSL | for distributed.net OffTopic!!!

> sorry this is OT but we would like to know what is more secure.
> 40bit SSL or 56bit DES. The reason I'm asking is since DES has
> been cracked under 22 hours 40bit SSL looks really insecure to me.
>
> Thanks in advance, sorry for the OT

First, you have to realise that SSL is not a crypto algorithm, it is a transport layer, so when you are talking about 40bit SSL you are most likely talking about 40bit RC5 encryption which is used in SSL. You can also have 56bit DES encryption in SSL, or a number of other algorithms if your SSL client/server supports it. Either way, using a 40bit key is MUCH less secure than using a 56bit key.

Every time you increase the key length by a bit, it doubles the number of possible keys to search through to crack it by brute force. A 56bit key has 65536 times more possible keys than a 40bit key. A 128bit key has 309485009821345068724781056 times more possible keys than a 40bit key. Remember with a brute-force attack you have to check all the keys to see if it is the correct one so the more possible keys there are, the longer it will take and the more work is involved.

You should not use either 40bit or 56bit SSL since both are not considered secure. You should use 128bit SSL instead. There is no reason to use 40 or 56bit SSL any more since web servers and web browsers that support 128bit SSL are easily found. Modules like mod_ssl for Apache support 128bit encryption algorithms using the openssl library.

If you only have the choice between 40bit SSL or 56bit SSL, then go for the 56bit version. Your traffic will not be securely protected but it is much more work to break DES than it is 40bit RC5 in SSL.

Regards,
Jeff.

---

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] PHP / SSL
- Original Message -
From: "TD - Sales International Holland B.V." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, December 21, 2001 12:34 PM
Subject: [RC5] Re: [PHP] PHP / SSL | for distributed.net

> sorry this is OT but we would like to know what is more secure.
> 40bit SSL or 56bit DES. The reason I'm asking is since DES has
> been cracked under 22 hours 40bit SSL looks really insecure to me.
>
> Thanks in advance, sorry for the OT

First, you have to realise that SSL is not a crypto algorithm, it is a transport layer, so when you are talking about 40bit SSL you are most likely talking about 40bit RC5 encryption which is used in SSL. You can also have 56bit DES encryption in SSL, or a number of other algorithms if your SSL client/server supports it. Either way, using a 40bit key is MUCH less secure than using a 56bit key.

Every time you increase the key length by a bit, it doubles the number of possible keys to search through to crack it by brute force. A 56bit key has 65536 times more possible keys than a 40bit key. A 128bit key has 309485009821345068724781056 times more possible keys than a 40bit key. Remember with a brute-force attack you have to check all the keys to see if it is the correct one so the more possible keys there are, the longer it will take and the more work is involved.

You should not use either 40bit or 56bit SSL since both are not considered secure. You should use 128bit SSL instead. There is no reason to use 40 or 56bit SSL any more since web servers and web browsers that support 128bit SSL are easily found. Modules like mod_ssl for Apache support 128bit encryption algorithms using the openssl library and work great with PHP.

If you only have the choice between 40bit SSL or 56bit SSL, then go for the 56bit version. Your traffic will not be securely protected but it is much more work to break DES than it is 40bit RC5 in SSL.

Regards,
Jeff.
[PHP] Fwd: REJECTED: Re: [PHP] PHP / SSL
sorry it was rejected the first time so there might be some garbage in it

Wow, I'd have to check that :-) any crypto people here? :-)

bitwise 56 is > 40. Mathematically it would take a lot less time to brute force 40 bit than it would 56 bit.

40 bit = (2^40) 1.0995116278e+12 (1.099.511.627.800 possible options)
56 bit = (2^56) 7.2057594038e+16 (72.057.594.038.000.000 possible options)

I am no crypto expert whatsoever, but it looks to me like you're done a lot faster if you only have to test for only 1.099.511.627.800 keys than for 72.057.594.038.000.000. The 56bit keys were cracked under 22 hours several times as far as I know. Of course this is also a question of luck. You might be a real lucky ass and get the correct key the first try. Then again you might be an unlucky ass and get the key at the last one to try.

Once again, I'm NO crypto expert whatsoever. But it appears to me that 40bit encryption can't have more keys than fit in 40 bits? Then again, maybe they mix several algorithms, I'd have to check..

I'm also sending this to distributed.net mailing lists. There are some crypto experts there, maybe they can shed some light on it.

> Hang on, correct me if I'm wrong, but isn't 56bit DES significantly
> different from 40-bit SSL (which uses a 40bit key for the public key
> crypto and something like a 3000bit key for the symmetric cipher used for
> the actual data transfer).
>
> What I mean is, DES is significantly weaker than the weakest part of
> standard 40bit SSL yes?
>
> If I'm wrong, aren't a lot of people putting a lot of confidence in
> something that really isn't secure (i.e. all SSL sessions...)??

---
RE: [PHP] PHP / SSL
I am sorry to say, but it is bullshit what you are saying. I am quite sure that a 256 bit encryption can be cracked (brute force way) by the big players (US, MS, etc) within a reasonable time, say 2 or 3 months! And yes you can buy computers or clusters for 100.000 $. And they are 100, more likely 1000, times as fast as a PII 266.

But if you take a look at the distributed.net project. They are working for the past 4 years to hack (bruteforce) the rc5-64. The distributed.net combined power is 90.427 MKeys/sec (that is 17.000 Athlon 1400 PCs). This is an average; the current power is 196.231 MKeys/sec (36.720 Athlon 1400). And keep in mind that the distributed.net project is a bruteforce attempt on 64 Bit encryption!

So is a 256 bit encryption safe? Yes and no.
Yes: it is quite safe for a bruteforce attempt, it will take about 30 years for distributed.net.
No: Most "secure" encryption methods have short cuts to hack the code, at least for DES, Blowfish and several other popular encryption methods.

So what should we use? Banking companies demand a 128 bit encryption (in the Netherlands, other countries I don't know). For my CMS I am satisfied with a 40 bit encryption. It is a matter of a risk/cost evaluation. How much risk is there and if an anomaly occurs how much does it cost me?

My advice: always use at least 40 (128 is better :) ) bit SSL3 encryption, because SSL2 and lower have some bugs which make it possible to steal a session between users and server.

Jerry

-Original Message-
From: TD - Sales International Holland B.V. [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 7:05 PM
To: Jon Farmer; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] PHP / SSL

On Thursday 20 December 2001 15:37, Jon Farmer stuffed this into my mailbox:

256 bit encryption should be crackable by not too much more people than Microsoft, the US government, China and perhaps some others with shitloads of money that CAN disappear (within reasonable time). Else there will be questions.

Personally I found it hard to believe as well. But I'm told that you can have the same power for like $ 100.000,- by buying the best price/performance now. Make no mistake, those machines only need a mainboard, cpu, cooler, powersupply and a network card. Even better, we're thinking about x86 hardware (you and me) but apparently there is hardware on the market that was specifically crafted to decrypt stuff brute force. One of those would probably match like a 100 or maybe even a 1000 of the P-II 266 distributed.net has. Now if you're sure you can make $ 200.000,- by the credit card numbers/other info you gain from cracking it, it is already worth the effort.

Btw, an Athlon 1400 does 5,3 MKeys per SECOND (RC5-64)!! and those are damn cheap...

> > I urge you strongly to advise against that. Although it might be possible to
> > downgrade your encryption to 40bit I'd like to make you aware of the fact
> > that DES which is 56 bit encryption if I'm not mistaken was cracked several
> > times by brute force in UNDER 22 hours by the distributed.net people
> > (www.distributed.net). Therefore I would NOT consider 40 bits encryption safe
> > and I feel obligated to make you aware of that. You are warned now :-) so do
> > as you please.
>
> Erm, yeah true but by their own admission they used the equivalent of
> 16 PII 266Mhz machines to accomplish this. If you think someone is
> going to want your data and has those kinda resources available then yeah
> go for higher. However if that's your worry where are you going to stop in
> the length of your key? If you're that paranoid then you shouldn't be using
> public networks in the first place!!
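The doubling-per-bit reasoning in Jeff Gilchrist's message and the key-test rates Jerry quotes for distributed.net can be combined into one plain calculation. The PHP script below is an added example, not from any poster; its only inputs are the thread's figures (5.3 MKeys/s per Athlon 1400, and 90,427 and 196,231 MKeys/s for distributed.net, reading the posters' Dutch-style "90.427" as 90,427), and it prints the expected time to recover a key of each size by exhaustive search, which is half the keyspace divided by the rate. The function names are my own.

```php
<?php
// Added example, not from any post in the thread. Brute-force work-factor
// estimates for the key sizes argued about above, fed only with the rates
// the posters quote (5.3 MKeys/s per Athlon 1400; 90,427 and 196,231
// MKeys/s for distributed.net, reading the Dutch-style "90.427" as 90,427).

declare(strict_types=1);

/** Size of the keyspace for an n-bit key (float; powers of two are exact). */
function keyspace(int $bits): float
{
    return 2.0 ** $bits;
}

/** Factor by which the keyspace grows from $from bits to $to bits. */
function keyspace_ratio(int $from, int $to): float
{
    return 2.0 ** ($to - $from);
}

/**
 * Expected seconds to recover a key by exhaustive search at $keysPerSecond.
 * On average half the keys are tried before the right one turns up; that is
 * the "luck" mentioned in the thread averaged out. Worst case is twice this.
 */
function expected_seconds(int $bits, float $keysPerSecond): float
{
    return keyspace($bits) / 2.0 / $keysPerSecond;
}

/** Render a duration in the largest unit that keeps the number >= 1. */
function human_duration(float $seconds): string
{
    $units = [
        ['years',   365.25 * 86400.0],
        ['days',    86400.0],
        ['hours',   3600.0],
        ['minutes', 60.0],
    ];
    foreach ($units as [$name, $size]) {
        if ($seconds >= $size) {
            return sprintf('%.3g %s', $seconds / $size, $name);
        }
    }
    return sprintf('%.3g seconds', $seconds);
}

// Rates quoted in the thread, in keys per second.
$rates = [
    'one Athlon 1400 (5.3 MKeys/s)'            => 5.3e6,
    'distributed.net average (90,427 MKeys/s)' => 90427e6,
    'distributed.net peak (196,231 MKeys/s)'   => 196231e6,
];

printf("56-bit keyspace is %.0f times the 40-bit keyspace\n", keyspace_ratio(40, 56));
printf("128-bit keyspace is %.3e times the 40-bit keyspace\n\n", keyspace_ratio(40, 128));

foreach ($rates as $label => $rate) {
    echo $label, ":\n";
    foreach ([40, 56, 64, 128, 256] as $bits) {
        printf("  %3d-bit key: %s (expected)\n", $bits, human_duration(expected_seconds($bits, $rate)));
    }
    echo "\n";
}
```

At the 90,427 MKeys/s average the script puts a 40-bit key at about six seconds, 56-bit at a few days, 64-bit at about three years and 128-bit at roughly 6e19 years; the 128-bit line is why the advice in the thread is 128-bit SSL rather than a compromise between 40 and 56 bits. The 56-bit figure comes out above the 22 hours quoted in the thread because that DES result was reached with purpose-built search hardware alongside distributed.net's clients, the kind of hardware Ferry's message alludes to; the rate, not the key length, is the only thing that changes between the two estimates.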
Re: [PHP] PHP / SSL
On Thursday 20 December 2001 15:37, Jon Farmer stuffed this into my mailbox:

256 bit encryption should be crackable by not too much more people than Microsoft, the US government, China and perhaps some others with shitloads of money that CAN disappear (within reasonable time). Else there will be questions.

Personally I found it hard to believe as well. But I'm told that you can have the same power for like $ 100.000,- by buying the best price/performance now. Make no mistake, those machines only need a mainboard, cpu, cooler, powersupply and a network card. Even better, we're thinking about x86 hardware (you and me) but apparently there is hardware on the market that was specifically crafted to decrypt stuff brute force. One of those would probably match like a 100 or maybe even a 1000 of the P-II 266 distributed.net has. Now if you're sure you can make $ 200.000,- by the credit card numbers/other info you gain from cracking it, it is already worth the effort.

Btw, an Athlon 1400 does 5,3 MKeys per SECOND (RC5-64)!! and those are damn cheap...

> > I urge you strongly to advise against that. Although it might be possible to
> > downgrade your encryption to 40bit I'd like to make you aware of the fact
> > that DES which is 56 bit encryption if I'm not mistaken was cracked several
> > times by brute force in UNDER 22 hours by the distributed.net people
> > (www.distributed.net). Therefore I would NOT consider 40 bits encryption safe
> > and I feel obligated to make you aware of that. You are warned now :-) so do
> > as you please.
>
> Erm, yeah true but by their own admission they used the equivalent of
> 16 PII 266Mhz machines to accomplish this. If you think someone is
> going to want your data and has those kinda resources available then yeah
> go for higher. However if that's your worry where are you going to stop in
> the length of your key? If you're that paranoid then you shouldn't be using
> public networks in the first place!!
Re: [PHP] PHP / SSL
> I urge you strongly to advise against that. Although it might be possible to
> downgrade your encryption to 40bit I'd like to make you aware of the fact
> that DES which is 56 bit encryption if I'm not mistaken was cracked several
> times by brute force in UNDER 22 hours by the distributed.net people
> (www.distributed.net). Therefore I would NOT consider 40 bits encryption safe
> and I feel obligated to make you aware of that. You are warned now :-) so do
> as you please.

Erm, yeah true but by their own admission they used the equivalent of 16 PII 266Mhz machines to accomplish this. If you think someone is going to want your data and has those kinda resources available then yeah go for higher. However if that's your worry where are you going to stop in the length of your key? If you're that paranoid then you shouldn't be using public networks in the first place!!

-- 
Jon Farmer
Systems Programmer, Entanet www.enta.net
Tel 01952 428969 Mob 07763 620378
PGP Key available, send email with subject: Send PGP Key
Re: [PHP] PHP / SSL
Hang on, correct me if I'm wrong, but isn't 56bit DES significantly different from 40-bit SSL (which uses a 40bit key for the public key crypto and something like a 3000bit key for the symmetric cipher used for the actual data transfer).

What I mean is, DES is significantly weaker than the weakest part of standard 40bit SSL, yes?

If I'm wrong, aren't a lot of people putting a lot of confidence in something that really isn't secure (i.e. all SSL sessions...)??

-- 
Shane

On Thursday 20 Dec 2001 9:07 pm, TD - Sales International Holland B.V. wrote:
> On Thursday 20 December 2001 14:58, you wrote:
>
> I urge you strongly to advise against that. Although it might be possible
> to downgrade your encryption to 40bit I'd like to make you aware of the
> fact that DES which is 56 bit encryption if I'm not mistaken was cracked
> several times by brute force in UNDER 22 hours by the distributed.net
> people (www.distributed.net). Therefore I would NOT consider 40 bits
> encryption safe and I feel obligated to make you aware of that. You are
> warned now :-) so do as you please.
>
> Kind regards,
>
> Ferry van Steen
>
> PS I'm also on distributed.net's mailing list. I once asked why it wouldn't
> be safe then, since distributed.net has a huge load of processing power due
> to the number of people that participate. Apparently it's fairly easy for a
> lot of companies/governments/etc to EASILY!! match that computational
> power.
>
> > Hi,
> > Bit off topic this, but I thought I'd ask anyway...
> >
> > I've been implementing a financial reporting system, in PHP, which will
> > be running on the internet.
> >
> > Obviously, therefore, security is an issue. The system itself implements
> > a username/password login system, but I want to be able to run it using
> > SSL for obvious reasons.
> >
> > My problem is this: The server we have (Red Hat 7.0, Apache 1.3.14-3,
> > open-ssl 0.9.5a-14, mod_ssl 2.7.1-3) came with ssl preconfigured and
> > ready to use. It runs at 128 bit encryption which is fine as far as I'm
> > concerned.
> >
> > The people who will be using the system, however, have a company standard
> > browser which is IE 4 and only supports 40 bit encryption. And for
> > various political reasons they don't want to upgrade all the browsers. So
> > what I want to know is how easy it is to "turn down" the encryption
> > level, and how to go about it.
> >
> > Any suggestions, pointers??? All the documentation I've come across thus
> > far doesn't really cover anything like this
> >
> > Richy
> >
> > ==
> > Richard Black
> > Systems Programmer, DataVisibility Ltd - http://www.datavisibility.com
> > Tel: 0141 435 3504
> > Email: [EMAIL PROTECTED]
Re: [PHP] PHP / SSL
On Thursday 20 December 2001 14:58, you wrote:

I urge you strongly to advise against that. Although it might be possible to downgrade your encryption to 40bit I'd like to make you aware of the fact that DES which is 56 bit encryption if I'm not mistaken was cracked several times by brute force in UNDER 22 hours by the distributed.net people (www.distributed.net). Therefore I would NOT consider 40 bits encryption safe and I feel obligated to make you aware of that. You are warned now :-) so do as you please.

Kind regards,

Ferry van Steen

PS I'm also on distributed.net's mailing list. I once asked why it wouldn't be safe then, since distributed.net has a huge load of processing power due to the number of people that participate. Apparently it's fairly easy for a lot of companies/governments/etc to EASILY!! match that computational power.

> Hi,
> Bit off topic this, but I thought I'd ask anyway...
>
> I've been implementing a financial reporting system, in PHP, which will be
> running on the internet.
>
> Obviously, therefore, security is an issue. The system itself implements a
> username/password login system, but I want to be able to run it using SSL
> for obvious reasons.
>
> My problem is this: The server we have (Red Hat 7.0, Apache 1.3.14-3,
> open-ssl 0.9.5a-14, mod_ssl 2.7.1-3) came with ssl preconfigured and ready
> to use. It runs at 128 bit encryption which is fine as far as I'm
> concerned.
>
> The people who will be using the system, however, have a company standard
> browser which is IE 4 and only supports 40 bit encryption. And for various
> political reasons they don't want to upgrade all the browsers. So what I
> want to know is how easy it is to "turn down" the encryption level, and how
> to go about it.
>
> Any suggestions, pointers??? All the documentation I've come across thus
> far doesn't really cover anything like this
>
> Richy
>
> ==
> Richard Black
> Systems Programmer, DataVisibility Ltd - http://www.datavisibility.com
> Tel: 0141 435 3504
> Email: [EMAIL PROTECTED]
[PHP] PHP / SSL
Hi,

Bit off topic this, but I thought I'd ask anyway...

I've been implementing a financial reporting system, in PHP, which will be running on the internet.

Obviously, therefore, security is an issue. The system itself implements a username/password login system, but I want to be able to run it using SSL for obvious reasons.

My problem is this: The server we have (Red Hat 7.0, Apache 1.3.14-3, open-ssl 0.9.5a-14, mod_ssl 2.7.1-3) came with ssl preconfigured and ready to use. It runs at 128 bit encryption which is fine as far as I'm concerned.

The people who will be using the system, however, have a company standard browser which is IE 4 and only supports 40 bit encryption. And for various political reasons they don't want to upgrade all the browsers. So what I want to know is how easy it is to "turn down" the encryption level, and how to go about it.

Any suggestions, pointers??? All the documentation I've come across thus far doesn't really cover anything like this

Richy

==
Richard Black
Systems Programmer, DataVisibility Ltd - http://www.datavisibility.com
Tel: 0141 435 3504
Email: [EMAIL PROTECTED]
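Richard asks how to lower mod_ssl to 40-bit for IE 4; the replies in the thread argue for 128-bit SSL3 instead. As an added illustration that is not from any poster, here are the two mod_ssl settings side by side: what the downgrade amounts to, and the configuration the thread's advice boils down to. The directive names are mod_ssl's SSLProtocol and SSLCipherSuite and the cipher-list keywords are OpenSSL's; nothing here is taken from Richard's actual server configuration, which the thread does not show.

```apache
# Added illustration, not from the thread. Directive names are mod_ssl's; the
# cipher-list keywords (HIGH, MEDIUM, EXPORT, LOW, aNULL, eNULL, ADH) are OpenSSL's.

# What "turn it down for IE 4" amounts to: SSLv2 stays enabled and the
# export-grade (40-bit) and LOW suites remain negotiable. Any client that
# offers only those suites gets a 40-bit key, which is exactly the case the
# brute-force estimates in the thread apply to.
SSLProtocol all
SSLCipherSuite ALL:!ADH

# What the replies recommend: SSL3/TLS only (SSLv2 excluded for the session
# bugs Jerry mentions), 128-bit and stronger suites only, with export-grade,
# low-strength and unauthenticated suites excluded outright.
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW
```

Running `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW'` on the server prints the suites that string expands to under its OpenSSL build, which is the quickest way to confirm that no 40- or 56-bit suite is left in the list before restarting Apache. With the second configuration an IE 4 client limited to 40-bit suites simply fails the handshake, which is the trade-off Richard's question is really about.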
Re: [PHP] PHP SSL credit card transaction
http://www.openecho.com/php/echophp-1.4.tar.gz

I used this package, which requires cURL and for you to have set up a merchant account. Was really easy! As far as SSL, just make sure you are serving the pages in SSL (https) and all is fine. You can home roll your own shopping cart like I did or you can DL any open source cart and add hooks into openecho.. I would check the forum they have @openecho and see if anyone has a shopping cart that you can use!

GL,
ccma

- Original Message -
From: "Daniel Guerrier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 06, 2001 11:09 AM
Subject: [PHP] PHP SSL credit card transaction

> Can someone give me a brief synopsis or direct me to some
> information on how to create an ecommerce site using
> php. My main question is in the area of performing a
> secure credit card transaction. Do I need to use a
> third party shopping or can I create my own, if I
> create my own how do I integrate it with a credit
> authorizer? In addition how do I implement SSL with
> PHP when performing the transaction? Thanks in advance!!
[PHP] PHP SSL credit card transaction
Can someone give me a brief synopsis or direct me to some information on how to create an ecommerce site using php. My main question is in the area of performing a secure credit card transaction. Do I need to use a third party shopping or can I create my own, if I create my own how do I integrate it with a credit authorizer? In addition how do I implement SSL with PHP when performing the transaction? Thanks in advance!!