1
votes

I originally had a connection between my two servers running with CURLOPT_SSL_VERIFYPEER set to "false" and no Common Name in the SSL cert, to avoid errors. The following is the client code that connected to the server with the certificate:

// Do not verify the server certificate against any CA bundle
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
// Require the name in the certificate to match the host name in the URL
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

However, I recently changed this code (set it to true) and specified the computer's certificate in PEM format.

// Verify the server certificate against the file given in CURLOPT_CAINFO
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
// Require the name in the certificate to match the host name in the URL
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// Trust only this certificate: the server's own certificate, in PEM format
curl_setopt($ch, CURLOPT_CAINFO, getcwd().'/includes/hostcert/Hostname.crt');

This worked great on the local network from a test machine, as the certificate is signed with its hostname as the CN. How can I set up the PHP code so it only trusts the hostname computer and maintains a secure connection?

I'm well aware you can just set CURLOPT_SSL_VERIFYHOST to "0" or "1" and CURLOPT_SSL_VERIFYPEER to "false", but these are not valid solutions as they break the SSL security.

My /etc/hosts file is as follows:

#<ip-address>   <hostname.domain.org>   <hostname>
127.0.0.1       localhost.localdomain   localhost ExampleHostName
::1             localhost.localdomain   localhost

1 Answer

2
votes

You need to generate a certificate with a valid host name, as requested by the client. If you've used machine.local for your internal name, but now want to use external clients calling it via machine.example.org, then you need the certificate you use to be valid for machine.example.org.

If you need both (since the same machine may be called with different host names), use the Subject Alternative Name extension and put multiple DNS entries in your certificate.
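As an added example that is not part of the original question or answer, the following script shows the answer's advice in practice with OpenSSL. It generates a self-signed server certificate twice, once with a single name and once with a Subject Alternative Name listing several DNS names, then checks which host names each certificate is valid for under the same trust setup as the asker's PHP client: the server's own certificate is the only trust anchor (what CURLOPT_CAINFO points at) and the host name must match (CURLOPT_SSL_VERIFYHOST set to 2). The host names machine.local and machine.example.org come from the answer; the working directory, file names and labels are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the original question or answer.
# Builds self-signed certificates with OpenSSL and checks host name matching with
# the certificate itself as the only trust anchor, mirroring CURLOPT_CAINFO pointing
# at the server cert plus CURLOPT_SSL_VERIFYHOST = 2 in the asker's PHP client.
# Host names taken from the answer; WORK directory and file names are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

# gen_cert <label> <name1>[,<name2>...]
# Writes $WORK/<label>.key and $WORK/<label>.crt. The first name becomes the CN and
# every name is added to the subjectAltName extension as a DNS entry.
gen_cert() {
  label="$1"; names="$2"
  cn="${names%%,*}"
  sans=$(printf '%s' "$names" | sed 's/[^,][^,]*/DNS:&/g')
  cat > "$WORK/$label.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
subjectAltName = $sans
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/$label.cnf" \
    -keyout "$WORK/$label.key" -out "$WORK/$label.crt" >/dev/null 2>&1
}

# host_result <cert.pem> <hostname>
# Prints OK when <cert.pem> verifies with itself as the only trusted certificate
# AND is valid for <hostname>; prints MISMATCH otherwise.
host_result() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo MISMATCH
  fi
}

# san_names <cert.pem>: the DNS names a client will accept for this certificate.
san_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | tr '\n' ' '
}

# One certificate for the internal name only, one valid for both names.
gen_cert single "machine.local"
gen_cert multi  "machine.local,machine.example.org"

for pair in single:machine.local single:machine.example.org \
            multi:machine.local  multi:machine.example.org; do
  label="${pair%%:*}"; host="${pair#*:}"
  echo "$label.crt (SAN: $(san_names "$WORK/$label.crt")) for $host: $(host_result "$WORK/$label.crt" "$host")"
done
```

The single-name certificate is rejected for machine.example.org while the SAN certificate passes for both names; nothing in the client has to change, only the certificate does. Once the certificate lists the name that appears in the URL, the asker's setup (CURLOPT_SSL_VERIFYPEER true, CURLOPT_SSL_VERIFYHOST 2, CURLOPT_CAINFO pointing at that one PEM file) accepts exactly that certificate for exactly those names. Note that a URL using an IP address such as https://127.0.0.1/ is matched against IP SAN entries, not DNS ones, so connect by the host name listed in the certificate (or add an `IP:` entry to subjectAltName).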