In-depth understanding of the SSL/TLS two-way authentication mechanism in PHP

In-depth understanding of the SSL/TLS two-way authentication mechanism in PHP

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are used to protect network communication security agreement. In PHP, we can use the OpenSSL extension to use the SSL/TLS protocol. The SSL/TLS protocol provides a two-way authentication mechanism to ensure authentication between the client and the server and ensure communication security. This article will delve into the mechanism of SSL/TLS two-way authentication in PHP and provide some code examples.

1. Create certificate

Two-way authentication requires both parties to have their own certificates. Generally speaking, the server needs to have a public key certificate, and the client needs to generate a public/private key pair and provide the public key to the server.

The server certificate can be created through the following steps:

$sslConfig = array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$sslContext = openssl_pkey_new($sslConfig);
openssl_pkey_export($sslContext, $privateKey);
$csr = openssl_csr_new(
    array(
        "commonName" => "example.com",
        "subjectAltName" => "www.example.com",
    ),
    $privateKey
);
openssl_csr_export($csr, $csrOut);
openssl_csr_sign($csr, null, $privateKey, 365);
openssl_x509_export($csr, $publicKey);

file_put_contents("server.key", $privateKey);
file_put_contents("server.csr", $csrOut);
file_put_contents("server.crt", $publicKey);

The client's public key/private key pair can be generated through the following steps:

$sslConfig = array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$sslContext = openssl_pkey_new($sslConfig);
openssl_pkey_export($sslContext, $privateKey);
$csr = openssl_csr_new(
    array(
        "commonName" => "client.example.com",
    ),
    $privateKey
);
openssl_csr_export($csr, $csrOut);
openssl_csr_sign($csr, null, $privateKey, 365);
openssl_x509_export($csr, $publicKey);

file_put_contents("client.key", $privateKey);
file_put_contents("client.csr", $csrOut);
file_put_contents("client.crt", $publicKey);

2. Configuration Server

The server needs to load the public key certificate and private key, and then perform two-way authentication.

Here is a simple example:

$sslOptions = array(
    "local_cert" => "server.crt",
    "local_pk" => "server.key",
);

$sslContext = stream_context_create(array(
    "ssl" => $sslOptions,
));

The above SSL context can then be used when creating the server:

$server = stream_socket_server(
    "ssl://0.0.0.0:443",
    $errno,
    $errorMessage,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
    $sslContext
);

In this example, the server will listen on the local 443 port , and use a trusted certificate for SSL communication.

3. Configuring the client

The client needs to load the public/private key pair and use its public key to shake hands with the server.

Here is a simple example:

$sslOptions = array(
    "local_cert" => "client.crt",
    "local_pk" => "client.key",
);

$sslContext = stream_context_create(array(
    "ssl" => $sslOptions,
));

The above SSL context can then be used when creating a client:

$client = stream_socket_client(
    "ssl://example.com:443",
    $errno,
    $errorMessage,
    30,
    STREAM_CLIENT_CONNECT,
    $sslContext
);

In this example, the client will connect to example .com's port 443 and use its public key to perform an SSL handshake with the server.

4. Verify two-way authentication

Once both parties successfully establish a connection and use SSL/TLS for handshake, two-way authentication can be performed.

The following is a simple example:

Server side:

$peerCertificate = openssl_x509_parse(stream_context_get_params($client)["options"]["ssl"]["peer_certificate"]);

if ($peerCertificate["subject"]["CN"] === "client.example.com") {
    // 鉴权成功
} else {
    // 鉴权失败
}

Client side:

$peerCertificate = openssl_x509_parse(stream_context_get_params($client)["options"]["ssl"]["peer_certificate"]);

if ($peerCertificate["subject"]["CN"] === "example.com") {
    // 鉴权成功
} else {
    // 鉴权失败
}

In this example, both server side and client side will Parse the other party's certificate and check that the common name (CN) in the certificate is as expected. If authentication fails, the certificate may not match or the certificate may have been tampered with.

Conclusion

By deeply understanding the SSL/TLS two-way authentication mechanism in PHP, we understand how to generate certificates, configure servers and clients, and perform two-way authentication verification. The SSL/TLS two-way authentication mechanism can ensure secure communication between the server and the client and improve the security of data transmission. In actual development, we should reasonably configure and use SSL/TLS two-way authentication according to actual needs.

The above is the detailed content of In-depth understanding of the SSL/TLS two-way authentication mechanism in PHP. For more information, please follow other related articles on the PHP Chinese website!