Community Learn Tools Library Leisure
search
English
cURL with SSL verification works, but how to verify it's encrypted?
P粉155832941
P粉155832941 2024-01-16 12:51:08
0
1
401

I own 2 websites, example.com and domain.com. Both DNS are hosted on Cloudflare. Cloudflare offers free SSL/TLS encryption on its dashboard. Both sites are set to full encryption mode that forces HTTPS rewrite. example.com is hosted on WebHostingA and domain.com is hosted on HosterB.

I want to get the content from example.com/test.php using domain.com.

Code: domain.com/get-contents.php

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://example.com/test.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, TRUE);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); 
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, ['username' => 'Bob']);
$response = curl_exec($ch);
var_dump($response);

Code: example.com/test.php

if (isset($_POST['username']) && ctype_alpha($_POST['username'])) {

    echo($_POST['username'] . " You got my contents!");

} else {
    echo("Nope!");
}

I am able to successfully return the content from example.com/test.php (Bob you got my content!). However, my concern is that I don't have to provide any kind of certificate in the cURL code. How do I check if content sent from domain.com is encrypted and content received from example.com is encrypted? My goal is to transfer data securely between these two websites.

P粉155832941
P粉155832941

reply all(1)
P粉505450505
P粉5054505052024-01-17 11:07:00 1 floor

First you use the https scheme, which means curl uses tls to connect. https://example.com/test.php and http://example.com/test.php are different URLs, curl itself will not change the scheme.

Second - In some cases, the server side may redirect to plain http. To make sure there are no redirects and the connection is encrypted, you can try using the curl_getinfo() function and check the CURLINFO_EFFECTIVE_URL and CURLINFO_SSL_VERIFYRESULT fields like this: 

$r = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT);
$url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);

$r should be 0 and $url should start with https://.

You can also use tcpdump on any of this servers to log the request and try to check the dump for any pure data. 

[server1]# tcpdump -l -n -s 0 -w dump.pcap host server2.ip.addres

You will see the connected port and log the captured data into the dump.pcap file. If one of the ports is 443 - your traffic is sent using tls. You can also analyze the dump.pcap file later in wireshark or just use the strings command.

Like +0
Add Reply
Popular Topics
More>
Popular Articles
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template