Implementing PHP cURL Verifypeer Option in Applications Requiring SSL Certificate Verification

Number: IN11-003
Date: 20 December 2011

Purpose

The goal of this Information Note is to raise awareness of a common but potentially insecure implementation of the PHP cURL option used to verify SSL certificates.

Assessment

The PHP Hypertext Preprocessor is a flexible server-side scripting language. It allows developers to dynamically generate HTML pages. PHP implements a number of standard code libraries including Client URL (cURL or libcurl). The cURL library provides a set of functions that allows establishing connections using various communication protocols including HTTPS. This library is also responsible for implementing security features such as the validation of SSL certificates when establishing HTTPS connections. The cURL library is commonly used by web application developers, particularly in electronic commerce and payment processing applications, to establish secure connections between systems hosted on different network segments, such as connections to third-party payment card processing services.

Within the PHP cURL library, the curl_setopt function allows for the setting of a number of run-time options, including the configuration of how SSL certificates will be verified against relevant Certificate Authorities. The option CURLOPT_SSL_VERIFYPEER defines whether the library will attempt trust validation of SSL certificates when establishing secure connections. When enabled cURL will attempt to verify the remote server's certificate against one or more trusted Certificate Authorities as defined by either of the configuration options CURLOPT_CAINFO or CURLOPT_CAPATH. The CURLOPT_SSL_VERIFYPEER option is enabled by default, and on certain platforms a list of Certificate Authorities is predefined. Unfortunately, this validation framework is often disabled entirely by developers setting the CURLOPT_SSL_VERIFYPEER option to "0" or "false". When peer verification is disabled, SSL certificates are not trust-validated by cURL. Failure of the application to properly validate SSL certificates provides opportunity for a number of man-in-the-middle attack scenarios, potentially leading to interception and modification of data in transit.

The cURL functions are often used for server-to-server communications, and as a result, application operators, such as merchants in electronic commerce, may not be aware that their applications are transacting using potentially unsecured communications channels.

Because software packages are generally provided in source-code, the developer and site operator should ensure security features are enabled according to the sensitivity and expectation of privacy of the data transmitted.

Suggested Action

CCIRC recommends that operators of web applications that implement TLS/SSL connections for transmitting sensitive information using the PHP cURL library verify that the CURLOPT_SSL_VERIFYPEER option is set to boolean value True, or integer value 1, and ensure failure to return a successful verification results in a failed connection error rather than establishment of an untrusted and unsecured connection. Searching application source code directory for the entries similar to the following will provide indications of the settings used in your cURL implementation:

Examples:

CCIRC recommends that transaction processing organizations review and ensure that their distributed PHP APIs enforce proper implementation of certificate verification by affiliated merchants and partners accordingly.

Where possible, it is recommended that developers of secure applications PIN certificate validation against the specific CA certificate that will be used. This can be achieved using the CURLOPT_CAINFO option and distributing the associated public CA certificate alongside program code in the same software package. Consult the reference material below for detailed implementation instructions.

CCIRC recommends that operators of web applications regularly verify availability of updates and patches for their software packages, as well as test and deploy these in a timely manner, accordingly.

Credit

CCIRC would like to thank Kevin McArthur from StormTide Digital Studios Inc. and Tamir Israel from Canadian Internet Policy and Public Interest Clinic (CIPPIC) for their research and contribution to this product.

References

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca

Date modified: