0

Please take a look at this code:

<?php
$url = "the_source_url";  
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$result = curl_exec($ch);
print_r($result);
?>

This page is accessed by my Android app to get a date from some source. The url returns a json data, which I print back, then, in my app, I process the data and display it. This is working fine for me right now (I'm still in the testing phase).

I read in SO that disabling the SSL (whih I did in line 6) is risky and not recommended. However, I couldn't make my script work unless I disable it.

How to make it work without disabling the SSL? Or how to eliminate the risk?

Improve this question

2 Answers 2

Reset to default
2

Disabling the certificate would make you vulnerable to man in the middle attack, You can download use the certificate 

curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt ($ch, CURLOPT_CAINFO, "PATH_TO_CERTIFICATE/cert.pem");

To get the certificate follow this guide

Then click on “View Certificate”:

enter image description here

Bring up the “Details” tab of the cerficates page, and select the certificate at the top of the hierarchy. This is the CA certificate.

enter image description here

Then click “Export”, and save the CA certificate to your selected location, making sure to select the X.509 Certificate (PEM) as the save type/format.

enter image description here

Image Source : http://unitstep.net/

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I'm using Google Places API. I couldn't find a certificate for it!
Download the certificate then use it ..
0

You need to add the option CURLOPT_SSL_VERIFYHOST and set it to false:

curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

This disables SSL host verification so that you can access a host which uses a self-signed certificate. If the host has a valid certificate then check @Baba's answer

Security considerations:

The connection is encrypted and can't being sniffed that easy. But you can not make sure that the the server is the server. So a hacker could sniff traffic using a man in the middle attack. If you want to get sure you'll have to go @Babas way and import the certificate from the server

Improve this answer

3 Comments

This would do what exactly?
Disables SSL host verification so that you can access a host which hasn't a signed certificate. Refer to the manual, I've linked it
Isn't that what CURLOPT_SSL_VERIFYPEER does? Which I believe is not safe in terms of security?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.