Tag Archives: Security

OpenId

11 Nov

OpenID is an open, loosely distributed single sign-on protocol. It looks at why Microsoft’s single sign-on has not taken off on a large scale, concluding that no one wants a single company storing all their details, and hence creates a distributed single sign-on protocol.

OpenIDs take the form of URLs:

exampleuser.livejournal.com

OpenID 1.1 Protocol Summary

OpenID specifications: http://openid.net/specs.bml

The OpenID 1.1 protocol specification in summary:

  • Identify the Identity Provider associated with the OpenID submitted by the End User.
  • Agree a shared key between the Consumer and the Identity Provider.
  • Redirect the End User to the Identity Provider to authenticate themselves with a password.
  • The End User gets redirected back to the Consumer with authentication data signed by the shared key.


Curl and Certificates with Windows PHP

6 Nov

Curl on a Windows PHP installation does not know where to look for certificates, so when you try to curl an https URL it fails. The default value for CURLOPT_SSL_VERIFYPEER is true, which means curl will always try to validate SSL certificates by default. I discovered this while working with an OpenID library (v1.2.3):
http://openidenabled.com/php-openid/

There is the option of disabling the verification:


$ch = curl_init();
// set URL and other appropriate options
// WARNING: this turns off certificate validation entirely
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

But that's ignoring the problem and opening a security hole! Instead, download a reputable certificate bundle file, for example:

http://curl.haxx.se/docs/caextract.html

Then set CURLOPT_CAINFO with the location of your certificate bundle.


// Only Windows needs an explicit bundle path
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
    curl_setopt($ch, CURLOPT_CAINFO, 'C:/certificates/cacert.pem');
}
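
The two snippets above combined into one request helper that keeps verification on and fails closed when the bundle is missing. This is an added example, not code from the original post or from the php-openid library; the function name fetch_verified, the default bundle path and the https://example.com/ URL are assumptions.

```php
<?php
// Added example: hypothetical helper, not part of php-openid.
// $caBundle is an assumed path; point it at the bundle you downloaded.
function fetch_verified($url, $caBundle = 'C:/certificates/cacert.pem')
{
    // Fail closed: a missing bundle must never lead to an unverified request.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // validate the certificate chain
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // certificate name must match the host
    curl_setopt($ch, CURLOPT_CAINFO, $caBundle);    // trust anchors used for validation

    $body = curl_exec($ch);
    if ($body === false) {
        // Surface the curl error instead of retrying without verification.
        $message = sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch));
        throw new RuntimeException($message);
    }
    return $body;
}

try {
    $body = fetch_verified('https://example.com/'); // assumed test URL
    echo strlen($body), " bytes fetched over verified TLS\n";
} catch (RuntimeException $e) {
    // Without a usable bundle, verification failures show up as curl error 60.
    error_log($e->getMessage());
}
```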