Sslurp is a simple library which aims to make properly dealing with SSL in PHP suck less.

Sslurp

v1.0 by Evan Coury

Introduction

Dealing with SSL properly in PHP is a pain in the ass and completely insecure by default. Sslurp aims to make it easier to use SSL in PHP safely and securely. Sslurp can be used as a stand-alone library, CLI tool, or a ZF2 module.

Note: Sslurp requires PHP with OpenSSL support. This is standard in most Linux distributions' PHP packages, otherwise you need to compile PHP using --with-openssl[=DIR].

Features / Usage

Root CA bundle management

Sslurp provides CLI and OOP interfaces for generating a trusted root Certificate Authority (CA) bundle using certdata.txt from the source tree of Mozilla's Network Security Services (NSS) libraries and keeping it up-to-date. The resulting root CA bundle includes the certificates vetted according to the Mozilla Root Certificate Program — the same root CA bundle trusted by cURL, Firefox, Chrome, and many other applications, libraries, languages, and operating systems.

Sslurp takes additional steps to protect against MITM attacks while fetching certdata.txt from Mozilla's source tree, ensuring that the generated bundle is truly authentic. When connecting to Mozilla's mxr.mozilla.org domain to fetch the updated certdata.txt, Sslurp forces the use of verified SSL. Sslurp uses the following process to establish the initial trust of the SSL certificate on mxr.mozilla.org:

  • Check the SSL_CERT_FILE environment variable (used by OpenSSL). If the value is the path to a readable file and valid certificate bundle, Sslurp will use it.
  • If the SSL_CERT_FILE is not set or points to a non-existent / invalid certificate bundle, Sslurp will search several known/expected locations for the root CA bundle and use the first valid bundle found.
  • If a valid bundle is not found in any of the expected paths, Sslurp will finally fall back to using a bundled, pre-verified copy of the root CA's public key which established trust for the mxr.mozilla.org certificate (Equifax Secure Certificate Authority at least until November 2013).

As if that's not enough, Sslurp additionally uses public key pinning to further verify the authenticity of communications with Mozilla's mxr.mozilla.org domain. If the public key pin for mxr.mozilla.org changes before the expiration date of the current certificate, Sslurp will begin to throw an exception and refuse to update the root CA bundle. If the public key pin changes within the final month before, or after, the expiration date of the current certificate (November 2013), Sslurp will begin throwing a PHP notice encouraging you to update your copy of Sslurp to get the latest pin.
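
The bundle search order and the pin check described above, as an added example in PHP (this is not Sslurp's own code). It assumes a pin format of base64(SHA-256(DER SubjectPublicKeyInfo)), since the page does not state the format Sslurp uses; the candidate bundle paths are common distribution defaults, and the host, pin and bundled-root path at the bottom are placeholders.

```php
<?php
// Added example, not Sslurp's own code: locate a root CA bundle in the order
// the README describes (SSL_CERT_FILE, known paths, bundled fallback), then
// open a verified TLS connection and compare the peer's SubjectPublicKeyInfo
// against a pin. The pin format (base64 of SHA-256 over the DER SPKI) is an
// assumption; the page does not state the format Sslurp itself uses.

// Candidate bundle locations on common platforms (extend to taste).
const CA_BUNDLE_CANDIDATES = [
    '/etc/ssl/certs/ca-certificates.crt',     // Debian, Ubuntu
    '/etc/pki/tls/certs/ca-bundle.crt',       // RHEL, Fedora
    '/etc/ssl/ca-bundle.pem',                 // openSUSE
    '/usr/local/share/certs/ca-root-nss.crt', // FreeBSD
    '/etc/ssl/cert.pem',                      // OpenBSD, macOS
];

/** A bundle is valid only if it is readable and every PEM block parses as X.509. */
function isValidPemBundle(string $path): bool
{
    if (!is_readable($path)) return false;
    $n = preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
                        file_get_contents($path), $blocks);
    if ($n < 1) return false;
    foreach ($blocks[0] as $pem) {
        if (openssl_x509_parse($pem) === false) return false;
    }
    return true;
}

/** Search order: SSL_CERT_FILE, then known paths, then the caller's bundled fallback. */
function locateCaBundle(string $fallback): string
{
    $env = getenv('SSL_CERT_FILE');
    if ($env !== false && isValidPemBundle($env)) return $env;
    foreach (CA_BUNDLE_CANDIDATES as $path) {
        if (isValidPemBundle($path)) return $path;
    }
    return $fallback;
}

/** base64(SHA-256(DER SubjectPublicKeyInfo)) of the certificate's public key. */
function spkiPin($cert): string
{
    $pem = openssl_pkey_get_details(openssl_pkey_get_public($cert))['key'];
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $pem), true);
    return base64_encode(hash('sha256', $der, true));
}

/** Open a verified TLS connection; throw rather than talk to an unpinned peer. */
function connectPinned(string $host, string $expectedPin, string $caFile)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'peer_name'         => $host,   // PHP < 5.6 used 'CN_match' instead
        'cafile'            => $caFile,
        'capture_peer_cert' => true,    // exposes the leaf cert after the handshake
    ]]);
    $stream = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
                                    STREAM_CLIENT_CONNECT, $ctx);
    if ($stream === false) {
        throw new RuntimeException("TLS to $host failed: $errstr ($errno)");
    }
    $peer   = stream_context_get_params($stream)['options']['ssl']['peer_certificate'];
    $actual = spkiPin($peer);
    if (!hash_equals($expectedPin, $actual)) {
        fclose($stream);
        throw new RuntimeException("Public key pin mismatch for $host (got $actual)");
    }
    return $stream;
}

// Placeholders: substitute the host you pin, its real pin, and your bundled root.
$host        = 'example.invalid';
$expectedPin = 'REPLACE_WITH_BASE64_SHA256_SPKI_PIN';
$stream = connectPinned($host, $expectedPin, locateCaBundle(__DIR__ . '/bundled-root.pem'));
fwrite($stream, "HEAD / HTTP/1.0\r\nHost: $host\r\n\r\n");
echo fgets($stream);
fclose($stream);
```

The pin comparison runs after, not instead of, normal chain validation (verify_peer and verify_peer_name stay on), so a mismatch means either the server rotated its key or the connection is being intercepted; in both cases refusing to proceed is the safe default. The bundled fallback root needs the same maintenance the README asks of users: when the pinned host moves to a different CA, the fallback file must be replaced along with the pin.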

You are STRONGLY ENCOURAGED to be using the latest version of Sslurp at all times.

CLI root CA bundle updater

./bin/update-ca-bundle is a handy command-line tool for fetching, building, and subsequently updating a root CA bundle in PEM format for use with PHP's OpenSSL support, curl, libcurl, php_curl, etc. The output is fully compatible with that of mk-ca-bundle.pl, the script used to generate cURL's trusted bundle.

Sslurp Root CA Bundle Updater

Usage:
 bin/update-ca-bundle [--stdout]
 bin/update-ca-bundle -o[output_file]

Options
 -o      	Path/filename to the file to (over)write the updated root CA bundle. Defaults to ca-bundle.pem
 --stdout	Do not write file, send output to stdout instead.
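
The conversion the CLI tool performs, from Mozilla's certdata.txt to a PEM bundle of roots trusted for server authentication, as an added example in PHP (not Sslurp's own code and not mk-ca-bundle.pl). It pairs certificate objects with their trust objects by CKA_LABEL, which is an assumption made for brevity, and the embedded certdata.txt sample is constructed: its CKA_VALUE bytes are not real certificates.

```php
<?php
// Added example, not Sslurp's own code: select the server-auth trusted roots
// from certdata.txt and emit them as PEM, as mk-ca-bundle.pl does. Certificate
// and trust objects are paired by CKA_LABEL (an assumption made for brevity).

/** Decode a MULTILINE_OCTAL body such as "\060\202..." into raw DER bytes. */
function decodeOctal(string $body): string
{
    preg_match_all('/\\\\([0-7]{3})/', $body, $m);
    return implode('', array_map(fn ($o) => chr(octdec($o)), $m[1]));
}

/** Record a finished object: DER by label, and the labels trusted for server auth. */
function flushObject(?array $obj, array &$certs, array &$trusted): void
{
    if ($obj === null || !isset($obj['CKA_LABEL'])) return;
    if ($obj['CKA_CLASS'] === 'CKO_CERTIFICATE' && isset($obj['CKA_VALUE'])) {
        $certs[$obj['CKA_LABEL']] = $obj['CKA_VALUE'];
    } elseif (in_array($obj['CKA_CLASS'], ['CKO_NSS_TRUST', 'CKO_NETSCAPE_TRUST'], true)) {
        // Older certdata.txt revisions spell the trust constants CKT_NETSCAPE_*.
        $ok = ['CKT_NSS_TRUSTED_DELEGATOR', 'CKT_NETSCAPE_TRUSTED_DELEGATOR'];
        if (in_array($obj['CKA_TRUST_SERVER_AUTH'] ?? '', $ok, true)) {
            $trusted[$obj['CKA_LABEL']] = true;
        }
    }
}

/** Parse certdata.txt; return [label => DER] for server-auth trusted roots only. */
function parseCertData(string $text): array
{
    $certs = $trusted = [];
    $current = null;                                   // object being read
    $lines = preg_split('/\r?\n/', $text);
    for ($i = 0, $n = count($lines); $i < $n; $i++) {
        $line = trim($lines[$i]);
        if ($line === '' || $line[0] === '#') continue;
        if (strpos($line, 'CKA_CLASS ') === 0) {       // a new object starts
            flushObject($current, $certs, $trusted);
            $current = ['CKA_CLASS' => substr($line, strrpos($line, ' ') + 1)];
        } elseif ($current === null) {
            continue;                                   // e.g. the BEGINDATA marker
        } elseif (preg_match('/^(\S+) MULTILINE_OCTAL$/', $line, $m)) {
            $body = '';
            while (++$i < $n && trim($lines[$i]) !== 'END') $body .= $lines[$i];
            $current[$m[1]] = decodeOctal($body);
        } elseif (preg_match('/^(\S+) UTF8 "(.*)"$/', $line, $m)) {
            $current[$m[1]] = stripcslashes($m[2]);
        } elseif (preg_match('/^(\S+) \S+ (\S+)$/', $line, $m)) {
            $current[$m[1]] = $m[2];                    // CK_BBOOL / CK_TRUST values
        }
    }
    flushObject($current, $certs, $trusted);
    return array_intersect_key($certs, $trusted);
}

/** Emit the bundle in mk-ca-bundle.pl's layout: label, underline, PEM block. */
function toPemBundle(array $certs): string
{
    $out = '';
    foreach ($certs as $label => $der) {
        $out .= "\n$label\n" . str_repeat('=', strlen($label)) . "\n-----BEGIN CERTIFICATE-----\n"
              . chunk_split(base64_encode($der), 64, "\n") . "-----END CERTIFICATE-----\n";
    }
    return $out;
}

// Constructed sample in certdata.txt syntax; the CKA_VALUE bytes are not a real
// certificate. "Demo Root B" is not trusted for server auth and must be dropped.
$sample = <<<'TXT'
BEGINDATA
# Certificate "Demo Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Demo Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
\003\004
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Demo Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Demo Root B"
CKA_VALUE MULTILINE_OCTAL
\060\202\011\012
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Demo Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
TXT;

$trusted = parseCertData($sample);
assert(array_keys($trusted) === ['Demo Root A']);
assert($trusted['Demo Root A'] === "\x30\x82\x01\x02\x03\x04");
echo toPemBundle($trusted);
```

The point of filtering on CKA_TRUST_SERVER_AUTH is that certdata.txt also carries roots that Mozilla trusts only for e-mail or not at all (CKT_NSS_MUST_VERIFY_TRUST, or explicitly distrusted entries); copying every CKO_CERTIFICATE object into the bundle would widen the trust store beyond what Firefox itself accepts for TLS.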

Using Sslurp as a library

In addition to the CLI tool, Sslurp can be used as a library through the OOP interface. The source is the API documentation.

<?php
require_once 'vendor/Sslurp/autoload_register.php';

$bundle = new \Sslurp\CaRootPemBundle('ca-bundle.pem');

if ($bundle->isLatest()) {
    echo 'Your CA root bundle is up to date!' . PHP_EOL;
} else {
    echo 'WARNING! Your CA root bundle is out of date!' . PHP_EOL
       . 'Local CA root bundle is version ' . $bundle->getVersion() . '. '
       . 'Latest version available from Mozilla is ' . $bundle->getMozillaCertData()->getVersion() . '.' . PHP_EOL;

    echo 'Updating...';
    $bundle->update();
    echo "\tDone!" . PHP_EOL;
}

Installation

Composer / Packagist

./composer.phar require evandotpro/sslurp

Normal

The ./bin/update-ca-bundle CLI tool will "just work" out of the box.

Sslurp can easily be used in any existing project, framework, or library.

To use Sslurp as a library in your project, the easiest method is to simply include the autoload_register.php file:

require_once 'vendor/Sslurp/autoload_register.php';

Alternatively, if your project supports loading classmap arrays, you may fetch the classmap without registering an additional SPL autoloader:

$classmap = include 'vendor/Sslurp/autoload_classmap.php';
// Register $classmap with your project's existing classmap autoloader

If you have an existing SPL autoloader that allows adding a callable to a stack instead of directly registering the classmap array, you have the option of simply getting a closure which can autoload the Sslurp classes:

$sslurpLoader = include 'vendor/Sslurp/autoload_function.php';
// $sslurpLoader is a closure that can be registered with an existing autoloader

To-Do

  • Paranoia level 1000 - Test environment for the ability to call the OpenSSL executable, and if possible, make use of OCSP to further verify the validity of the mxr.mozilla.org domain.

License

Sslurp is released under the BSD license. See the included LICENSE file.

The generated root CA bundle file is simply a converted version of the original and as such, it is licensed under the same licenses as the Mozilla source: MPL v2.0, GPL v2.0 or LGPL 2.1. See nss/COPYING for details.

Comments
  • Mozilla

    Mozilla

    PHP Notice: WARNING: mxr.mozilla.org certificate pin may be out of date. If you continue to see this message after updating Sslurp, please file an issue at https://github.com/EvanDotPro/Sslurp/issues.

    opened by tasselchof 0
  • Update certdata.txt source location

    Update certdata.txt source location

    The current source for certdata.txt is rather old, not having received an update since 2012-12-29. According to Mozilla's CA Store page, the most recent public version is available in the mozilla-central tree (last updated 2015-04-20, at time of writing).

    This is a simple change on the surface, however the new location does not have the old CVS revision embedded in the file. Changing the location builds the most recent certificate bundle from the CLI, but tests fail due to not being able to determine the certdata.txt version number.

    I haven't looked at how important the version number is to the workings of the library, but either it will need to be determined via some other method or dropped completely.

    opened by rchouinard 0
  • Update Mozilla's CA and expiration timestamp

    Update Mozilla's CA and expiration timestamp

    Mozilla used DigiCert as their new CA for mxr.mozilla.org, replacing Equifax. This commit replaces the bundled Equifax certificate with DigiCert's, as well as updating the expiration timestamp for mxr.mozilla.org's new certificate. The public key pin remains the same.

    This commit also adds PHP 5.6 compatibility by replacing the context option CN_match with peer_name for PHP 5.6 environments.

    opened by rchouinard 0
  • Fatal error when I run the tests

    Fatal error when I run the tests

    First I used PR that updated the pinned version of the certificate. Then I tried running the tests on my machine php 5.5.9.

    phpunit -c test/phpunit.xml --filter testMozillaCertDataOnlineCheck2
    PHPUnit 4.4.1 by Sebastian Bergmann.
    
    Configuration read from .../Sslurp/test/phpunit.xml
    
    PHP Fatal error:  String size overflow in ..../Sslurp/src/Sslurp/MozillaCertData.php on line 138
    
    Fatal error: String size overflow in ..../Sslurp/src/Sslurp/MozillaCertData.php on line 138
    
    opened by mikeSimonson 1
Owner
Evan Coury