cURL transfer

Started by anri, Aug 12, 2022, 02:39 AM


anri (Topic starter)

I need to transfer important files from one website to another. It was decided to choose cURL because of its versatility. It is important to make sure that the recipient site receives exactly what I sent.

The transfer takes place over SSL. A key is sent along with the files; it is stored only on the sending website and on the receiving site. Whether the files are intercepted is not important; it is important that the recipient site does not accept fake files. In no case. What can be done to secure the process?

Rimmon

Sign the request.
Something like this: there is a secret key that must be known to both the sender and the recipient. Then, for instance, in the Authorization header we pass a signature calculated as sha256(request_body + secret).

The receiving server verifies that the signature matches the particular file. In addition to the request body and key, you can use any other data to generate the signature; the hashing algorithm can also be replaced.
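The signing scheme from the reply above, as an added example that is not part of the original post: it uses HMAC-SHA256 in place of the plain sha256(request_body + secret), and a timestamp as the "other data" so that an old signed request cannot be resent later. The header layout, MAX_SKEW, the function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Header layout and MAX_SKEW are assumptions.
const MAX_SKEW = 300; // seconds a signed request stays acceptable (assumed policy)

// Sender: build the Authorization header value for a request body.
function sign_request(string $body, string $secret, int $timestamp): string
{
    $mac = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
    return "HMAC-SHA256 t=$timestamp,sig=$mac";
}

// Receiver: accept the body only if the header parses, is fresh, and the MAC matches.
function verify_request(string $body, string $header, string $secret, int $now): bool
{
    if (!preg_match('/^HMAC-SHA256 t=(\d{1,12}),sig=([0-9a-f]{64})$/', $header, $m)) {
        return false; // missing or malformed header
    }
    $timestamp = (int) $m[1];
    if (abs($now - $timestamp) > MAX_SKEW) {
        return false; // stale signature, e.g. a resent old request
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
    return hash_equals($expected, $m[2]); // constant-time comparison
}

// Constructed sample data (not real keys or files)
$secret = 'constructed-shared-secret';
$body   = "constructed file contents\n";
$sentAt = 1660271940;
$header = sign_request($body, $secret, $sentAt);

var_dump(verify_request($body, $header, $secret, $sentAt + 10));       // genuine request
var_dump(verify_request($body . 'x', $header, $secret, $sentAt + 10)); // modified body
var_dump(verify_request($body, $header, 'other-key', $sentAt + 10));   // signed with another key
var_dump(verify_request($body, $header, $secret, $sentAt + 3600));     // same request, an hour later
```

On the sending side the header value goes into CURLOPT_HTTPHEADER alongside the body in CURLOPT_POSTFIELDS; the receiver runs the check on the raw body read from php://input before storing anything.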

Executive Modcar

For curl, the contents of the pem file should look approximately like this:

-----BEGIN CERTIFICATE-----
MIICoTCCAgoCAUUwDQYJKoZIhvcNAQEEBQewfsAwgaQxCzAJBgNVBAYTAlJVMQwwCgYD
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BAD99sd68972692C9D

DqcMvBR7c6podfhYPgPzLy+W4WrCR9pZZuSBxiuhIlfgOLWqFNeQfUZSJ7R4PeJrz+
-----END RSA PRIVATE KEY-----

Accessing the page:
URL - URL of the authorization page
FILE_PEM_FORMAT - full path to the certificate
PASSWORD - the password of the certificate (if installed)

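// URL, FILE_PEM_FORMAT and PASSWORD are the placeholders described above
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, URL);
// Verify the server certificate and host name (use CURLOPT_CAINFO for a private CA)
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// Client certificate (PEM file with certificate and private key) and its password
curl_setopt($ch, CURLOPT_SSLCERT, FILE_PEM_FORMAT);
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, PASSWORD);
// Return the response as a string so that echo prints the body
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);
curl_close($ch);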