
Sameer Borate:
Switching WordPress to HTTPS
Sep 14, 2017 @ 09:19:38

On his site Sameer Borate gives you a quick tutorial on how to migrate your WordPress site to HTTPS to help secure the communications between it and your users.

Finally, after much deliberation, I decided to move my blog to https. For the past few months I had encountered articles pointing out that Google gives a higher ranking for sites served over https. I had decided against https as I was afraid it may slow down my blog. However, the [a message about Chrome's HTTP/HTTPS support] from Google forced me to take the issue seriously and finally move to https.

[...] Luckily during the same time GoDaddy was offering SSL certificates at a discounted price. So taking this as a sign I bought the SSL certificate and moved my blog to HTTPS. Surprisingly installing SSL on GoDaddy was a breeze. There was no configuration involved and the SSL certificate was applied within a few minutes.

He assumes that you know how to get the certificate installed, so that part isn't covered. He does cover moving the WordPress site itself over, including the changes that need to be made to the web server and WordPress application configurations. He ends the post by briefly talking about the speed difference he saw with the site (hint: not much).

tagged: wordpress https secure certificate settings tutorial configuration

Link: https://www.codediesel.com/wordpress/switching-wordpress-https/

Freek Van der Herten:
Validating SSL certificates with PHP
Jul 28, 2016 @ 10:45:56

In a new post to his site Freek Van der Herten shares some code he's worked up to validate SSL certificates in PHP to ensure they're correct when accessing a remote site.

With vanilla PHP it’s possible to check if the SSL certificate of a given site is valid. But it’s kinda madness to do it.

He starts with the code required to do it including:

..then on to parsing the certificate and its "valid time" timestamps. He stops there, however, and advocates that you instead try out this package (one developed by him) to make the validation a two-line process. He also describes some of the other methods the package includes to get things like the issuer, the domain and any additional domains the certificate covers. Be aware that if you're planning on using it you'll need OpenSSL support in your PHP installation, as it's required for the connection and validation.

tagged: package certificate ssl validate openssl example

Link: https://murze.be/2016/07/validating-ssl-certificates-php/

Using Let's Encrypt SSL With Your WordPress Project
May 24, 2016 @ 12:53:11

The TutsPlus.com site has posted a tutorial for the WordPress users out there about using Let's Encrypt and SSL certificates to easily secure your installation.

For years, purchasing, renewing, installing and managing SSL certificates overwhelmed me with expense and complexity. Now, Let's Encrypt makes it fairly simple and free.

Let’s Encrypt is an emerging, free, automated, and open certificate authority brought to you by a California public benefit corporation called the Internet Security Research Group—it also has nonprofit status. [...] In this tutorial, I'll walk you through installing Let's Encrypt on a few of my websites, including my WordPress consulting website, http://lookahead.io, soon to be https://.

You'll need to be a bit comfortable working at the command line to use the Let's Encrypt client, but they walk you through each step of the process, explaining everything along the way. They start with a basic list of features the Let's Encrypt service provides and the requirements you'll need to get started. Screenshots of the setup wizard are included, along with the "one small difference" you'll need to make when using it with WordPress. They link to the SSL Labs site to help you verify the certificate is working as expected and finish with setting up the auto-renewal of the certificate via a simple cron job.

tagged: wordpress letsencrypt install setup configure ssl certificate free

Link: http://code.tutsplus.com/tutorials/using-lets-encrypt-ssl-with-your-wordpress-project--cms-22303

Niklas Keller:
Let's Encrypt with PHP
Mar 16, 2016 @ 13:05:32

The introduction of the LetsEncrypt free SSL certificate service has made moving your site to SSL-only a much easier process than ever before. They've made it even easier by allowing automation around certificate setup and renewal. In this post to his site Niklas Keller shows you how to use a PHP implementation of a tool to set up and refresh your certificates automatically.

Let’s Encrypt, the free and automated CA, started late last year into their public beta. They offer a pretty comprehensive client to automate the process of getting SSL clients and installing them. It will soon be moved to a new home at EFF.

If you’re already using PHP and don’t need / want the automatic installation of your free certificates or don’t want to install Python, here’s a client for you. kelunik/acme-client is able to issue and renew certificates using your already running webserver (e.g. Nginx or Apache). It’s using the http-01 challenge to prove your domain ownership / control to Let’s Encrypt.

He shows how to use the client to set up a new LetsEncrypt account (if you don't already have one) and issue a certificate through a few command line calls. He then shows how to automate the process to check your certificate expiration and load the updated certificates. He also includes an example of the command to revoke a certificate, just in case.

tagged: letsencrypt ssl certificate client acme example refresh issue revoke

Link: http://blog.kelunik.com/2016/03/13/letsencrypt-php-client.html

Rob Allen:
SSL certificate verification on PHP 5.6
Dec 23, 2014 @ 12:15:41

Rob Allen has a quick tip posted today about SSL certificate verification in PHP 5.6 and things that need to be updated thanks to recent improvements in PHP's SSL handling.

I recently updated my local OS X Zend Server installation to PHP 5.6 and when I ran composer self-update, I got this error message: "The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed" [...] Googling around, I finally worked out that there have been various SSL improvements in PHP 5.6 and that the problem was that it couldn't find any OpenSSL certificates on my system. This isn't a total surprise as OS X has been moving away from using OpenSSL internally in favour of its own libraries.

To resolve the issue he found where PHP was looking for certificates (using openssl_get_cert_locations) and how a quick "brew install" of the needed OpenSSL handling resolved the issue. Then, in the php.ini file a quick update to the "openssl.cafile" path points it to the right certificate.

tagged: certificate validation ssl openssl php56 tip fix

Link: http://akrabat.com/php/ssl-certificate-verification-on-php-5-6/

SitePoint Web Blog:
HTTPS Basics
Apr 02, 2014 @ 09:06:08

If you're relatively new to web development, you might not know exactly what kinds of benefits using an HTTPS connection might provide. In this new article from the SitePoint PHP blog, Mufleeh Sadique covers some of the basics of HTTPS and gives some reasons to "go HTTPS" in your applications.

Hypertext Transfer Protocol Secure or Hypertext Transfer Protocol over SSL is used for secure communication over a network, or perhaps more importantly – over the Internet. You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS. [...] If you ever wondered whether and how to go HTTPS with your website, we’ll attempt to clear this up in this article by briefly describing what HTTPS is about, and why and how to implement it.

He's broken the rest of the article up into a few different sections. The first answers the question "why HTTPS" with a few reasons including the most important - encrypted communication. In the second section, he starts showing you how to "go HTTPS" using a self-signed certificate to start. With the certificate installed, he moves into the last part, ensuring your application is always using the HTTPS version and redirecting anything else.

tagged: https introduction why how selfsigned certificate install configure

Link: http://www.sitepoint.com/https-basics

Create Digital Tickets with PHP and Apple Passbook
May 30, 2013 @ 09:11:36

On PHPMaster.com today there's a new tutorial showing you how to create digital tickets using PHP and the Apple Passbook service.

Why should we PHP warriors care at all about Apple’s Passbook? Well first because Apple made this technology open (well, sort of…), second because it can be used outside iOS devices, and third because it involves a lot of well-known and loved technologies like JSON and RESTful APIs. I’d also add that it’s a very interesting piece of technology, but that’s my personal opinion. In this article I’ll show you how I built a sample web application that creates and distributes passes in the form of a “PHPMaster Membership Card”. It is not a full-featured product, but it’s a nice base to build on for more serious real world uses.

He talks about the concept of a "pass" (a digitally signed document that can be easily distributed) and the types that the Apple service lets you make. His example (sample code here) is Slim-based and uses Idiorm & Paris for the data handling. He talks some about the certificate handling that's involved and the structure of the application including the certs, application code, templates and images. He then works through the code step-by-step and explains what each part does and how it connects with Apple's service to generate the pass.

tagged: apple passbook tutorial ticket digital signed certificate

Link: http://phpmaster.com/create-digital-tickets-with-php-and-apple-passbook

Artur Ejsmont's Blog:
How to properly secure remote API calls over SSL from PHP code
Sep 19, 2011 @ 13:56:00

Artur Ejsmont has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on how to properly secure SSL API calls for your PHP application.

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why, I suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common - a server serves up SSL pages but the calling PHP code doesn't actually verify the certificate in the process. He gives a bad example of how some scripts handle this issue, using the CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST options to turn off this verification - a very bad idea. To protect yourself from any kind of man-in-the-middle or DNS hijack issues, you should leave these on.

tagged: ssl certificate api call protect verification


Vanessa Vasile's Blog:
Simple Way to Parse an x509 Certificate with PHP
Nov 04, 2010 @ 11:19:34

In a new post to her blog, Vanessa Vasile has a reminder about a built-in PHP function that can help quite a bit when you're working with SSL certificates - openssl_x509_parse.

PHP has a nifty little function for parsing an x.509 SSL certificate into an array to easily pull out the elements: openssl_x509_parse. Essentially, all you need to do is load up the contents of the certificate, either through a file or POST value, and enclose it in the array.

She includes a code snippet that pulls in the certificate contents, calls the function and puts it into an array that's easy to loop through and get values and subvalues from the results. The PHP.net manual page doesn't have a documented list of the return values because a constant result hasn't been defined. You'll need at least PHP 5.2 to use the function.

tagged: parse x509 certificate parse tutorial


Write an Ajax-driven Login Application in PHP Using SSL/TLS
Sep 09, 2010 @ 10:29:03

On the PHPBuilder.com site today there's a new tutorial posted from Octavia Anghel about creating a login for your site that's powered by Ajax and uses a bit more security than normal. It includes hooks to use the Ajax Server Secure Layer or an OpenSSL connection.

In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS in two ways either using aSSL (Ajax Server Secure Layer), a library that implements a technology similar to SSL without HTTPS or a simple Ajax and OpenSSL, an open source implementation of the SSL and TLS protocols.

They start with the aSSL method and link you to a download of the tool as well as some sample code to help you get started passing data to it via the session. The second example shows the OpenSSL method, mostly consisting of checking, on the server side, the certificate that's passed along with the request.

tagged: ssl tls secure certificate assl openssl ajax