search

Home  >  Q&A  >  body text

cURL with SSL verification works, but how to verify it's encrypted?

I own 2 websites, example.com and domain.com. Both DNS are hosted on Cloudflare. Cloudflare offers free SSL/TLS encryption on its dashboard. Both sites are set to full encryption mode that forces HTTPS rewrite. example.com is hosted on WebHostingA and domain.com is hosted on HosterB.

I want to get the content from example.com/test.php using domain.com.

Code: domain.com/get-contents.php

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://example.com/test.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, TRUE);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); 
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, ['username' => 'Bob']);
$response = curl_exec($ch);
var_dump($response);

Code: example.com/test.php

if (isset($_POST['username']) && ctype_alpha($_POST['username'])) {

    echo($_POST['username'] . " You got my contents!");

} else {
    echo("Nope!");
}

I am able to successfully return the content from example.com/test.php (Bob you got my content!). However, my concern is that I don't have to provide any kind of certificate in the cURL code. How do I check if content sent from domain.com is encrypted and content received from example.com is encrypted? My goal is to transfer data securely between these two websites.

P粉155832941P粉155832941347 days ago434

reply all(1)I'll reply

  • P粉505450505

    P粉5054505052024-01-17 11:07:00

    First you use the https scheme, which means curl uses tls to connect. https://example.com/test.php and http://example.com/test.php are different URLs, curl itself will not change the scheme.

    Second - In some cases, the server side may redirect to plain http. To make sure there are no redirects and the connection is encrypted, you can try using the curl_getinfo() function and check the CURLINFO_EFFECTIVE_URL and CURLINFO_SSL_VERIFYRESULT fields like this: 

    $r = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT);
$url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);

    $r should be 0 and $url should start with https://.

    You can also use tcpdump on any of this servers to log the request and try to check the dump for any pure data. 

    [server1]# tcpdump -l -n -s 0 -w dump.pcap host server2.ip.addres

    You will see the connected port and log the captured data into the dump.pcap file. If one of the ports is 443 - your traffic is sent using tls. You can also analyze the dump.pcap file later in wireshark or just use the strings command.

    reply
    0
  • Cancelreply