3

How can I find out whether a site is on SSL or not? I'm working on a WP plugin for live transactions, and it is important for the plugin to check whether the site (on which the plugin is installed) is using SSL. I have to show a warning message on the checkout page if the site is not on SSL.

Irfan
  • I guess this question is related http://stackoverflow.com/questions/4503135/php-get-site-url-protocol-http-vs-https – Web Developer Apr 05 '12 at 11:42
  • This is basically how the script is queried through the HTTPS protocol. If the script is requested over HTTPS, then $_SERVER['HTTPS'] is set and is equal to 'on'. But I'm trying to figure out whether SSL is installed on the server where the site is live. I found a PHP script http://uniapple.net/blog/?p=539#comment-2705 and I tested it, but I'm not sure that it works in all aspects? Thanks – Irfan Apr 05 '12 at 12:38

5 Answers

3

You can check the $_SERVER['HTTPS'] variable.

user254875486
1
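    function is_exist_ssl($domain){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://".$domain);
        // Peer verification is off, so an untrusted (for example self-signed)
        // certificate also passes; this only shows that something answers on HTTPS.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_exec($ch);

        // Treat any transport error or non-200 status as "no SSL".
        if(curl_error($ch)){
            curl_close($ch);
            return false;
        }
        $info = curl_getinfo($ch);
        curl_close($ch);
        return $info['http_code'] == 200;
    }

usage:

    $domain = 'uniapple.net';

    if(is_exist_ssl($domain)){
        echo "SSL is enabled!";
    }else{
        echo "No SSL";
    }

    // usage: redirect a plain-HTTP request when the site answers on HTTPS
    if(!isset($_SERVER['REDIRECT_HTTPS']) || $_SERVER['REDIRECT_HTTPS'] != 'on'){
        if(is_exist_ssl($domain)){
            // Header name and colon must be adjacent, otherwise the header is invalid.
            header('Location: https://'.$domain);
            exit;
        }
    }
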
Alfred Francis
1

Since this question is old, and the answers are a bit outdated, I thought I'd chime in!

I saw you were asking about a WordPress Plugin. WordPress has an is_ssl() function to check if a page is using ssl since WordPress 2.6.

Here's an example:


    if ( is_ssl() ) {
      print_r('SSL is running!');
    } else {
      print_r('Please install an ssl certificate!');
    }

Andre Gagnon
0

If it's an HTTPS request the 'HTTPS' value in the superglobal $_SERVER array will be set and will be set to 'on'. If it is not an HTTPS request it will not be set.

So to test if it's an HTTPS request in PHP you could do this:

    if( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) {
        // ... code that should run only for HTTPS requests
    }

Alternatively you could set it as a constant if you need to know if it's an HTTPS request several times in your code like so:

    define('IS_HTTPS_REQUEST', isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on');

Sandeep Manne
  • @Lex, This is basically how the script is queried through the HTTPS protocol. If the script is requested over HTTPS, then $_SERVER['HTTPS'] is set and is equal to 'on'. But I'm trying to figure out whether SSL is installed on the server where the site is live. I found a PHP script http://uniapple.net/blog/?p=539#comment-2705 and I tested it, but I'm not sure that it works in all aspects? Thanks – Irfan Apr 05 '12 at 12:34
  • The code you are referring to uses curl, which may not be available on shared hosting; check this http://stackoverflow.com/questions/9852937/php-curl-proxy-not-work-with-godaddy-shared-hosting , and the code I gave you can be used once your plugin is installed and has started responding to requests. You can ask WordPress to give the SSL URL and show a warning that your plugin won't work if SSL is not there, and if the request came without SSL (check using the above code) show an error message – Sandeep Manne Apr 05 '12 at 12:39
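
An added example (not from any answer on this page) that goes beyond the `$_SERVER['HTTPS'] == 'on'` check above to cover two cases it misses: servers that report `'1'` or `'off'`, and a TLS-terminating reverse proxy in front of PHP. The function name, the trusted-proxy list and the sample requests are assumptions constructed for illustration.

```php
<?php
/**
 * Decide whether the current request reached the site over HTTPS.
 *
 * @param array $server         Usually $_SERVER.
 * @param array $trustedProxies IPs of reverse proxies you operate (assumption:
 *                              they overwrite X-Forwarded-Proto on every request).
 */
function request_is_https(array $server, array $trustedProxies = []): bool
{
    // Most servers set HTTPS to 'on' (some use '1'); IIS sets 'off' for plain
    // HTTP, so isset() alone is not a sufficient test.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https === 'on' || $https === '1') {
        return true;
    }
    // Some setups leave HTTPS unset but still expose the listening port.
    if ((string) ($server['SERVER_PORT'] ?? '') === '443') {
        return true;
    }
    // Behind a TLS-terminating proxy the hop to PHP is plain HTTP. The header
    // is client-controllable, so honour it only when the peer is a known proxy.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (in_array($peer, $trustedProxies, true)) {
        $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
        return $proto === 'https';
    }
    return false;
}

// Constructed sample requests (not captured traffic).
$samples = [
    'direct HTTPS'      => ['HTTPS' => 'on',  'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.7'],
    'IIS plain HTTP'    => ['HTTPS' => 'off', 'SERVER_PORT' => '80',  'REMOTE_ADDR' => '203.0.113.7'],
    'via trusted proxy' => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '10.0.0.5',
                            'HTTP_X_FORWARDED_PROTO' => 'https'],
    'spoofed header'    => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.7',
                            'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($samples as $label => $server) {
    $ok = request_is_https($server, ['10.0.0.5']);
    echo str_pad($label, 20), $ok ? "HTTPS\n" : "NOT HTTPS: show the checkout warning\n";
}
```

The "spoofed header" case is reported as not HTTPS because the forwarded-protocol header is ignored unless the connecting address is in the trusted-proxy list.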
0

There are a number of solutions to this problem described in this question. If you're using Apache Httpd and you can narrow down the path to a certain prefix, you could use SSLRequireSSL within a Location directive. Alternatively, you can check $_SERVER['HTTPS'] in PHP, if it's defined (it may depend on the web server, but it usually is).

More importantly, don't focus too much on checking the page you're serving is served over HTTPS. It is the responsibility of the client to check that, because, by the time it reaches the server, it's too late: it may have already been intercepted by a MITM attacker (who may even make the request over HTTPS even if the genuine client did not). I've put a longer explanation about this problem in this answer. From a UI point of view, you should make it clear that the user will enter a "secure" section and it's up to them to check that the subsequent requests will be over HTTPS.

It's not necessarily a bad thing to check that your server is indeed running over HTTPS, but it doesn't help much from a security point of view. What really matters is that all the links to that secure section must use https:// (and must not rely on automatic URL rewriting to do so).

Bruno