0

I have a SSL enabled eCommerce website which uses cURL for payment processing. Everything is running well but recently I learned about "CA Public Certification Bundle for cUrl" that its a good idea to use it for cURL connections.

If this is true than can someone tell me how or how is it better/different than using the standard SSL?

Doesn't the SSL already provide some kind of certification for all connections?

jww
  • 97,681
  • 90
  • 411
  • 885
Manish Pradhan
  • 1,141
  • 10
  • 28

2 Answers2

2

Any HTTPS client connected to an HTTPS server will get its certificate (in fact, it can be a certificate chain). This server certificate must then verified by the client to authenticate the server.

This is normally done by using a number of CA certificates that are configured on the client as trust anchors (i.e. this is what you trust in advance, before encountering the server certificate). The client tries build a chain between the last element of the server chain and one of the CA certificates in its trust anchors. If there is such a valid chain the server certificate is trusted.

A "CA certificate bundle" would be a set of trust anchors. You can build your own by looking for CAs you're willing to trust, or you can use an existing bundle. Most OSes or browser come with an existing bundle. cURL in itself doesn't but it can rely on a pre-defined location (set at compile time) or it also suggests to use the Firefox bundle (via a conversion mechanism). (You can override default setting via extra options, on the command line or via the API.)

Certificate Pinning (which you also mention) has nothing to do with a CA cert bundle. In fact, it's almost the opposite. Instead of relying on 3rd party trust anchors (the certification authorities), you explicitly "pin" a set of server certificates you know as directly trusted. They're not used to verify other certificates, instead, you compare the certificate you get with the exact certificate you're expecting for that host (or at least you compare public keys). This is more like having a reference mapping from server name to certificate (or to public key) and comparing what you get from that host with the reference you have. Of course, this can only work for a reasonably small set of certificates in practice, unlike the CA (PKI) approach which is designed to let you authenticate parties you have never encountered before (via a 3rd party: the CA).

How is it better/different than using the standard SSL? Doesn't the SSL already provide some kind of certification for all connections?

Using a CA certificate bundle isn't different than using "standard SSL", it is what's commonly used for SSL/TLS connections. You often don't see it because that CA bundle is often supplied with your client (or with the OS). Note that strictly speaking, this is orthogonal to SSL/TLS itself, which mainly just says you should authenticate the server. Certificate verification (the PKI way, via CA certificates) is defined in a different specification, also complemented by a specification on how to verify the name in the certificate (and the HTTPS specification of course).

Community
  • 1
  • 1
Bruno
  • 119,590
  • 31
  • 270
  • 376
-3

Found a great answer here. The comment above really helped. The exact keyword I was looking for was "Certificate Pinning".

Andy
  • 49,085
  • 60
  • 166
  • 233
Manish Pradhan
  • 1,141
  • 10
  • 28
  • The blog article you mention has nothing to do with "certificate pinning". In addition, it only talks about `CURLOPT_SSL_VERIFYPEER`, not `CURLOPT_SSL_VERIFYHOST`. [Both matter](http://stackoverflow.com/a/13742121/372643). Thankfully, both should be enabled to their secure values by default in versions of cURL that are not too old. (Since `php` is tagged in the question, this is documented [here](http://www.php.net/manual/en/function.curl-setopt.php)). – Bruno Jul 04 '14 at 20:37