OT: Secure connection Q for server admins




 
Topic: Religions > Atheism
User: "L. Raymond"
Date: 08 Nov 2006 05:14:08 PM
Object: OT: Secure connection Q for server admins
I've never administered a full web server and have no access to one to
experiment with, so I hope someone here can help me with this problem.
The short form of my question is, what determines that an HTTP
connection from one server to another will be encrypted? Is it only
when both servers are employing TLS/SSL for the connection, or only the
receiving server, or only the one sending, or if one uses it, the other
automatically will?

Specifically, my problem is I have finished writing a PHP site for a
book store which takes credit cards. We have a security certificate set
up so people can send us their credit card info safely, but when it
comes time for the script to contact the bank's secured server for
authorization, using PHP's fsockopen() function, the script will not
open a socket connection. We've established this is a problem on the
part of our hosting company because our user account hasn't been given a
high enough security setting to open the required connection (we're
using a shared security certificate along with several other clients and
the hosting company has got the security set up rather strictly).

The hosting company said they're going to fix our security so we can
make the connection, and in the meantime I've simply moved the script
which makes the connection to the main, non-secured part of the site for
testing, i.e. sending practice data and checking all possible results.
I am able to connect to the bank's secured server once this script is no
longer protected by the hosting company's security certificate. So, is
the data I'm sending being encrypted by the web server since it's
opening a connection to a secured port (not 443, but 11500), or is it
being sent normally?

Everything I've been reading tells me it's entirely up to the server
to know when to use TLS, but I haven't found anything which specifies
what it checks to make the determination. This is important because I
have no confidence in the hosting company's tech support people, and if
I wait for them to deal with it I'm afraid we'll never get the store up
and running. If I can safely send the data from the non-secured portion
of the site, that will solve everything.
--
L. Raymond
.

User: "No 33 Secretary"

Title: Re: OT: Secure connection Q for server admins 08 Nov 2006 06:06:15 PM
"L. Raymond" <badaddress@mylinuxisp.com> wrote in
news:1h058f4vvu43o$.1oict27om5t2o$.dlg@40tude.net:

> I've never administered a full web server and have no access to one to
> experiment with, so I hope someone here can help me with this problem.
> The short form of my question is, what determines that an HTTP
> connection from one server to another will be encrypted? Is it only
> when both servers are employing TLS/SSL for the connection, or only
> the receiving server, or only the one sending, or if one uses it, the
> other automatically will?

An HTTP connection is never encrypted. An HTTP*S* connection always is.
Most web servers can do both (all can do HTTP), but they are really
different kinds of connection.

> Specifically, my problem is I have finished writing a PHP site for a
> book store which takes credit cards. We have a security certificate
> set up so people can send us their credit card info safely, but when
> it comes time for the script to contact the bank's secured server for
> authorization, using PHP's fsockopen() function, the script will not
> open a socket connection. We've established this is a problem on the
> part of our hosting company because our user account hasn't been given
> a high enough security setting to open the required connection (we're
> using a shared security certificate along with several other clients
> and the hosting company has got the security set up rather strictly).
>
> The hosting company said they're going to fix our security so we can
> make the connection, and in the meantime I've simply moved the script
> which makes the connection to the main, non-secured part of the site
> for testing, i.e. sending practice data and checking all possible
> results. I am able to connect to the bank's secured server once this
> script is no longer protected by the hosting company's security
> certificate. So, is the data I'm sending being encrypted by the web
> server since it's opening a connection to a secured port (not 443, but
> 11500), or is it being sent normally?

Sounds like it's not being encrypted right now. I can't help but wonder
if your script is using HTTPS at all, given how little you seem to know
about the process. (Not intended as an insult - it's not especially
simple to figure it all out sometimes.)

> Everything I've been reading tells me it's entirely up to the server
> to know when to use TLS, but I haven't found anything which specifies
> what it checks to make the determination. This is important because I
> have no confidence in the hosting company's tech support people, and
> if I wait for them to deal with it I'm afraid we'll never get the
> store up and running. If I can safely send the data from the
> non-secured portion of the site, that will solve everything.

The type of connection is requested by the browser - the end user -
generally based on the URL you type in or click on. If you go to
http://somewhere.com/ you get a standard, unencrypted connection on port
80 (unless you put in a port manually at the end of the URL). If you go
to https://somewhere.com/ (note the "s") you get an SSL encrypted
connection (on port 443). The browser notes whether it's http or https,
and requests either a standard or SSL connection, and the server
responds appropriately within its limits.
--
"What is the first law?"
"To Protect."
"And the second?"
"Ourselves."
Terry Austin
.

User: "Mike Ruskai"

Title: Re: OT: Secure connection Q for server admins 08 Nov 2006 08:45:41 PM
On or about Wed, 8 Nov 2006 17:14:08 -0600 did "L. Raymond"
<badaddress@mylinuxisp.com> dribble thusly:

> I've never administered a full web server and have no access to one to
> experiment with, so I hope someone here can help me with this problem.
> The short form of my question is, what determines that an HTTP
> connection from one server to another will be encrypted? Is it only
> when both servers are employing TLS/SSL for the connection, or only the
> receiving server, or only the one sending, or if one uses it, the other
> automatically will?
>
> Specifically, my problem is I have finished writing a PHP site for a
> book store which takes credit cards. We have a security certificate set
> up so people can send us their credit card info safely, but when it
> comes time for the script to contact the bank's secured server for
> authorization, using PHP's fsockopen() function, the script will not
> open a socket connection. We've established this is a problem on the

[snip]

From the PHP docs for fsockopen():

"As of PHP 4.3.0, if you have compiled in OpenSSL support, you may
prefix the hostname with either 'ssl://' or 'tls://' to use an SSL or
TLS client connection over TCP/IP to connect to the remote host."

A connection can't be encrypted one-way. If the client requests
encryption, or the server requires it (a fair bet with a bank
authentication web service, or whatever it is), then every bit of data
sent after negotiation will be treated as encrypted. With PHP that
has OpenSSL compiled in (which will be pretty much every copy you'll
ever see), the "low-level" socket calls will all be automatically
wrapped by the encryption library once the session is negotiated.

I have only a passing familiarity with PHP, though, so you'll want to
check the docs to see if prepending "ssl://" will require encryption
for the connect to succeed, or simply request it. There's also
probably a function to ascertain whether or not the socket is using
SSL, should the latter be the case.
--
- Mike
Ignore the Python in me to send e-mail.
.
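Added example, not code from the thread or from the PHP project: a sketch of how the `ssl://` / `tls://` prefix behaves and how to check a socket for TLS from PHP. It shows that a plain `tcp://` socket is unencrypted whatever port it targets, that asking for TLS against a peer that does not speak it fails instead of falling back to plaintext, and that `stream_get_meta_data()` reports the negotiated session. The function names, the local listener and the host `gateway.bank.example` are constructed for illustration; only port 11500 comes from the question.

```php
<?php
// Added example, not code from the thread. Host names here are placeholders.

/** Negotiated TLS details for a stream, or null when it is plain TCP. */
function tls_status($fp): ?array
{
    // 'crypto' is only present once a TLS session is active (PHP 7.0+).
    return stream_get_meta_data($fp)['crypto'] ?? null;
}

/** Open a certificate-verified TLS client connection, or throw. */
function open_tls(string $host, int $port, float $timeout = 10.0)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,   // reject untrusted certificates
        'verify_peer_name' => true,   // certificate must match $host
        'peer_name'        => $host,
    ]]);
    // The tls:// prefix makes the handshake part of connecting: it either
    // completes or the call fails. There is no fallback to plaintext.
    $fp = @stream_socket_client("tls://$host:$port", $errno, $errstr,
                                $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false || tls_status($fp) === null) {
        throw new RuntimeException("TLS connect to $host:$port failed: $errstr");
    }
    return $fp;
}

/** Offline demo against a constructed local listener that speaks no TLS. */
function demo_plaintext_peer(): array
{
    $server = stream_socket_server('tcp://127.0.0.1:0', $errno, $errstr);
    $addr   = stream_socket_get_name($server, false);   // "127.0.0.1:<port>"
    $client = stream_socket_client("tcp://$addr", $errno, $errstr, 2);
    $peer   = stream_socket_accept($server, 2);
    fwrite($peer, "220 constructed plaintext banner\r\n");

    $before = tls_status($client);     // plain tcp:// socket: no TLS session
    // Asking for TLS now fails, because the peer's bytes are not a handshake.
    $upgraded = @stream_socket_enable_crypto(
        $client, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    return ['before' => $before, 'tls_ok' => $upgraded === true];
}

var_dump(demo_plaintext_peer());
// Real use (placeholder host, port taken from the question):
// $fp = open_tls('gateway.bank.example', 11500);
```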
User: "L. Raymond"

Title: Re: OT: Secure connection Q for server admins 09 Nov 2006 12:14:14 PM
Mike Ruskai wrote:

> A connection can't be encrypted one-way. If the client requests
> encryption, or the server requires it (a fair bet with a bank
> authentication web service, or whatever it is), then every bit of data
> sent after negotiation will be treated as encrypted.

Ah, thanks, that's what I was wondering. The hosting company does
have OpenSSL installed on one of their servers so I can just make sure
it's on the one we're using. Thanks very much.
--
L. Raymond
.


