OpenSSL -- does it work at all?

zawar

From what I understand, PHP is strictly a server-side programming language. For SSL to work, some of the functionality has to necessarily reside on the client side. I wonder how we can manage that with OpenSSL functions in PHP.

Zawar

Weedpacket

[man]OpenSSL[/man]
This module uses the functions of OpenSSL for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data.

In other words, OpenSSL provides that functionality.

zawar

I am not questioning the functionality provided. My concern is that SSL is an 'on the wire' protocol whereas - as in PHP - if all the processing happens on the server side, then it is not possible to secure data at the client end. Conversely, if the server sends secure data to the client, then the client doesn't have any way (within PHP) of decrypting the data.

Consider this scenario: Server creates a public/private key pair and expects to recieve data from the client encrypted by the public key. For this the server broadcasts the public key to the client(s). How will the client encrypt the data when no PHP processing happens on the client side?

Scenario #2: Server sends encrypted data to client. The data is encrypted by the client's public key. How will the decryption happen on the client side when no PHP executes on the client side?

Hope I have made myself clear.

Zawar

mcrbids

He?

The easiest way to use openssl is to use a web address such as

https://yourserver.com/yourscript.php

Apache and your ISP take care of the SSL stuff. It usually costs $150/year for a certificate. (I can get you one for 1/2 that, though)

In this case SSL is happening between user's browser and your web server. (Usually Apache)

From the scope of PHP, SSL is almost never relevant unless you are trying to initiate a connection from your PHP script to another server. In which case, you'd better be using 4.3.x or higher.

-Ben

Weedpacket

Originally posted by zawar
Scenario #1:...

Scenario #2:...

Hope I have made myself clear.

Obviously the client has to understand SSL protocol as well if it is to use SSL when communicating with the server, just as HTTP clients and HTTP servers both have to understand HTTP in order to communicate. Whether the client does SSL or not is not the server's responsibility - if they can't or won't do SSL then that's their problem and they miss out. If you wanna talk with the natives, you gotta speak the language.

zawar

Thanks for the help guys. No offense weedpack ... I had the audacity to think of SSL as an application level protocol 😉.

Zawar

Weedpacket

Originally posted by zawar
Thanks for the help guys. No offense weedpack ... I had the audacity to think of SSL as an application level protocol 😉.

Zawar

Well, by definition, a protocol is something that has to be understood by all participants for it to work 🙂