incoming traffic security checking

blackhorse

For exmaple, I have a page, secure.php, this page will only accept the access from the machine that has the domain such as "securedfriend.com".

Two approaches will be used.

1) I will detect the if the incoming traffic is from securedfriend.com, how to do that?

if (substr(trim(gethostbyaddr($_SERVER['REMOTE_ADDR']), -17)=="securedfriend.com")
{
echo ("Welcome Friend!");
....
}
else
{
echo("bye bye");
}

Is this code right?

2) Also this 3rd party site says they can also issue a certificate to us in advance and when it will communicate with the secure.php on my site, it will also send the certificate with it, I can check the certificate value to see if it matches. How does this "client certificate" approaches going to work? or there is no industry standard approach of client certificate approach, this is just their own custom approach, just give me a string with encrypted values, and then later on i will just match the values to see if it is matched the value they send to me before. (I am not their customer yet and cannot get detail tech support yet, this client certificate approach is from their online doc but without further details.)

MarkR

blackhorse wrote:
2) Also this 3rd party site says they can also issue a certificate to us in advance and when it will communicate with the secure.php on my site, it will also send the certificate with it, I can check the certificate value to see if it matches. How does this "client certificate" approaches going to work?

It is a part of HTTPS, using a client-certificate.

Consult your web server documentation for how to set up client certificate validation and stuff.

Once you've created a test certificate and used it in your own browser, look at the output of phpinfo() to see what info you can get out of the certificate (which may vary depending on your web server)

Mark

blackhorse

I am confused here. It is not we issue a certificate (which I understand about https page I set up at my site.), it is they issue me a certificate, and then when they access page on my site, i will check the certificate and know the incoming traffic is from them. It is still part of https I set up on my server?

Thanks!

MarkR

Yes, it's still your HTTPS server (which will require its own certificate). The client then provides its certificate too (optionally).

Theoretically, both of these would be signed by a third party that both of you trust, then you'd each know who the other was. Which is great.

But in practice some of these may be self-signed or signed by an unknown party, in which case it's relying on you having an out-of-band mechanism for transferring the certificate to your server so it can recognise it as trusted.

Mark