Reputation: 880
I need to control SSL certificates (subject, presence in DB, etc.) of clients that connect to our web server. Is it possible to do in PHP? Thanks.
Upvotes: 2
Views: 1799
Reputation: 9148
Well, it is possible yes but with a little help from Curl.
Run cURL in verbose mode and send the output to PHP (pretty simple right?), then parse the output in PHP as there is the issuer name (OU=Secure Server Certification Authority == Verisign).
IE, a sample Curl call:
>> curl -I -v https://login.yahoo.com
Would return this parsable output:
* About to connect() to login.yahoo.com:443
* Connected to login1.login.vip.dcn.yahoo.com (216.109.127.60) port 443
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=US/ST=California/L=Santa Clara/O=Yahoo/OU=Yahoo/CN=login.yahoo.com
* start date: 2003-02-08 00:00:00 GMT
* expire date: 2004-02-08 23:59:59 GMT
* common name: login.yahoo.com (matched)
* issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> HEAD / HTTP/1.1
User-Agent: curl/7.10.2 (i386-redhat-linux-gnu) libcurl/7.10.2 OpenSSL/0.9.6b ipv6 zlib/1.1.3
Host: login.yahoo.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP/1.0 200 OK
Another option would be to use stunnel to proxy your HTTPS query and that way let PHP "think" that it's using a standard HTTP query and that it should return every single byte of the output.
Upvotes: 2
Reputation: 145482
PHP has no hands in this. SSL is handled by the webserver only. Apache can be configured to pass some information along in the CGI environment however.
See the manual on SSLOptions and the available list of SSL_* environment variables. What you wanted to read out is probably:
print $_SERVER['SSL_CLIENT_S_DN'];
Upvotes: 4
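A sketch of the check the question asks for, built on the SSL_* variables the answer above points to (added example, not code from the original posts). It assumes Apache mod_ssl with SSLVerifyClient and SSLOptions +StdEnvVars enabled; the function name, the $known array standing in for the database lookup, and the sample values are all constructed for illustration.

```php
<?php
// Added example. Assumes mod_ssl exports SSL_CLIENT_* to PHP
// (SSLVerifyClient require|optional plus SSLOptions +StdEnvVars).

/**
 * Decide whether the client certificate reported by mod_ssl is acceptable.
 * $known maps "issuer DN|serial" => account name and stands in for the
 * database table mentioned in the question (hypothetical schema).
 */
function checkClientCert(array $server, array $known): array
{
    // SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:reason.
    // Only SUCCESS means the chain validated against the configured CAs.
    $verify = $server['SSL_CLIENT_VERIFY'] ?? 'NONE';
    if ($verify !== 'SUCCESS') {
        return ['ok' => false, 'reason' => "verify=$verify"];
    }
    $subject = $server['SSL_CLIENT_S_DN'] ?? '';
    $issuer  = $server['SSL_CLIENT_I_DN'] ?? '';
    $serial  = strtoupper($server['SSL_CLIENT_M_SERIAL'] ?? '');
    if ($subject === '' || $issuer === '' || $serial === '') {
        return ['ok' => false, 'reason' => 'SSL_CLIENT_* variables missing'];
    }
    // Issuer DN + serial identifies one certificate; a subject DN alone can
    // be reused on a reissued or differently issued certificate.
    $key = $issuer . '|' . $serial;
    if (!isset($known[$key])) {
        return ['ok' => false, 'reason' => 'certificate not registered'];
    }
    return ['ok' => true, 'account' => $known[$key], 'subject' => $subject];
}

// Constructed sample values so the script also runs from the CLI.
$sample = [
    'SSL_CLIENT_VERIFY'   => 'SUCCESS',
    'SSL_CLIENT_S_DN'     => 'CN=alice,O=Example Corp,C=US',
    'SSL_CLIENT_I_DN'     => 'CN=Example Internal CA,O=Example Corp,C=US',
    'SSL_CLIENT_M_SERIAL' => '0a1b2c',
];
// Store the key exactly as your server reports the issuer DN and serial.
$known = ['CN=Example Internal CA,O=Example Corp,C=US|0A1B2C' => 'alice'];

$result = checkClientCert(PHP_SAPI === 'cli' ? $sample : $_SERVER, $known);
if (!$result['ok']) {
    error_log('client cert rejected: ' . $result['reason']); // detail stays in the log
    http_response_code(403);
    exit("Forbidden\n");
}
echo 'Authenticated as ', $result['account'], "\n";
```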