PHPackages evandotpro/sslurp - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Utility & Helpers](/categories/utility) 4. / 5. evandotpro/sslurp ActiveLibrary[Utility & Helpers](/categories/utility) evandotpro/sslurp ================= Sslurp is a simple library which aims to make properly dealing with SSL in PHP suck less. 6635211[5 issues](https://github.com/EvanDotPro/Sslurp/issues)[4 PRs](https://github.com/EvanDotPro/Sslurp/pulls)PHP Since Feb 5Pushed 11y ago3 watchersCompare [ Source](https://github.com/EvanDotPro/Sslurp)[ Packagist](https://packagist.org/packages/evandotpro/sslurp)[ RSS](/packages/evandotpro-sslurp/feed)WikiDiscussions master Synced 3d ago READMEChangelogDependenciesVersions (1)Used By (0) Sslurp ====== [](#sslurp) v1.0 by Evan Coury [![Build Status](https://camo.githubusercontent.com/35be21c231768d5b2bb0b712d0e01cea0776dfb60e3f75f5723ec132d75cbc4f/68747470733a2f2f7365637572652e7472617669732d63692e6f72672f4576616e446f7450726f2f53736c7572702e706e673f6272616e63683d6d6173746572)](http://travis-ci.org/EvanDotPro/Sslurp) Introduction ------------ [](#introduction) Dealing with SSL properly in PHP is a pain in the ass and completely insecure by default. Sslurp aims to make it easier to use SSL in PHP safely and securely. Sslurp can be used as a stand-alone library, CLI tool, or a ZF2 module. **Note:** Sslurp requires PHP with OpenSSL support. This is standard in most Linux distributions' PHP packages, otherwise you need to compile PHP using --with-openssl\[=DIR\]. Features / Usage ---------------- [](#features--usage) ### Root CA bundle management [](#root-ca-bundle-management) Sslurp provides CLI and OOP interfaces for generating a trusted root Certificate Authority (CA) bundle using [certdata.txt](http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1) from the source tree of Mozilla's [Network Security Services (NSS) libraries](https://www.mozilla.org/projects/security/pki/nss/) and keeping it up-to-date. The resulting root CA bundle includes the certificates vetted according to the [Mozilla Root Certificate Program](http://www.mozilla.org/projects/security/certs/policy/) — the same root CA bundle trusted by cURL, Firefox, Chrome, and many other applications, libraries, languages, and operating systems. Sslurp takes additional steps to protect against MITM attacks while fetching certdata.txt from Mozilla's source tree, ensuring that the generated bundle is truly authentic. When connecting to Mozilla's mxr.mozilla.org domain to fetch the updated certdata.txt, Sslurp forces the use of verified SSL. Sslurp uses the following process to establish the initial trust of the SSL certificate on mxr.mozilla.org: - Check the SSL\_CERT\_FILE environment variable (used by OpenSSL). If the value is the path to a readable file and valid certificate bundle, Sslurp will use it. - If the SSL\_CERT\_FILE is not set or points to a non-existent / invalid certificate bundle, Sslurp will search several known/expected locations for the root CA bundle and use the first valid bundle found. - If a valid bundle is not found in any of the expected paths, Sslurp will finally fall back to using a bundled, pre-verified copy of the root CA's public key which established trust for the mxr.mozilla.org certificate (Equifax Secure Certificate Authority at least until November 2013). As if that's not enough, Sslurp *additionally* makes use of [public key pinning](http://tools.ietf.org/html/draft-ietf-websec-key-pinning-02) to further authenticate the authenticity of communications with Mozilla's mxr.mozilla.org domain. If the public key pin for mxr.mozilla.org changes before the expiration date of the current certificate, Sslurp will being to throw an exception, and refuse to update the root CA bundle. If the public key pin changes within the final month or after the expiration date of their current certificate (November, 2013), Sslurp will begin throwing a PHP notice encouraging you to update your copy of Sslurp to get the latest pin. **You are STRONGLY ENCOURAGED to be using the latest version of Sslurp at all times.** ### CLI root CA bundle updater [](#cli-root-ca-bundle-updater) [./bin/update-ca-bundle](https://github.com/EvanDotPro/Sslurp/blob/master/bin/update-ca-bundle) is a handy command-line tool for fetching, building, and subsequently updating a root CA bundle in PEM format for use with PHP's OpenSSL support, curl, libcurl, php\_curl, etc. The output generated is fully compatible with the [mk-ca-bundle.pl](https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl) which is used to [generate cURL's trusted bundle](http://curl.haxx.se/docs/caextract.html). ``` Sslurp Root CA Bundle Updater Usage: bin/update-ca-bundle [--stdout] bin/update-ca-bundle -o[output_file] Options -o Path/filename to the file to (over)write the updated root CA bundle. Defaults to ca-bundle.pem --stdout Do not write file, send output to stdout instead. ``` ### Using Sslurp as a library [](#using-sslurp-as-a-library) In addition to the CLI tool, Sslurp can be used as a library through the OOP interface. The [source](https://github.com/EvanDotPro/Sslurp/tree/master/src/Sslurp) *is* the API documentation. ```