November 22nd, 2005
The leaves are falling and the turkeys are running but don't lose your head and miss November's general meeting at New York PHP!
This month we're proud to present New York PHP authors Chris Snyder and Michael Southwell, who teamed up to write
Pro PHP Security from Apress. We also have special guest Matteo Rinaudo, CCNA, from Italy.
Join us as they share the insight they gained while writing the book on making SSL, Apache and PHP a happy family, followed by Matteo's introduction to his internationalization toolset,
OASI.
Snyder and Southwell write:
Setting up an SSL-enabled web server is relatively easy using Apache's mod_ssl... so easy, in fact, that an understanding of how SSL and certificates work to ensure the privacy and integrity of HTTPS communication is not even a requirement. It just works, as is shown by the little gold lock in the browser.
But as we found out in the course of writing Pro PHP Security, correctly configuring an HTTPS server to be truly secure requires a working knowledge of the tools and techniques of public-key encryption, and a general understanding of what happens during the various phases of the SSL protocol (now better known as TLS).
The bonus for getting your hands dirty and really grokking SSL, as a PHP developer, is that you will end up with more than just a production-ready secure server. Thanks to PHP's OpenSSL module, your applications have the ability to sign and/or encrypt messages, including database fields, files, emails, XML values, and so on. You can also verify the integrity of signed messages, and decrypt messages that have been encrypted using your public certificate. And you can use PHP to script the creation and maintenance of keys and certificates on the command line.
Our goal, then, in sixty minutes or less, is to:
- Give you a comprehensive re-introduction to SSL/TLS, and do a quick walkthrough of what's going on between server and client during the all-important handshake phase. Then we'll take a close look at the Apache configuration directives for mod_ssl.
- Show you how to use PHP to assist in the generation, verification, and day-to-day maintenance of RSA keys and certificates.
- Walk through PHP code for signing, verification, encryption, and decryption of arbitrary values, using those keys and certificates.
Then we'll open the meeting to discussion of some of the ways that NYPHP community members use SSL and/or Public Key Encryption in their applications, and of the tradeoffs between creating your own CA and paying for a commercial signature.
Once the discussion turns into a gripe session about commercial certificate authorities and patents, we'll close the meeting with a book raffle and head to TGI Fridays for beverages and grub.
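The three items on the agenda above (key and certificate generation, signing and verification, encryption and decryption) map directly onto PHP's OpenSSL extension. The script below is an added example written for this page; it is not code from Pro PHP Security or from the presenters. The distinguished-name fields, the file names server.crt and server.key, the passphrase and the sample message are all placeholders chosen for illustration. It self-signs the certificate; in production the CSR would go to your own CA or a commercial one, which is exactly the tradeoff the discussion period is about.

```php
<?php
// Added example (not from the book): RSA key + certificate lifecycle,
// then sign/verify and encrypt/decrypt with that key pair.

// 1. Generate a 2048-bit RSA private key. digest_alg is reused below
//    for the CSR and certificate signatures.
$config = [
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'digest_alg'       => 'sha256',
];
$privKey = openssl_pkey_new($config);
if ($privKey === false) {
    die('Key generation failed: ' . openssl_error_string() . "\n");
}

// 2. Build a CSR and self-sign it for one year. Passing null as the CA
//    certificate makes it self-signed; pass a CA cert and CA key instead
//    to issue from your own CA.
$dn = [                                 // placeholder subject, assumed
    'countryName'         => 'US',
    'stateOrProvinceName' => 'New York',
    'localityName'        => 'New York',
    'organizationName'    => 'Example Org',
    'commonName'          => 'www.example.com',
];
$csr  = openssl_csr_new($dn, $privKey, $config);
$cert = openssl_csr_sign($csr, null, $privKey, 365, $config);

// Export to PEM. The private key is encrypted with a passphrase so a
// copied file is not immediately usable; mod_ssl will prompt for it
// (or use SSLPassPhraseDialog) at startup.
openssl_x509_export($cert, $certPem);
openssl_pkey_export($privKey, $keyPem, 'change-me');   // placeholder passphrase
file_put_contents('server.crt', $certPem);
file_put_contents('server.key', $keyPem);

// 3. Sign a value with the private key. Always name the digest: the
//    default is SHA-1, which should no longer be used for signatures.
$message = 'amount=100.00&account=12345';   // constructed sample value
openssl_sign($message, $signature, $privKey, OPENSSL_ALGO_SHA256);

// Verify with the public key extracted from the certificate, which is
// all the receiving side needs to hold.
$pubKey = openssl_pkey_get_public($certPem);
$valid = openssl_verify($message, $signature, $pubKey, OPENSSL_ALGO_SHA256);
// openssl_verify returns 1 for a good signature, 0 for a bad one, -1 on error;
// compare against 1 explicitly rather than treating the result as boolean.
$tamperedValid = openssl_verify($message . '0', $signature, $pubKey, OPENSSL_ALGO_SHA256);

// 4. Encrypt to the public key so only the private key holder can read
//    it. Use OAEP padding, not the PKCS#1 v1.5 default. Plain RSA can
//    only encrypt a payload shorter than the key; for larger data
//    (files, long database fields) use openssl_seal()/openssl_open(),
//    which wrap a random symmetric key with RSA.
openssl_public_encrypt($message, $ciphertext, $pubKey, OPENSSL_PKCS1_OAEP_PADDING);
openssl_private_decrypt($ciphertext, $plaintext, $privKey, OPENSSL_PKCS1_OAEP_PADDING);

printf("signature valid: %s\n", $valid === 1 ? 'yes' : 'no');
printf("tampered message valid: %s\n", $tamperedValid === 1 ? 'yes' : 'no');
printf("round-trip ok: %s\n", $plaintext === $message ? 'yes' : 'no');
```

Run it from the command line with the OpenSSL extension loaded (php -m should list openssl). The same key pair is used for signing and for encryption here only to keep the example short; in a real deployment keep separate keys for the two purposes, since a signing key that is also a decryption key exposes both uses if it leaks.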
OASI
OASI is a recursive acronym and stands for "Oasi's A Serviceable Implement". It is a framework that allows PHP web developers to write internationalized web pages. Through a control panel, you can add, modify and delete user-created custom languages, defining items such as language name, charset, text direction and so on. This information is stored in a MySQL database. The control panel is also where you add the internationalized text (already translated by humans, or by the supplied 'google-plugin').
Internationalized content is bound to user-defined needles. A PHP script page passes a needle as the argument to the method that retrieves the internationalized text for the session's current language (which the user can change by means of a text box).
Thanks to IBM for providing a great presentation space with seating for plenty.
As a service to our community, New York PHP community meetings are always free and open to the public.