cURL with SSL verification works but how do I validate that it is encrypted?-CodePudding

I own 2 websites, example.com and domain.com. Both DNS's are hosted on Cloudflare. Cloudflare offers free SSL/TLS encryption on their dashboard.. Both the websites are set to Full encryption mode with forced HTTPS rewrites. example.com is hosted on WebHostingA and domain.com is hosted on HosterB.

I want to use domain.com to get the contents from example.com/test.php.

Code on: domain.com/get-contents.php

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://example.com/test.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, TRUE);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); 
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, ['username' => 'Bob']);
$response = curl_exec($ch);
var_dump($response);

Code on: example.com/test.php

if (isset($_POST['username']) && ctype_alpha($_POST['username'])) {

    echo($_POST['username'] . " You got my contents!");

} else {
    echo("Nope!");
}

I am able to successfully return get the contents from example.com/test.php (Bob You got my contents!). However, my concern is that I did not have to provide any sort of certificates in the cURL code. How do I check if what I sent from domain.com was encrypted and what I received back from example.com was encrypted? My goal is to securely transfer data between these 2 websites.

CodePudding user response：

First of all you used https scheme, it means curl connected using tls. https://example.com/test.php & http://example.com/test.php are different urls and curl doesn't change the scheme by itself.

Second - in some situations there can be a redirect on the server side to plain http. To ensure that there is no redirect and the connection is encrypted, you may try to use curl_getinfo() function and check the CURLINFO_EFFECTIVE_URL and CURLINFO_SSL_VERIFYRESULT fields like that:

$r = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT);
$url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);

$r should be 0, $url should start with https://.

Also you can use tcpdump on any of this servers to record the request and try to check dump for any plain data.

[server1]# tcpdump -l -n -s 0 -w dump.pcap host server2.ip.addres

you will see the ports of the connection and record captured data to the dump.pcap file. If one of the ports is 443 - you traffic was sent using tls. Also you can later analyze dump.pcap file in wireshark or just using strings command.