I am trying to use fsockopen on localhost with https on Windows, using Wamp.
It is working fine on http but not on https.
I created a certificate with OpenSSL (How to install: OpenSSL + WAMP) and declared a virtual host in httpd-vhosts.conf file.
Here is the PHP code:
$fp = fsockopen("ssl://localhost", 443, $errno, $errstr, FSOCKOPEN_TIMEOUT); // same pb with ssl://www.localhost
That generates following errors:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
PHP Warning: fsockopen(): Failed to enable crypto
PHP Warning: fsockopen(): unable to connect to ssl://localhost:443 (Unknown error)
I also have following warning in my ssl error log file when Apache starts (I don't know if it may be related):
[ssl:warn] [pid 6008:tid 596] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
Do you have any idea what I did wrong?
Thank you!
Keep in mind - if you create a ssl certificate locally on your own it's normally not trusted by clients (e.g. webbrowser)
When you have followed the cert creation process you have been asked about the Common Name (CN). That should be a domain over which you are planning to serve your webpage, or, when you only use it locally it can also be localhost.
In your case you used something differnt which does not match the ServerName or ServerAlias in your apache config.
Atm I don't understand why you want connect to localhost via ssl - from a security perspective it's not really necessary.
Otherwise you could force your client (php) to not check the certificate's validity
<?php
$context = stream_context_create([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false
]
]);
$fp = stream_socket_client("ssl://localhost", $errno, $errstr, ini_get("default_socket_timeout"), STREAM_CLIENT_CONNECT, $context);
But do that only (!) for local connections
Related
I have an instance of a php site that requires a script running behind an https link on the intranet for my company. The https link is using a self-signed cert. I have tried updating the cacert.pem to allow it but I still get the following:
Warning: require(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
If I were using cURL I would just bypass the ssl on this request but with require I cannot.
Any ideas?
I'm trying to open a TLS connection using this code:
<?php
$cafile = '/var/www/html/mosquitto/cert.pem';
$socketContext = stream_context_create(["ssl" => [
"verify_peer_name" => true,
"cafile" => $cafile
]]);
$socket = stream_socket_client("tls://xx.xx.xx.xx:8883", $errno, $errstr, 60, STREAM_CLIENT_CONNECT, $socketContext);
if (!$socket) {
print("Error: ".$errstr);
return false;
}else{
print("Connection Opened");
}
?>
Nginx error log:
2018/02/08 17:40:28 [error] 1331#1331: *658 FastCGI sent in stderr: "PHP message: PHP Warning: stream_socket_client(): SSL operation $
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /var/www/html/test.php on line 10
PHP message: PHP Warning: stream_socket_client(): Failed to enable crypto in /var/www/html/test.php on line 10
PHP message: PHP Warning: stream_socket_client(): unable to connect to tls://xx.xx.xx.xx:8883 (Unknown error) in /var/www/html/test.$
This is always getting in error section !$socket but without any error string. It's just Error:. How can I fix this issue? I'm speculating cert.pem file may be the issue. What file do I need to put there?
Thanks!
How can I fix this issue?
That's going to be very hard until you know what the issue is.
Clearly tackling the problem using stream_socket_client is not working and is not giving you any useful diagnostic information. You need to breakdown what this call is doing and test each part in isolation.
Does 'xx.xx.xx.xx' represent an IP address or a hostname? If it's the latter you may have issues with resolution. Try dns_get_record() If its the former, how do you expect to validate the subject of the certificate?
Can you connect on port 8883? Try fsockopen()
Is SSL working?
Can you negotiate a cypher
Is the certificate valid
is the certificate signed by a CA in your certs.pem file
You can check these from the command line with openssl s_client
Update
From your edit: certificate verify failed - see note above regarding IP address and certificate vlidation
I was trying to develop a twitter streaming application on my AWS EC2 machine. The OS platform is Ubuntu 16.04.1 LTS and I have downgraded the PHP version to 5.6.28-1+deb.sury.org~xenial+1
When I run the twitter streaming application on this server, I am getting the following errors.
Warning: fsockopen(): Peer certificate CN=`stream.twitter.com' did not match expected CN=`199.16.156.217' in /var/www/html/myapp/streamer/twitterstreamer.php on line 620
Warning: fsockopen(): Failed to enable crypto in /var/www/html/myapp/streamer/twitterstreamer.php on line 620
Warning: fsockopen(): unable to connect to ssl://199.16.156.217:443 (Unknown error) in /var/www/html/myapp/streamer/twitterstreamer.php on line 620
The same code is running without any issues in another two machines (one is AWS EC2 and the another is a godaddy server).
All the ports in the current EC2 machine is open now and the SSL version is OpenSSL/1.0.2g the openssl section is having the following value.
openssl section - phpinfo
Can someone help me to find where the exact issue is ?
The issue is resolved with the clue fro the first error.
Warning: fsockopen(): Peer certificate CN='stream.twitter.com' did not match expected CN='199.16.156.217' in /var/www/html/myapp/streamer/twitterstreamer.php on line 620
In PHP 5.6.x, the value of openssl VERIFY_PEER is true by default. The system will first fetch the certificate from the peer and matches with ours. In my application, I was connecting with the IP and the URL in the fetched certificate is stream.twitter.com. This was the issue.
Changing IP in the fsockopen to stream.twitter.com solved my issue.
PHP versions prior to 5.6, the default value of VERIFY_PEER is false and this is why the same code running on my other instances.
I am trying to read a remote website offering some JSON objects using file_get_contents. The connection should be encrypted so I try connecting using HTTPS.
<?php
$arrContextOptions=array(
"ssl"=>array(
"cafile" => "api.crt",
"verify_peer"=> true,
"verify_peer_name"=> true
),
);
$context = stream_context_create($arrContextOptions);
$jsonObjects = file_get_contents('https://example.com', false, $context);
?>
However, the connection fails with the following error:
PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) in api-read.php on line 13
PHP Warning: file_get_contents(): Failed to enable crypto in api-read.php on line 13
PHP Warning: file_get_contents(https://example.com): failed to open stream: operation failed in api-read.php on line 13
The sources I found so far mentioned different possible causes.
Using wrong protocol versions. AFAIK you can only disallow certain protocols using the cipher option. PHP should support SSLv2, SSLv3 and TLSv1.0, correct? I verified by using curl on the command line that the remote machine accepts connections using SSLv3.
CN mismatch The CN mentioned in the certificate is the IP address I am connecting to.
So far I could not solve the issue or find any helpful information. I am running out of ideas. Any suggestions?
I'm trying to use php function fsockopen on a smtp server using ssl on port 465 on my local server with apache.
It works well with php command line but I get a SSL error when the script is running in my browser.
php.ini
extension=php_openssl.dll line is not commented
phpinfo through Apache
Loaded Configuration File : D:\localhost\php-5.4.11\php.ini
openssl
OpenSSL support enabled
OpenSSL Library Version OpenSSL 0.9.8x 10 May 2012
OpenSSL Header Version OpenSSL 0.9.8x 10 May 2012
phpinfo with command line
Loaded Configuration File => D:\localhost\php-5.4.11\php.ini
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 0.9.8x 10 May 2012
OpenSSL Header Version => OpenSSL 0.9.8x 10 May 2012
My script
$smtp = fsockopen('ssl://in.mailjet.com', 465, $errno, $errstr, 30);
$response = fgets($smtp, 4096);
if(empty($smtp)){
echo $response;
return false;
}
echo $response . '<br/>';
fclose($smtp);
Output under apache
Warning: fsockopen(): SSL: crypto enabling timeout in XXX on line 2
Warning: fsockopen(): Failed to enable crypto in XXX on line 2
Warning: fsockopen(): unable to connect to ssl://in.mailjet.com:465 (Unknown error) in XXX on line 2
Output with command line
220 srv12.mailjet.com ESMTP Mailjet
<br/>
Platform: I'm using PHP 5.4.11 / Apache 2.2.22 (Win32) on Windows 8 64
-- Edit --
I've tried using TLS as suggested:
$smtp = fsockopen('tls://in.mailjet.com', 567, $errno, $errstr, 30);
And I get
E_WARNING: fsockopen(): in XXX on line XXX
Error message is blank and $errno = (int) 0 and $errstr = (string) ''
I updated my Apache version from 2.2 to 2.4 and it works now.
I've followed this tutoriel : http://lifeofageekadmin.com/how-install-apache-2-4-php-5-4-and-mysql-5-5-21-on-windows-7/ to get the new Apache version.
I was having a similar problem with a contact form which uses captcha, getting the error
fsockopen(): unable to connect to ssl://mail.google.com:443
This is on a FreeBSD vm, with Joomla installed.
Searching, I found http://php.net/manual/en/function.fsockopen.php which mentioned certificate validation.
Installed the FreeBSD port ca_root_nss which includes certificate validation for Root certificates from certificate authorities included in the Mozilla NSS library.