I'm trying to open a TLS connection using this code:
<?php
$cafile = '/var/www/html/mosquitto/cert.pem';
$socketContext = stream_context_create(["ssl" => [
"verify_peer_name" => true,
"cafile" => $cafile
]]);
$socket = stream_socket_client("tls://xx.xx.xx.xx:8883", $errno, $errstr, 60, STREAM_CLIENT_CONNECT, $socketContext);
if (!$socket) {
print("Error: ".$errstr);
return false;
}else{
print("Connection Opened");
}
?>
Nginx error log:
2018/02/08 17:40:28 [error] 1331#1331: *658 FastCGI sent in stderr: "PHP message: PHP Warning: stream_socket_client(): SSL operation $
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /var/www/html/test.php on line 10
PHP message: PHP Warning: stream_socket_client(): Failed to enable crypto in /var/www/html/test.php on line 10
PHP message: PHP Warning: stream_socket_client(): unable to connect to tls://xx.xx.xx.xx:8883 (Unknown error) in /var/www/html/test.$
This is always getting in error section !$socket but without any error string. It's just Error:. How can I fix this issue? I'm speculating cert.pem file may be the issue. What file do I need to put there?
Thanks!
How can I fix this issue?
That's going to be very hard until you know what the issue is.
Clearly tackling the problem using stream_socket_client is not working and is not giving you any useful diagnostic information. You need to breakdown what this call is doing and test each part in isolation.
Does 'xx.xx.xx.xx' represent an IP address or a hostname? If it's the latter you may have issues with resolution. Try dns_get_record() If its the former, how do you expect to validate the subject of the certificate?
Can you connect on port 8883? Try fsockopen()
Is SSL working?
Can you negotiate a cypher
Is the certificate valid
is the certificate signed by a CA in your certs.pem file
You can check these from the command line with openssl s_client
Update
From your edit: certificate verify failed - see note above regarding IP address and certificate vlidation
Related
In the php.ini I have:
[openssl]
openssl.cafile= /etc/ssl/cert/mydomaincabundle.crt
this line allow email from PHP with SMTP to be sent from PHP es Wordpress or PHP application as i use mydomain.ext certificate.
Now that I need use composer I discovered this line generate SSL error when PHP app like composer try to download data. The error is:
file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Now trying to download from source
If i remove the php.ini line
[openssl]
openssl.cafile= /etc/ssl/cert/mydomaincabundle.crt
this issue is solved but i start to see all PHP mail fail so applications like Wordpress etc are unable to send email.
How I can have mail working and also solve the PHP SSL issue?
If i remove the openssl line with the certificate email sent with SMTP SSL will fail.
Connection: opening to ssl://domain.it:465, timeout=300, options=array ()
Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): Failed to enable crypto
Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): unable to connect to ssl://domain.it:465 (Unknown error)
SMTP ERROR: Failed to connect to server: (0)
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Thank you.
Solved https://github.com/composer/composer/issues/7797#issuecomment-440680491
In centos the position seems to be little bit different How to add Certificate Authority in centos7?
I found it on etc/pki/ca-trust/extracted/openssl
I am trying to use fsockopen on localhost with https on Windows, using Wamp.
It is working fine on http but not on https.
I created a certificate with OpenSSL (How to install: OpenSSL + WAMP) and declared a virtual host in httpd-vhosts.conf file.
Here is the PHP code:
$fp = fsockopen("ssl://localhost", 443, $errno, $errstr, FSOCKOPEN_TIMEOUT); // same pb with ssl://www.localhost
That generates following errors:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
PHP Warning: fsockopen(): Failed to enable crypto
PHP Warning: fsockopen(): unable to connect to ssl://localhost:443 (Unknown error)
I also have following warning in my ssl error log file when Apache starts (I don't know if it may be related):
[ssl:warn] [pid 6008:tid 596] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
Do you have any idea what I did wrong?
Thank you!
Keep in mind - if you create a ssl certificate locally on your own it's normally not trusted by clients (e.g. webbrowser)
When you have followed the cert creation process you have been asked about the Common Name (CN). That should be a domain over which you are planning to serve your webpage, or, when you only use it locally it can also be localhost.
In your case you used something differnt which does not match the ServerName or ServerAlias in your apache config.
Atm I don't understand why you want connect to localhost via ssl - from a security perspective it's not really necessary.
Otherwise you could force your client (php) to not check the certificate's validity
<?php
$context = stream_context_create([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false
]
]);
$fp = stream_socket_client("ssl://localhost", $errno, $errstr, ini_get("default_socket_timeout"), STREAM_CLIENT_CONNECT, $context);
But do that only (!) for local connections
Warning: fsockopen(): SSL operation failed with code 1.
OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in D:\vhosts\abc.com\httpdocs\system\library\mail.php on line 170
Warning: fsockopen(): Failed to enable crypto in D:\vhosts\abc.com\httpdocs\system\library\mail.php on line 170
Warning: fsockopen(): unable to connect to ssl://smtp.gmail.com:465 (Unknown error) in D:\vhosts\abc.com\httpdocs\system\library\mail.php on line 170
Notice: Error: (0) in D:\vhosts\abc.com\httpdocs\system\library\mail.php on line 179
My client's website is unable to send out email and above are the error messages when I use SMTP.
Below are the differences between test and live environments:
It works on testing environment but not on the live server. The testing environment was in linux and the live server is on Windows.
My client's email service provider is Google G Suite.
I tried the default PHP mail() and also SMTP.
Both are unable to send mail.
Any idea what is the root cause of these issues. How do I fix it? How to avoid this kind of scenarios?
I am trying to read a remote website offering some JSON objects using file_get_contents. The connection should be encrypted so I try connecting using HTTPS.
<?php
$arrContextOptions=array(
"ssl"=>array(
"cafile" => "api.crt",
"verify_peer"=> true,
"verify_peer_name"=> true
),
);
$context = stream_context_create($arrContextOptions);
$jsonObjects = file_get_contents('https://example.com', false, $context);
?>
However, the connection fails with the following error:
PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) in api-read.php on line 13
PHP Warning: file_get_contents(): Failed to enable crypto in api-read.php on line 13
PHP Warning: file_get_contents(https://example.com): failed to open stream: operation failed in api-read.php on line 13
The sources I found so far mentioned different possible causes.
Using wrong protocol versions. AFAIK you can only disallow certain protocols using the cipher option. PHP should support SSLv2, SSLv3 and TLSv1.0, correct? I verified by using curl on the command line that the remote machine accepts connections using SSLv3.
CN mismatch The CN mentioned in the certificate is the IP address I am connecting to.
So far I could not solve the issue or find any helpful information. I am running out of ideas. Any suggestions?
I have been getting this error messages from my PHP code used to send message to the APNS...has anyone got faced the same issue?
Warning: stream_socket_client() [function.stream-socket-client]: SSL operation
failed with code 1. OpenSSL Error messages: error:14094410:SSL routines:
SSL3_READ_BYTES:sslv3 alert handshake failure in
/Library/WebServer/Documents/anish/apns/2.php on line 8
Warning: stream_socket_client() [function.stream-socket-client]: Failed to enable
crypto in /Library/WebServer/Documents/anish/apns/2.php on line 8
Warning: stream_socket_client() [function.stream-socket-client]: unable to connect
to ssl://gateway.sandbox.push.apple.com:2195 (Unknown error) in /Library/WebServer
/Documents/anish/apns/2.php on line 8
Failed to connect: 0
Warning: fclose(): supplied argument is not a valid stream resource in
/Library/WebServer/Documents/anish/apns/2.php on line 20*
Also it seems it always fails to connect to gateway.sandbox.push.apple.com. I even tried with PushMeBaby and it too fails to connect to gateway.sandbox.push.apple.com
the problem apparently was with the installation of certificates. If the certificate are installed properly, then everything works great like a charm..!