I'm using the PHP userland library, found here: https://github.com/mongodb/mongo-php-library
, with documentation at: http://mongodb.github.io/mongo-php-library/classes/client/
How do I supply SSL options and which constructor to use? I'm assuming MongoDB/Client but documentation is sparse.
I have the usual on the server; CA file, server certificate and private key file with net.ssl being set to requireSSL.
So if anyone has tried anything, it'd be great if you can list what worked.
Update
A lot of googling took me to this page. and I could only get the mongo shell connected successfully, but definitely not through the php library. I am using MongoDB 3.2.1 on Centos7.
Additionally I see that client certificates need two additional fields in the x509 certificates[keyUsage = digitalSignature, extendedKeyUsage = clientAuth], as narrated here. Now although that isn't impossible, but isn't a very manageable or scalable way for my implementation in my opinion.
Also a strange thing I discovered is that the CN in the final client certificate needs to be "localhost.". You cannot omit the last period. And the --host argument accordingly has to be "localhost." (not just localhost) or else the validation fails. But if you try to create a certificate with the CN as just localhost, you will never be able to connect to the server and the validation would fail everytime.
Related
I am doing a CAS integration with a project that I am doing with my university. The final integration should be made with symfony2, however first I need to make the example code working.
I finally get working the example_simple.php example with phpCAS 1.3.2 , however the directive:
phpCAS::setNoCasServerValidation();
is the enabled one. I think I should use instead:
phpCAS::setCasServerCACert($cas_server_ca_cert_path);
However when I enable this second one (and disable the other) then the authorization does not work anymore. Here is the relevant output line error of the log:
could not open URL 'https://cas_server.fi/cas/serviceValidate?service=http%3A%2F%2Flocalhost%2Fphpcas2%2Fdocs%2Fexamples%2Fexample_simple.php&ticket=ST-115606-M1Omd1cHWzbLbmxa1nYV-cas' to validate (CURL error #60: SSL certificate problem: unable to get local issuer certificate) [Client.php:2763]
The cas server provided me two .crt files:
MYCASRootCA.crt
MYCASLinuxSUBCA.crt
And they are suppose to be installed in my system (Ubuntu 13.10). They are in different places, such a /etc/ssl/certs/MYCASLinuxSUBCA.pem but also:
/usr/share/ca-certificates/lut/MYCASRootCA.crt
/usr/share/ca-certificates/lut/MYCASLinuxSUBCA.crt
So assuming that the variable $cas_server_ca_cert_path has to have one of these .crt files or .pem dirs (such a /usr/share/ca-certificates/lut/MYCASLinuxSUBCA.crt) I cannot make it work. What I am doing it wrong? My client-server (no the cas server) is in my localhost. Is it a problem? Should I avoid use setCasServerCACert command? Why is it happening?
I've also tried to use the curl-ca-bundle.crt certificate provided by my XAMP instalation (Xampp 1.8.3).
I am a little bit lost with certificates as you can see.
I read about problems with phpCAS and recent Ubuntu versions in https://github.com/Jasig/phpCAS/issues?state=open. However I cannot make this working with the master code, even without certification (by default).
Any ideas would be appreciated...
I have found the solution asking in the github library: https://github.com/Jasig/phpCAS/issues/119
The reason is that the curl binary used by PHP in my xampp installation is different from the system's curl binary. The system one has access to /etc/ssl/certs/ certificates, but the xampp curl does not have (unless you don't indicate it, of course). By default, it searches in a special certificate-bundle-file.
Finally I have found the real certificate for my cas-server and I am using it, however maybe you want to use other proposed solution at the end of the discussion thread if you are having a similar problem.
I am trying to use a c++ app to access a php script on a different computer. The script queries a mysql database and outputs the values. When accessing https://myaddress/script.php in my web browser, it gives me the "The site's security certificate is not trusted!" page, then allows me to Proceed Anyway. I expected that, and it is ok because I have not yet jumped through the hoops to get my certificate certified.
However, when I try to access the same site from within my c++ app using QNetworkAccessManager, it tells me that the SSL handshake failed and quits out.
Why is this a problem? Does it have something to do with the fact that my certificate hasn't been authenticated, or is it something else? Can I set a feature in Qt Creator that allows my code to access even not trusted sites?
Any guidance would be very helpful,
Thanks in advance.
I had similar problem, I did two things:
re run/install Win32 OpenSSL Installation.
Download the latest "light" Win32 or Win64 installation package, for example "Win32 OpenSSL v0.9.8l Light".
follow link here:
http://developer.nokia.com/community/discussion/showthread.php/234276-Qt-SSL-handshake-failed
My college downloaded cert-name.crt file from external host. Now we need to connect to web service platform, obviously using their SSL certificate. We are a bit confused by OpenSSL documentation. Research didn't help either. All we get is 'Could not connect to host' PHP exception. Just to clear things, interface worked perfectly fine over unsecured HTTP. We use pure Soap library. As an act of desperation we also tried to connect with host without verification by disabling verify_peer variable in SoapClient stream context. Please help, we are under pressure.
To get your started:
By default, PHP looks for the CA file on UNIX systems in, make sure it is readable by the PHP invoker (user via cli, Apache user, etc..), and place the .crt file here:
/etc/pki/CA
Currently setting up a backup solution that sends a database dump and some other files from a Wordpress network to a NAS on my LAN, via WebDAV. I have installed PHP WebDAV on my web server and the basic code to get that that to work is:
webdav_connect('http://webdav.example.com/dav', 'davuser', 'davpassword');
webdav_put('/your/nice/thing.txt', $data);
webdav_close();
The issue is, my NAS requires this connection to be done via HTTPS, so in a web browser you'd see a warning which you can ignore, but PHP gives the following warning and the code fails:
Warning: webdav_put() [function.webdav-put]: Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted in /var/www/vhosts/blah/blah/blah.php on line 5
Is there a way in which I can ask PHP to ignore this, or will I need to obtain an SSL certificate? The domain name used for accessing the WebDAV service on my NAS is one provided by Dynamic DNS if that makes a difference.
Is there a way in which I can ask PHP to ignore this, or will I need to obtain an SSL certificate?
I don't know which HTTP Layer PHP WebDAV uses (which extension are you using?), but often it's possible to configure the underlying layer to ignore certificate errors.
If you need certificate verification for security reasons, you should obtain a valid certificate.
Just for completeness as I don't like leaving things un-answered. I've decided to access my WebDAV service via SMEStorage. They provide an API which developers can use for this sort of thing:
http://smestorage.com/?p=static&page=for_developers
I'm trying to bind to an LDAP server using PHP. It's a fairly straightforward process, except that I can't get around a certificate error that I'm getting. My auth credentials are fine, since I can connect to the server with Apache Directory Studio. Is there any way to just automatically accept the server cert? Similar to how you click "Accept this cert.." with Apache directory studio? I know it's not good security, but I just need to make it work at this point and can square away the cert issue later.
Thanks
You don't specify the environment, so here's the answer (found elsewhere on this site: How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP? ):
Linux: on the client machine (PHP web server) modify the ldap.conf file that the systems is using, in RH/Fedora the file you want is /etc/openldap/ldap.conf (not /etc/ldap.conf, that is for system authentication...) . Add/modify the following line:
TLS_REQCERT never
Windows: Add a system environment variable like the following:
LDAPTLS_REQCERT=never
Or in your PHP code, before the ldap_connect, put the following:
putenv('LDAPTLS_REQCERT=never');
These will insure the client web server PHP instance never checks the FQDN of the server against the CN (common name) of the certificate. Very helpful in cluster environments where a virtual IP and certificate for that is used. But since this also makes it so that the other tools/applications in the entire OS on the web server machine will not check this either, please insure that your environment allows this change (high-security environments might not allow it).
Use a web browser, point at ldaps://ipaddress/
when the cert pop up box shows up, view the cert, look at the cert chain, find the trusted root (not the specific cert being used, rather the parent who signed it) then export THAT cert. Save in in PEM and B64 format. (Binary and B64 encoded).
Then use that to get it into the PHP keystore format, whichever that is. Java keystores are easy. Not sure what PHP uses.