I am trying to read a remote website offering some JSON objects using file_get_contents. The connection should be encrypted so I try connecting using HTTPS.
<?php
$arrContextOptions=array(
"ssl"=>array(
"cafile" => "api.crt",
"verify_peer"=> true,
"verify_peer_name"=> true
),
);
$context = stream_context_create($arrContextOptions);
$jsonObjects = file_get_contents('https://example.com', false, $context);
?>
However, the connection fails with the following error:
PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) in api-read.php on line 13
PHP Warning: file_get_contents(): Failed to enable crypto in api-read.php on line 13
PHP Warning: file_get_contents(https://example.com): failed to open stream: operation failed in api-read.php on line 13
The sources I found so far mentioned different possible causes.
Using wrong protocol versions. AFAIK you can only disallow certain protocols using the cipher option. PHP should support SSLv2, SSLv3 and TLSv1.0, correct? I verified by using curl on the command line that the remote machine accepts connections using SSLv3.
CN mismatch The CN mentioned in the certificate is the IP address I am connecting to.
So far I could not solve the issue or find any helpful information. I am running out of ideas. Any suggestions?
Related
We run an apache2 server and want to use google recaptcha due to high volume of bots on our newsletter.
Therefore I implemented some lines of developers php-code which in general should work ... but not on my server.
I investigated further and found that the function file_get_contents() ends with an SSL error.
file_get_contents(self::SITE_VERIFY_URL, false, $context)
Below you can find an extract from the servers log file.
PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /var/www/html/app/lib/vendor/google/recaptcha/src/ReCaptcha/RequestMethod/Post.php on line 68
PHP Warning: file_get_contents(): Failed to enable crypto in /var/www/html/app/lib/vendor/google/recaptcha/src/ReCaptcha/RequestMethod/Post.php on line 68
PHP Warning: file_get_contents(https://www.google.com/recaptcha/api/siteverify): failed to open stream: operation failed in /var/www/html/app/lib/vendor/google/recaptcha/src/ReCaptcha/RequestMethod/Post.php on line 68
This brought me to the conclusion that Openssl is misconfigured.
So I:
reinstalled ca-certificates with apt-get purge ca-certificate
Also downloaded the cacert.pem and linked it in the php.ini
checked if curl works properly, but it doesnt (every call of curl ends with curl: (60) SSL certificate problem: unable to get local issuer certificate
checked openssl.cnf which looks ok to me.
Any ideas how to solve this would be great.
So I found the problem:
First I changed the filepath according to the comment by drew010.
Then I fixed issues on my server with file permissions of /etc/ssl/certs according to this post: https://askubuntu.com/a/636979
Now file_get_contents does not invoke any errors and recaptcha runs smoothly.
I am trying to use fsockopen on localhost with https on Windows, using Wamp.
It is working fine on http but not on https.
I created a certificate with OpenSSL (How to install: OpenSSL + WAMP) and declared a virtual host in httpd-vhosts.conf file.
Here is the PHP code:
$fp = fsockopen("ssl://localhost", 443, $errno, $errstr, FSOCKOPEN_TIMEOUT); // same pb with ssl://www.localhost
That generates following errors:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
PHP Warning: fsockopen(): Failed to enable crypto
PHP Warning: fsockopen(): unable to connect to ssl://localhost:443 (Unknown error)
I also have following warning in my ssl error log file when Apache starts (I don't know if it may be related):
[ssl:warn] [pid 6008:tid 596] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
Do you have any idea what I did wrong?
Thank you!
Keep in mind - if you create a ssl certificate locally on your own it's normally not trusted by clients (e.g. webbrowser)
When you have followed the cert creation process you have been asked about the Common Name (CN). That should be a domain over which you are planning to serve your webpage, or, when you only use it locally it can also be localhost.
In your case you used something differnt which does not match the ServerName or ServerAlias in your apache config.
Atm I don't understand why you want connect to localhost via ssl - from a security perspective it's not really necessary.
Otherwise you could force your client (php) to not check the certificate's validity
<?php
$context = stream_context_create([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false
]
]);
$fp = stream_socket_client("ssl://localhost", $errno, $errstr, ini_get("default_socket_timeout"), STREAM_CLIENT_CONNECT, $context);
But do that only (!) for local connections
I'm trying to open a TLS connection using this code:
<?php
$cafile = '/var/www/html/mosquitto/cert.pem';
$socketContext = stream_context_create(["ssl" => [
"verify_peer_name" => true,
"cafile" => $cafile
]]);
$socket = stream_socket_client("tls://xx.xx.xx.xx:8883", $errno, $errstr, 60, STREAM_CLIENT_CONNECT, $socketContext);
if (!$socket) {
print("Error: ".$errstr);
return false;
}else{
print("Connection Opened");
}
?>
Nginx error log:
2018/02/08 17:40:28 [error] 1331#1331: *658 FastCGI sent in stderr: "PHP message: PHP Warning: stream_socket_client(): SSL operation $
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /var/www/html/test.php on line 10
PHP message: PHP Warning: stream_socket_client(): Failed to enable crypto in /var/www/html/test.php on line 10
PHP message: PHP Warning: stream_socket_client(): unable to connect to tls://xx.xx.xx.xx:8883 (Unknown error) in /var/www/html/test.$
This is always getting in error section !$socket but without any error string. It's just Error:. How can I fix this issue? I'm speculating cert.pem file may be the issue. What file do I need to put there?
Thanks!
How can I fix this issue?
That's going to be very hard until you know what the issue is.
Clearly tackling the problem using stream_socket_client is not working and is not giving you any useful diagnostic information. You need to breakdown what this call is doing and test each part in isolation.
Does 'xx.xx.xx.xx' represent an IP address or a hostname? If it's the latter you may have issues with resolution. Try dns_get_record() If its the former, how do you expect to validate the subject of the certificate?
Can you connect on port 8883? Try fsockopen()
Is SSL working?
Can you negotiate a cypher
Is the certificate valid
is the certificate signed by a CA in your certs.pem file
You can check these from the command line with openssl s_client
Update
From your edit: certificate verify failed - see note above regarding IP address and certificate vlidation
I followed a certain tutorial found here to install Wordpress onto App Engine, using a SQL Cloud Database.
I'm up to the point when I have to run the setup script to download the Wordpress archive and plugins. When that command is ran I get the following errors:
Downloading the WordPress archive...
Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /Users/Me/Sites/Blog/src/Project.php on line 47
Warning: file_get_contents(): Failed to enable crypto in /Users/Me/Sites/Blog/src/Project.php on line 47
Warning: file_get_contents(https://wordpress.org/latest.zip): failed to open stream: operation failed in /Users/Me/Sites/Blog/src/Project.php on line 47
I've looked at multiple resources to combat this issue such as, this one, where they suggest to set the verification to the peer to false, but I do not have that option within this project. I also found that someone suggested to use curl instead but I'm unsure how to use that without breaking the project.
i try to include a file from a remote server. When i use normal ftp everything works well. when i try to use ftps ...
<?php
$erg = include("ftps://user:pw#ftp.doamin.de/files/toinclude.php");
?>
i got an error:
Warning: include(): SSL operation failed with code 1. OpenSSL Error messages: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure in /var/www/html/includetest.php on line 10
Warning: include(ftps://...#ftp.domain.de/files/toinclude.php): failed to open stream: Unable to activate SSL mode in /var/www/html/includetest.php on line 10
the ftpserver is able to work in "ftp over tls" mode when i use filezilla to connect.
on the webserver openssl is activated in this version: OpenSSL 1.0.1f 6 Jan 2014
i already searched the web and this site for quite a while but without any sucess.
lg grischan