Goutte - TLSv1 protocol version error - php

I'm using Goutte to get a page on a web server using an SSL certificate. Whenever I try to get this page the the following exception is thrown:
Uncaught exception 'Guzzle\\Http\\Exception\\CurlException' with message
'[curl] 35: error:1407742E:SSL
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
[url] https://somesite.com
I have been looking online for this type of error. It seems that this error happens when there is a handshake failure. The server seems to support TLSv1 and the client uses SSL23.
I'm not sure if this assessment is correct nor do I know how to correct it.
This is the code I'm currently using:
<?php
use Goutte\Client;
$client = new Client();
$guzzle = $client->getClient();
$guzzle->setConfig(
array(
'curl.CURLOPT_SSL_VERIFYHOST' => false,
'curl.CURLOPT_SSL_VERIFYPEER' => false,
)
);
$client->setClient($guzzle);
$crawler = $client->request('GET', 'https://somesite.com'); // IT FAILS HERE
UPDATE:
NOTE: I started getting a few weeks ago a similar error, so I thought I would update the question and answer as they are related.
I got a similar error:
[curl] 35: Unknown SSL protocol error in connection to website.com:443


I found the answer to this problem in the blogpost "Fixing SSL Handshake with PHP5 and Curl"
This error can happen in some operating systems but not in all making it a hard issue to replicate. I am currently using Ubuntu 12.04 in my development environment.
Thankfully this is something that can be addressed at the code level like this:
use Goutte\Client;
$client = new Client();
$guzzle = new GuzzleClient('https://somesite.com', array(
'curl.options' => array(
'CURLOPT_SSLVERSION' => 'CURL_SSLVERSION_TLSv1',
)
));
$client->setClient($guzzle);
$crawler = $client->request('GET', 'https://somesite.com');
UPDATE:
For the solution for the message
[curl] 35: Unknown SSL protocol error in connection to website.com:443
was a bit tricky to resolve as the message gives no indication of what is going on.
This GitHub issue pointed me in the right direction tho. There are multiple versions of the CURLOPT_SSLVERSION I can use (of course!), but these include v1.0, v1.1, and v1.2! See the curl_setopt for more information.
For this particular error I ended up using the following code:
$guzzle = new GuzzleClient('https://somesite.com', array(
'curl.options' => array(
'CURLOPT_SSLVERSION' => 'CURL_SSLVERSION_TLSv1_1',
)
));
The site I was trying to connect to would not accept any other option including CURL_SSLVERSION_TLSv1.

Related

How to solve cURL error 6: Could not resolve host with Guzzle?

Getting this error message when trying to send any request using Guzzle php library. It is HTTP client based on curl. My example code to work:
$client = new GuzzleHttp\Client(['base_uri' => 'https://api.twitter.com/oauth/']);
$response = $client->request('POST', 'access_token');
error: cURL error 6: Could not resolve host: foo.ru (see
http://curl.haxx.se/libcurl/c/libcurl-errors.html)
I have tried any other url, update my /etc/resolv.conf error is the same.
Could you give me some ideas how to fix it ?
Ubuntu, PHP 7.2

Laravel 5.8.* using GuzzleHttp on production

I'm using GuzzHttp in my laravel project to post some data to an API. In my local enviroment I have to to create my client with the cacert.pem file verification like this:
$client = new \GuzzleHttp\Client(['verify' => 'C:\wamp64\bin\php\php7.2.14\cacert.pem']);
But I can't do so on my shared hosting. So, removing that verification:
$client = new \GuzzleHttp\Client();
Results on an internal server error:
[2019-06-11 15:17:10] local.ERROR: GuzzleHttp\Exception\ServerException: Server error: `POST https://pruebas2.mayoristaseguridad.es/tiendaseguridad/02-ConectorLaravelPrestashop/ConectorCategorias.php` resulted in a `500 Internal Server Error` response in /home/admin/web/iberoseguridad.eu/public_html/csv_products/vendor/guzzle/guzzlehttp/guzzle/src/Exception/RequestException.php:113
Is there a way to fix this error?

Not sure if this will help, here it goes anyways
// Disable validation entirely (don't do this!).
$client->request('GET', '/', ['verify' => false]);
Guzzle verify api

This ended up being a remote server error, not mine. I just had to communicate that error with the server's maintainer and now it works just fine.

Error PHP 7.0 and SSL TLS 1.0

Im having a problem with SoapClient and PHP 7.0 to parse wsdl.
Im getting this error:
SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://ws.ocasa.com/testecommerce/service.asmx?wsdl' : failed to load external entity "https://ws.ocasa.com/testecommerce/service.asmx?wsdl"
If you put this URL in a browser you can see the SOAP, and also in SoapUI it works OK.
I'm using laravel 5.4, and my code is:
$client = new \SoapClient('https://ws.ocasa.com/testecommerce/service.asmx?wsdl',
['soap_version'=>SOAP_1_2]);
I noticed that that website is under SSL TLS 1.0. If I change PHP to 5.6, it works perfect, but with PHP 7.0 it does not work.
If I change to this other WSDL:
https://id3check.gb.co.uk/gbportalinternational/aspx/id3check_1b.asmx?WSDL
Everything works fine.
Thank you

you could choose to ignore a bad cert:
$endpoint = new SOAPClient($url,
array(
'soap_version'=>SOAP_1_2,
'stream_context' => stream_context_create(
array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false
)
)
)
)
);
This would be a solution, should you not have access to the soap server to correct the certificate, or be able to elsewise make your server accept the certificate.
This should be the last solution as indeed you ignore all warnings something is wrong

Services_Twilio_TinyHttpException error PHP

I been trying to seen SMS messages from Twilio but get the error message.
I have added a path to a new curl.cainfo in the php.info
curl.cainfo = c:\wamp\certs\cacert.pem
yet I still was getting an error.
ERROR MESSAGE WAS:
Fatal error: Uncaught exception 'Services_Twilio_TinyHttpException' with message 'SSL certificate problem: self signed certificate in certificate chain' in C:MYPATH\twilio-php-master\twilio-php-master\Services\Twilio\TinyHttp.php on line 119
This is the PHP code:
<?php
// Get the PHP helper library from twilio.com/docs/php/install
require ('C:/wamp/www/Services/Twilio.php'); // Loads the library
$sid = "Axxxxxxxxxxxxxxxxxxxxxxx9";
$token = "8xxxxxxxxxxxxxxxxxxxxxxx2";
$http = new Services_Twilio_TinyHttp(
'https://api.twilio.com',
array('curlopts' => array(
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2,
)));
$client = new Services_Twilio($sid, $token, "2010-04-01", $http);
$sms = $client->account->sms_messages->create("+1480xxxxx", "+1520xxxxx", "HELP please?! I love you <3", array());
echo $sms->sid;
?>
Im using Windows 8, and the the curl version:cURL Information 7.36.0 is enabled
should I update the curl stated in https://github.com/twilio/twilio-php/blob/master/docs/faq.rst
What am I doing Wrong?

Twilio Customer Support here!
Did you update cURL as mentioned earlier?
https://github.com/twilio/twilio-php/blob/master/docs/faq.rst#ssl-validation-exceptions
It should resolve the issue, if not ping help#twilio.com an email and we can look into it.

Make same changes in php.ini inside apache bin folder.
"curl.cainfo = c:\wamp\certs\cacert.pem"
Restart the service.

SOAP-ERROR: Parsing WSDL: Couldn't load from - but works on WAMP

This works fine on my WAMP server, but doesn't work on the linux master server!?
try{
$client = new SoapClient('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl', ['trace' => true]);
$result = $client->checkVat([
'countryCode' => 'DK',
'vatNumber' => '47458714'
]);
print_r($result);
}
catch(Exception $e){
echo $e->getMessage();
}
What am I missing here?! :(
SOAP is enabled
Error
SOAP-ERROR: Parsing WSDL: Couldn't load from 'http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl' : failed to load external entity "http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl"/taxation_customs/vies/checkVatService.wsdl"
Call the URL from PHP
Calling the URL from PHP returns error
$wsdl = file_get_contents('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl');
echo $wsdl;
Error
Warning: file_get_contents(http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl): failed to open stream: HTTP request failed! HTTP/1.0 503 Service Unavailable
Call the URL from command line
Calling the URL from the linux command line HTTP 200 is returned with a XML response
curl http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl

For some versions of php, the SoapClient does not send http user agent information. What php versions do you have on the server vs your local WAMP?
Try to set the user agent explicitly, using a context stream as follows:
try {
$opts = array(
'http' => array(
'user_agent' => 'PHPSoapClient'
)
);
$context = stream_context_create($opts);
$wsdlUrl = 'http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl';
$soapClientOptions = array(
'stream_context' => $context,
'cache_wsdl' => WSDL_CACHE_NONE
);
$client = new SoapClient($wsdlUrl, $soapClientOptions);
$checkVatParameters = array(
'countryCode' => 'DK',
'vatNumber' => '47458714'
);
$result = $client->checkVat($checkVatParameters);
print_r($result);
}
catch(Exception $e) {
echo $e->getMessage();
}
Edit
It actually seems to be some issues with the web service you are using. The combination of HTTP over IPv6, and missing HTTP User Agent string, seems to give the web service problems.
To verify this, try the following on your linux host:
curl -A '' -6 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
this IPv6 request fails.
curl -A 'cURL User Agent' -6 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
this IPv6 request succeeds.
curl -A '' -4 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
curl -A 'cURL User Agent' -4 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
both these IPv4 request succeeds.
Interesting case :) I guess your linux host resolves ec.europa.eu to its IPv6 address, and that your version of SoapClient did not add a user agent string by default.

Security issue: This answer disables security features and should not be used in production!
Try this. I hope it helps
$options = [
'cache_wsdl' => WSDL_CACHE_NONE,
'trace' => 1,
'stream_context' => stream_context_create(
[
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true
]
]
)
];
$client = new SoapClient($url, $options);

This issue can be caused by the libxml entity loader having been disabled.
Try running libxml_disable_entity_loader(false); before instantiating SoapClient.

It may be helpful for someone, although there is no precise answer to this question.
My soap url has a non-standard port(9087 for example), and firewall blocked that request and I took each time this error:
ERROR - 2017-12-19 20:44:11 --> Fatal Error - SOAP-ERROR: Parsing
WSDL: Couldn't load from 'http://soalurl.test:9087/orawsv?wsdl' :
failed to load external entity "http://soalurl.test:9087/orawsv?wsdl"
I allowed port in firewall and solved the error!

Try changing
$client = new SoapClient('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl', ['trace' => true]);
to
$client = new SoapClient('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl', ['trace' => true, 'cache_wsdl' => WSDL_CACHE_MEMORY]);
Also (whether that works or not), check to make sure that /tmp is writeable by your web server and that it isn't full.

Try enabling openssl extension in your php.ini if it is disabled.
This way I could access the web service without need of any extra arguments, i.e.,
$client = new SoapClient(url);

None of the above works for me, so after a lot of research, I ended up pre-downloading the wsdl file, saving it locally, and passing that file as the first parameter to SoapClient.
Worth mentioning is that file_get_contents($serviceUrl) returned empty response for me, while the url opened fine in my browser. That is probably why SoapClient also could not load the wsdl document. So I ended up downloading it with the php curl library. Here is an example
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $serviceUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$wsdl = curl_exec($ch);
curl_close($ch);
$wsdlFile = '/tmp/service.wsdl';
file_put_contents($wsdlFile, $wsdl);
$client = new SoapClient($wsdlFile);
You can of course implement your own caching policy for the wsdl file, so it won't be downloaded on each request.

503 means the functions are working and you're getting a response from the remote server denying you. If you ever tried to cURL google results the same thing happens, because they can detect the user-agent used by file_get_contents and cURL and as a result block those user agents. It's also possible that the server you're accessing from also has it's IP address blackballed for such practices.
Mainly three common reasons why the commands wouldn't work just like the browser in a remote situation.
1) The default USER-AGENT has been blocked.
2) Your server's IP block has been blocked.
3) Remote host has a proxy detection.

After hours of analysis reading tons of logs and internet, finally found problem.
If you use docker and php 7.4 (my case) you probably get error because default security level in OpenSSL it too high for wsdl cert. Even if you disable verify and allow self-signed in SoapClient options.
You need lower seclevel in /etc/ssl/openssl.cnf from DEFAULT#SECLEVEL=2 to
DEFAULT#SECLEVEL=1
Or just add into Dockerfile
RUN sed -i "s|DEFAULT#SECLEVEL=2|DEFAULT#SECLEVEL=1|g" /etc/ssl/openssl.cnf
Source: https://github.com/dotnet/runtime/issues/30667#issuecomment-566482876
You can verify it by run on container
curl -A 'cURL User Agent' -4 https://ewus.nfz.gov.pl/ws-broker-server-ewus/services/Auth?wsdl
Before that change I got error:
SSL routines:tls_process_ske_dhe:dh key too small

It was solved for me this way:
Every company from which you provide "Host" has a firewall.
This error occurs when your source IP is not defined in that firewall.
Contact the server administrator to add the IP.
Or the target IP must be defined in the server firewall whitelist.

I use the AdWords API, and sometimes I have the same problem.
My solution is to add
ini_set('default_socket_timeout', 900);
on the file
vendor\googleads\googleads-php-lib\src\Google\AdsApi\AdsSoapClient.php line 65
and in the
vendor\googleads-php-lib\src\Google\AdsApi\Adwords\Reporting\v201702\ReportDownloader.php line 126
ini_set('default_socket_timeout', 900);
$requestOptions['stream_context']['http']['timeout'] = "900";
Google package overwrite the default php.ini parameter.
Sometimes, the page could connect to 'https://adwords.google.com/ap
i/adwords/mcm/v201702/ManagedCustomerService?wsdl and sometimes no.
If the page connects once, The WSDL cache will contain the same page, and the program will be ok until the code refreshes the cache...

Adding ?wsdl at the end and calling the method:
$client->__setLocation('url?wsdl');
helped to me.

I might have read all questions about this for two days. None of the answers worked for me.
In my case I was lacking cURL module for PHP.
Be aware that, just because you can use cURL on terminal, it does not mean that you have PHP cURL module and it is active.
There was no error showing about it. Not even on /var/log/apache2/error.log
How to install module:
(replace version number for the apropiated one)
sudo apt install php7.2-curl
sudo service apache2 reload

I had the same problem
From local machines everything work (wamp + php5.5.38 or vagrant + php 7.4), but from prod linux server I had error
SOAP-ERROR: Parsing WSDL: Couldn't load from 'http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl' : failed to load external entity "http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl"
From redirect path plugin in chrome I discovered permanent redirect to https, but change url to https doesnt help.
Status Code URL IP Page Type Redirect Type Redirect URL
301 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl 147.67.210.30 server_redirect permanent https://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
200 https://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl 147.67.210.30 normal none none
After few attempts of different code solutions helped my our server provider. He discovered problem in IP forwarding with ipv6.
http://ec.europa.eu/
Pinging ec.europa.eu [147.67.34.30] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Recommendation was user stream_context_create with socket and bind to 0:0. this forces ipv4
// https://www.php.net/manual/en/context.socket.php
$streamContextOptions = [
'socket' => [
'bindto' => '0:0'
],
];
$streamContext = stream_context_create($streamContextOptions);
$soapOptions = [
'stream_context' => $streamContext
];
$service = new SoapClient('https://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl', $soapOptions);

I had similar error because I accidently removed attribute
[ServiceContract] from my contract, yet the service host was still opening successfully. Blunders happen

May try to see if the endpoint supports https as well

Below solution worked for me.
1- Go to php.ini in ubuntu with apache is /etc/php/7.4/apache2
( note: you should use your php version replace by 7.4 )
2- Remove ; from this line ;extension=openssl to make in uncommented.
3- Restart your web server sudo service apache2 restart

Categories