I am trying to get PHP to accept a certificate which Chrome accepts.
I created the following minimal reproducing example:
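```php
<?php
// Print the OpenSSL version PHP was built against
echo OPENSSL_VERSION_TEXT;

require 'vendor/autoload.php';

// Fetch the latest CA bundle via paragonie/certainty into /tmp/
$fetch = new \ParagonIE\Certainty\RemoteFetch('/tmp/');
$latestBundle = $fetch->getLatestBundle();

// Stream context that verifies the peer against that bundle
$context = stream_context_create(
    [
        'ssl' => [
            'cafile' => $latestBundle->getFilePath(),
            'SNI_enabled' => true,
        ],
    ]
);

$url = 'https://example.com:8080/x/y';
echo file_get_contents($url . '?wsdl', false, $context);
```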
I am using https://github.com/paragonie/certainty to get the latest CAcerts.
I get the following error:
```
OpenSSL 1.0.2g 1 Mar 2016
PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error in /tmp/test/test.php on line 20
PHP Warning: file_get_contents(): Failed to enable crypto in /tmp/test/test.php on line 20
PHP Warning: file_get_contents(https://example.com:8080/x/y?wsdl): failed to open stream: operation failed in /tmp/test/test.php on line 20
```
What is going wrong here?
Unfortunately I cannot share the URL (it's behind a firewall anyway).
Accessing it with curl --insecure works, but I would really like to properly verify the CA cert.
EDIT: SSLyze outputs this:
```
SCAN RESULTS FOR example.COM:8080 - >
------------------------------------------------------

 * TLSV1_1 Cipher Suites:
     Forward Secrecy    OK - Supported
     RC4                OK - Not Supported
     Preferred:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA    256 bits
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA        256 bits
        TLS_DH_anon_WITH_AES_256_CBC_SHA    ANONYMOUS
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA    256 bits
     Undefined - An unexpected error happened:
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA    OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

 * TLSV1 Cipher Suites:
     Forward Secrecy    OK - Supported
     RC4                OK - Not Supported
     Preferred:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA    256 bits
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA        256 bits
        TLS_DH_anon_WITH_AES_256_CBC_SHA    ANONYMOUS
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA    256 bits
     Undefined - An unexpected error happened:
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA    OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

 * Deflate Compression:
     OK - Compression disabled

 * Certificate Information:
     Content
       SHA1 Fingerprint:              c2b3ce5b0905caa2ec5998aacf074f99cffb0207
       Common Name:                   example.com
       Issuer:                        Thawte TLS RSA CA G1
       Serial Number:                 10361996092389695445524615643169842847
       Not Before:                    2018-12-05 00:00:00
       Not After:                     2020-12-04 12:00:00
       Signature Algorithm:           sha256
       Public Key Algorithm:          RSA
       Key Size:                      2048
       Exponent:                      65537 (0x10001)
       DNS Subject Alternative Names: ['example.com']
     Trust
       Hostname Validation:           OK - Certificate matches example.com
       Android CA Store (9.0.0_r3):   FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       iOS CA Store (11):             FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Java CA Store (jre-10.0.2):    FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       macOS CA Store (High Sierra):  FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Mozilla CA Store (2018-08-23): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Windows CA Store (2018-08-04): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Symantec 2018 Deprecation:     OK - Not a Symantec-issued certificate
       Received Chain:                example.com
       Verified Chain:                ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Order:          OK - Order is valid
       Verified Chain contains SHA1:  ERROR - Could not build verified chain (certificate untrusted?)
     Extensions
       OCSP Must-Staple:              NOT SUPPORTED - Extension not found
       Certificate Transparency:      OK - 3 SCTs included
     OCSP Stapling
       NOT SUPPORTED - Server did not send back an OCSP response

 * OpenSSL CCS Injection:
     OK - Not vulnerable to OpenSSL CCS injection

 * SSLV3 Cipher Suites:
     Server rejected all cipher suites.

 * SSLV2 Cipher Suites:
     Server rejected all cipher suites.

 * Resumption Support:
     With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
     With TLS Tickets: NOT SUPPORTED - TLS ticket not assigned.

 * Downgrade Attacks:
     TLS_FALLBACK_SCSV: VULNERABLE - Signaling cipher suite not supported

 * TLSV1_3 Cipher Suites:
     Server rejected all cipher suites.

 * OpenSSL Heartbleed:
     OK - Not vulnerable to Heartbleed

 * TLSV1_2 Cipher Suites:
     Forward Secrecy    OK - Supported
     RC4                OK - Not Supported
     Preferred:
        TLS_RSA_WITH_AES_256_CBC_SHA        256 bits
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA        256 bits
        TLS_DH_anon_WITH_AES_256_CBC_SHA    ANONYMOUS
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA    256 bits
     Undefined - An unexpected error happened:
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA    OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

 * Session Renegotiation:
     Client-initiated Renegotiation: VULNERABLE - Server honors client-initiated renegotiations
     Secure Renegotiation:           OK - Supported

 * ROBOT Attack:
     OK - Not vulnerable

SCAN COMPLETED IN 9.31 S
```
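
Added example, not part of the original question and not code from paragonie/certainty: a PHP probe that keeps certificate and hostname verification on and separates the two failure modes visible in the output above, namely the server's `internal error` alert (which the scan also got when offering the `TLS_DHE_DSS` suite) and a chain that cannot be verified (the scan's "Received Chain" lists only the leaf). The host, port, CA bundle path `/tmp/cacert.pem`, the `probe()` helper and its stage labels are assumptions; the restricted cipher list is the OpenSSL spelling of the two RSA-authenticated suites the scan reports as accepted.

```php
<?php
// Added diagnostic example; host, port and bundle path are placeholders.
// Certificate and hostname verification stay enabled for every probe.
function probe(string $host, int $port, string $cafile, ?string $ciphers): array
{
    $ssl = [
        'cafile'                  => $cafile,
        'verify_peer'             => true,
        'verify_peer_name'        => true,
        'peer_name'               => $host, // used for SNI and the hostname check
        'SNI_enabled'             => true,
        'capture_peer_cert_chain' => true,
    ];
    if ($ciphers !== null) {
        $ssl['ciphers'] = $ciphers; // OpenSSL cipher-list syntax
    }
    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
        $warnings[] = $msg; // PHP surfaces the OpenSSL error text as warnings
        return true;
    });
    $stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, stream_context_create(['ssl' => $ssl]));
    restore_error_handler();

    // Classify by the OpenSSL reason text: verification failure vs. server alert
    $text = implode("\n", $warnings);
    $stage = strpos($text, 'certificate verify failed') !== false ? 'chain-verification'
        : (strpos($text, 'alert') !== false ? 'server-alert' : 'other');
    $chain = [];
    if ($stream !== false) {
        $stage = 'ok';
        $opts = stream_context_get_options($stream);
        foreach ($opts['ssl']['peer_certificate_chain'] ?? [] as $cert) {
            $chain[] = openssl_x509_parse($cert)['name']; // subject DN as sent
        }
        fclose($stream);
    }
    return ['stage' => $stage, 'chain' => $chain, 'warnings' => $warnings];
}

$offers = ['library default' => null,
           'RSA-authenticated suites from the scan' => 'DHE-RSA-AES256-SHA:AES256-SHA'];
foreach ($offers as $label => $ciphers) {
    $r = probe('example.com', 8080, '/tmp/cacert.pem', $ciphers);
    printf("%-40s %s (%d certs sent)\n", $label, $r['stage'], count($r['chain']));
    foreach ($r['warnings'] as $w) { echo "    $w\n"; }
}
```

If the default offer ends in `server-alert` while the restricted offer reaches `chain-verification` or `ok`, the cipher offer is what triggers the alert; `chain-verification` means the bundle has no path to the leaf's issuer, which is then fixed by supplying the intermediate certificate rather than by turning verification off.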