Trying to connect SSL server using fsockopen()

4
votes

I'm running the next script from my local host and the production server, and Im getting different outputs. Anyone knows why am I getting that false from my localhost?

<?php
$host = 'ssl://mail.companyname.org';
$port = 993;
$error = 0;
$errorString = "";

var_dump(fsockopen($host, $port, $error, $errorString, 30));
var_dump($errorString);
var_dump($error);

Local host output:

bool(false)

Production server output:

resource(4) of type (stream)

UPDATE: after the comments/answer I have modified the code and now Im getting this output on my local host:

PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /tmp/test.php on line 7 PHP Warning: fsockopen(): Failed to enable crypto in /tmp/test.php on line 7 PHP Warning: fsockopen(): unable to connect to ssl://mail.twmdata.org:993 (Unknown error) in /tmp/test.php on line 7 bool(false) string(0) "" int(0)

3
phpphp-5.6fsockopen
Looks as your local server not permitted on service side. Check firewalls and other configurations - Slava Rozhnev
Probably stating the obvious here, but $errorString might contain some useful information. You haven't mentioned anything about it. What does it say? - Ro Achterberg
@RoAchterberg $errorString is empty. - ziiweb
"certificate verify failed" As @brensnap already pointed out, you don't have the OpenSSL settings properly configured on localhost. Check out the php.ini file on your production server. - Olivier
any update? need any help? your SSL certificate has been expired 4 days ago. - Abilogos

3 Answers

5
votes

it seems this is problem with server certificate :

first you can check if your server certificate and its chains are valid by this:

https://www.sslshopper.com/ssl-checker.htm

if somethings were wrong in ssl-checker?

  • you can try to correct SSL certificate configs in companyname.org

    if you succeed and error was persists ?

    1. you have to add Certificate files manually.

if you have a self-signed certificate:

  1. you have to add Certificate files manually.

if you dont have certificate nor you dont care about man-in-the-middle attack, you can still use SSL without Certificate.

  1. turn off php fsock Certificate check (not recommended)

its recommended to have a certificate at least a self-signed. if you have a self-signed try 1 solution.

I have found the Problem

You have exposed your Domain name in your PHP Warning Log, so i have checked your domain SSL.

after i check your company`s domain certificate using this tool:

https://www.sslshopper.com/ssl-checker.html#hostname=twmdata.org

it had 2 errors with your certificates:

  • This certificate has expired (0 days ago). Renew now.

  • None of the common names in the certificate match the name that was entered (twmdata.org). You may receive an error when accessing this site in a web browser.

so it seems you have to renew your certificate first

certificate error

Update:

i have found this answer maybe helpful

https://stackoverflow.com/a/40962061/9287628

it suggested to use

stream_context_create(['ssl' => [
   'ciphers' => 'RC4-MD5'
]])

as @ChrisHaas suggested connecting with stream_context_create and stream_socket_client brings you a lot of option if you want to dictate the cert directory or you want to turn off certificate check.

3
votes

Per the documentation for fsockopen

The function stream_socket_client() is similar but provides a richer set of options, including non-blocking connection and the ability to provide a stream context.

Basically, fsockopen is very low-level but without many options, or, arguably, "sane defaults".

Instead, you can switch to stream_socket_client which will allow you to specify a context as the last parameter, and that object has many options, including a dedicated one with over a dozen options specific to SSL. The object created from this function is compatible with fwrite and other functions, so it should do everything you are hoping for.

$context = stream_context_create([/*Options here*/]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);

Now, what options should you use?

The worst option that might work is probably verify_peer. I say "worst" because you are throwing away the verifiability part of SSL/TLS and only using it for encryption, and doing this will make you susceptible to MitM attacks. However, there's a place and time for this, so you could try it if the other options are too complicated.

$context = stream_context_create(['ssl' => ['verify_peer' => false]]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);

Instead, I'd recommend using either cafile or capath which do the same thing except the former is for a file while the latter is for a directory.

$context = stream_context_create(['ssl' => ['verify_peer' => true, 'cafile' => '/path/to/file']]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);

What certs should you use? We use this library to pull in recent CA files on a periodic basis, very convenient. There's a little bit of setup that's per-project but once you get it it goes pretty fast. See this for pulling in a CA file at a well-known location.

One other last option is local_cert which you can use with a PEM file that holds the certificate and private key from the server, if you have access to that.

EDIT

The cert on mail.twmdata.org:993 is different than the web server's cert that other people are talking about, which is generally a best practice. You can inspect that cert using:

openssl s_client -connect mail.twmdata.org:993 -servername mail.twmdata.org

If you do that, you'll see that the server has a self-signed cert which you can get around by setting the verify_peer option to false.

2
votes

Remove the @ symbol. You are hiding error messages that might tell you what the problem is. You should also set a variable in the errorno argument to fsockopen() and echo it for debugging.

My guess would be that you haven't installed PHP with SSL support on your local server. See here.

Companyname.org might also block requests from your local server that are allowed from the production server.