tirengarfio Posted November 26, 2020 (edited)

Hi, I'm running the following script from my local host and the production server, and I'm getting different outputs. Does anyone know why I am getting that error from my localhost?

```php
<?php

$host = 'ssl://mail.companyname.org';
$port = 993;
$error = 0;
$errorString = "";
var_dump(fsockopen($host, $port, $error, $errorString, 30));
var_dump($errorString);
var_dump($error);
```

Local host output:

> PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /tmp/test.php on line 7
> PHP Warning: fsockopen(): Failed to enable crypto in /tmp/test.php on line 7
> PHP Warning: fsockopen(): unable to connect to ssl://mail.twmdata.org:993 (Unknown error) in /tmp/test.php on line 7
> bool(false)
> string(0) ""
> int(0)

Production server output:

> resource(4) of type (stream)

Edited November 26, 2020 by tirengarfio

gw1500se Posted November 26, 2020

This is an SSL certificate issue. Make sure you have OpenSSL's default CA bundle implemented properly. Alternatively, though not the best idea, you could turn off SSL verification by setting options 'verify_peer' and 'verify_peer_name' both to false.

tirengarfio Posted November 26, 2020 (edited)

Thanks, but could you give me a bit more detail, please? How can I check if I have OpenSSL's default CA bundle implemented properly? I'm on Ubuntu 20.

Edited November 26, 2020 by tirengarfio

kicken Posted November 26, 2020

Your mail server is using a self-signed certificate rather than one from a trusted CA. This is why your verification is failing. Solving this requires using stream_socket_client rather than fsockopen so you can control the verification process via a stream context. There are a couple ways to address this using the context option, from best to worst:

1) Verify against a copy of your server certificate

This involves saving a copy of your server's certificate alongside your script in a file, then using the cafile option to tell PHP to verify the received certificate against this saved certificate. This allows the connection to complete only if the verification is successful, thus preventing things such as MITM attacks.

```php
<?php
$host = 'ssl://mail.example.org:993';
// Trust only the saved copy of the server's certificate.
$context = stream_context_create(['ssl' => ['cafile' => 'mail.example.org.crt']]);
// Returns a stream resource on success, false if the connection or verification fails.
var_dump(stream_socket_client($host, $error, $errorString, 30, STREAM_CLIENT_CONNECT, $context));
var_dump($errorString);
var_dump($error);
```

2) Allow your self-signed certificate

You can instruct PHP to accept a self-signed certificate using the allow_self_signed option. This will continue to verify that the host-name matches but does not verify the authenticity of the server against a known certificate. This could allow someone to intercept traffic to the server by generating another self-signed certificate with the correct host-name.

3) Disable verification entirely

You can tell PHP to skip certificate verification with the verify_peer option. This will leave the connection encrypted but provides no protection against server impersonation.
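
A diagnostic for the two questions raised in this thread, added here as an example (not code from any of the posters): it reports where this PHP build's OpenSSL looks for trusted CAs, then tries the handshake against the system store and, if the file exists, against a pinned copy of the server certificate. The host name, the certificate path and the function names `tryTls` and `describeTrustStore` are assumptions for illustration.

```php
<?php
// Added example: find out which trust source lets the TLS handshake verify.
// The host and the pinned-certificate path below are placeholders.

// Try one TLS connection with the given 'ssl' context options.
// Returns [connected?, first warning raised by PHP/OpenSSL].
function tryTls(string $target, array $sslOptions): array
{
    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true; // keep PHP from printing it; we report it ourselves
    });
    $ctx = stream_context_create(['ssl' => $sslOptions]);
    $fp = stream_socket_client($target, $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($fp !== false) {
        fclose($fp);
        return [true, ''];
    }
    return [false, $warnings[0] ?? "$errstr ($errno)"];
}

// Where does this PHP build's OpenSSL look for trusted CAs?
function describeTrustStore(): array
{
    $loc = openssl_get_cert_locations();
    $cafile = ini_get('openssl.cafile') ?: $loc['default_cert_file'];
    $capath = ini_get('openssl.capath') ?: $loc['default_cert_dir'];
    return [
        'cafile' => $cafile, 'cafile_readable' => is_readable($cafile),
        'capath' => $capath, 'capath_readable' => is_dir($capath) && is_readable($capath),
    ];
}

$target = 'ssl://mail.example.org:993';        // placeholder host
$pinned = __DIR__ . '/mail.example.org.crt';   // saved copy of the server certificate

print_r(describeTrustStore());

$cases = ['system CA bundle' => []];
if (is_readable($pinned)) {
    $cases['pinned certificate'] = ['cafile' => $pinned];
}
foreach ($cases as $label => $opts) {
    [$ok, $why] = tryTls($target, $opts);
    printf("%-20s %s %s\n", $label, $ok ? 'verified' : 'FAILED', $why);
}
```

If the system store fails while the pinned certificate verifies, the trust store is working and the server certificate is simply not issued by a CA it contains.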