Trying to connect using fsockopen


tirengarfio

Hi,

I'm running the next script from my local host and the production server, and I'm getting different outputs. Does anyone know why I am getting that error from my localhost?

    <?php
    $host = 'ssl://mail.companyname.org';
    $port = 993;
    $error = 0;
    $errorString = "";
    
    var_dump(fsockopen($host, $port, $error, $errorString, 30));
    var_dump($errorString);
    var_dump($error);


Local host output:

> PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL
> Error messages: error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed in
> /tmp/test.php on line 7 PHP Warning:  fsockopen(): Failed to enable
> crypto in /tmp/test.php on line 7 PHP Warning:  fsockopen(): unable to
> connect to ssl://mail.twmdata.org:993 (Unknown error) in /tmp/test.php
> on line 7 bool(false) string(0) "" int(0)

Production server output:

resource(4) of type (stream)


Your mail server is using a self-signed certificate rather than one from a trusted CA.  This is why your verification is failing.  Solving this requires using stream_socket_client rather than fsockopen so you can control the verification process via a stream context.  There are a couple ways to address this using the context option, from best to worst:

1) Verify against a copy of your server certificate
This involves saving a copy of your server's certificate alongside your script in a file, then using the cafile option to tell PHP to verify the received certificate against this saved certificate.  This allows the connection to complete only if the verification is successful, thus preventing things such as MITM attacks.

    <?php

    $host = 'ssl://mail.example.org:993';
    $context = stream_context_create(['ssl' => ['cafile' => 'mail.example.org.crt']]);
    var_dump(stream_socket_client($host, $error, $errorString, 30, STREAM_CLIENT_CONNECT, $context));
    var_dump($errorString);
    var_dump($error);

2) Allow your self-signed certificate
You can instruct PHP to accept a self-signed certificate using the allow_self_signed option.  This will continue to verify that the host-name matches but does not verify the authenticity of the server against a known certificate.  This could allow someone to intercept traffic to the server by generating another self-signed certificate with the correct host-name.

3) Disable verification entirely
You can tell PHP to skip certificate verification with the verify_peer option.  This will leave the connection encrypted but provides no protection against server impersonation.
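
Added example, not part of the original answer: one way to carry out option 1 end to end, by saving the server's certificate once and then verifying every later connection against that file. The host name and file name are the placeholders used in the answer; the helper `connectWith()` and the two-step flow are assumptions made for illustration.

```php
<?php
// Placeholders from the answer above; replace with your own server and path.
$address  = 'ssl://mail.example.org:993';
$certFile = __DIR__ . '/mail.example.org.crt';

/** Hypothetical helper: connect with the given ssl context options; returns the stream or false. */
function connectWith(string $address, array $ssl)
{
    $context = stream_context_create(['ssl' => $ssl]);
    // @ silences the warnings; failure is reported through the return value instead.
    return @stream_socket_client($address, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
}

// Step 1 (run once): fetch the certificate without verification, only to save it.
if (!is_file($certFile)) {
    $stream = connectWith($address, [
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'capture_peer_cert' => true,   // exposes the certificate in the context options
    ]);
    if ($stream === false) {
        exit("Could not reach $address\n");
    }
    $params = stream_context_get_params($stream);
    $cert   = $params['options']['ssl']['peer_certificate'];
    fclose($stream);

    // Compare this value with the fingerprint read on the mail server itself
    // before trusting the saved file; nothing has been verified at this point.
    echo 'SHA-256 fingerprint: ', openssl_x509_fingerprint($cert, 'sha256'), "\n";
    openssl_x509_export_to_file($cert, $certFile);
    exit("Saved $certFile; check the fingerprint, then run again.\n");
}

// Step 2 (every later run): verification stays on, anchored to the saved certificate.
$stream = connectWith($address, ['cafile' => $certFile]);
if ($stream === false) {
    exit("Verification against $certFile failed; not connecting.\n");
}
echo "Verified connection established.\n";
fclose($stream);
```

If the server's certificate is later replaced, step 2 starts failing; delete the saved file and repeat step 1, including the fingerprint comparison.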
