IsmAvatar
Posted September 11, 2007

I've looked at the PHP documentation for OpenSSL, but found that the module seemed insufficient for purposes like checking a certificate's expiration date on another server. That is, I could not find a function to run "openssl s_client -connect", so I decided to instead achieve it through shell_exec. This is a three-step process:

1) Check the openssl version via shell_exec('openssl version -v'); just to confirm that openssl is installed and runs properly. This returns "OpenSSL 0.9.7a Feb 19 2003 "

2) Connect to the remote server. As a test, I decided to use www.gna.org, since I know they use a certificate. shell_exec('openssl s_client -connect www.gna.org:4433'); This pauses for about 20 seconds, and then returns FALSE. I've tried various combinations, like removing the -connect argument but leaving the server name in, removing the port, including the https:// part, removing the www, and so on. I have not tried a port other than 4433 yet (I wouldn't know what other port to use). All other methods returned FALSE immediately. This is the only method that delays 20 seconds, which indicates to me that I'm close.

3) Fetch certificate expiration date via shell_exec('openssl x509 -enddate'); although this obviously returns FALSE because I have not been able to connect to the server yet.

Is there a recommended port to use, or should I try with another server?

Link to comment: https://forums.phpfreaks.com/topic/68859-solved-ssl-through-shell_exec/

IsmAvatar (Author)
Posted September 11, 2007

In order to improve the output that I was getting (since "false" wasn't very descriptive), I decided to add the -prexit switch, and switched to port 4432 (on a whim).

```php
<?php
// display debug message
function disp($val, $name)
{
    if ($val == FALSE) {
        print 'No ' . $name . '<br>';
    } else {
        print $name . ': ' . $val . '~<br>';
    }
}

// attempt to get the enddate, with debug messages
$ver = shell_exec('openssl version -v');
disp($ver, 'Version');
$ret = shell_exec('openssl s_client -connect www.gna.org:4432 -prexit');
disp($ret, 'Connect');
$crt = shell_exec('openssl x509 -enddate');
disp($crt, 'EndDate');
```

Now it displays the following:

```
Version: OpenSSL 0.9.7a Feb 19 2003 ~
Connect: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) --- ~
No EndDate
```

with a 20 second delay between Version and Connect (which I assume indicates that it's attempting to access the server).

This is progress, because this proves that "openssl s_client" 'works' somewhat, it just can't access the peer certificate. I also thought "well whenever I visit GNA, they always give me a warning about a self-signed certificate", so also on a whim, I tried another https server, like mail.ship.edu, and still got the exact same effect.

IsmAvatar (Author)
Posted September 11, 2007

The port was supposed to be 443, not 4433 or 4432. When I made this correction, it displayed the certificate and various certificate information. The last line, however, which requests the end date of the certificate, returned "No enddate". I'm wondering if I'm supposed to get the version information in the same execution as "openssl s_client"? If so, what switches would I add to get this information?

In the case of GNA, I'm expecting to see some form of expiration date in year 2017. I see no such information in the basic certificate info.

IsmAvatar (Author)
Posted September 11, 2007

Thanks for all the help guys (not), but I managed to figure it out on my own. Apparently you have to output the s_client information to a file, and then pass that file back into x509. Solved.
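
The fix described in the last post, as an added example that is not code from the thread: it feeds the s_client output to x509 through a pipe instead of the temporary file the poster used, and it validates and escapes the host before it reaches the shell. The function names are hypothetical, and the example assumes a Unix-like shell with the openssl binary on the PATH.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// Accept only plain DNS names so nothing shell-significant reaches the command.
function is_valid_host(string $host): bool {
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Parse the "notAfter=..." line printed by "openssl x509 -enddate".
function parse_enddate(string $x509Output): ?int {
    if (!preg_match('/^notAfter=(.+)$/m', $x509Output, $m)) {
        return null;
    }
    // OpenSSL pads single-digit days with an extra space; collapse it first.
    $text = preg_replace('/\s+/', ' ', trim($m[1]));
    $dt = DateTimeImmutable::createFromFormat('M j H:i:s Y T', $text);
    return $dt === false ? null : $dt->getTimestamp();
}

// One pipeline: s_client prints the peer certificate, x509 reads it on stdin.
function fetch_enddate(string $host, int $port = 443): ?int {
    if (!is_valid_host($host) || $port < 1 || $port > 65535) {
        return null;
    }
    $target = escapeshellarg($host . ':' . $port);
    // </dev/null closes stdin so s_client exits once the handshake is done.
    $cmd = "openssl s_client -connect $target </dev/null 2>/dev/null"
         . " | openssl x509 -noout -enddate 2>/dev/null";
    $out = shell_exec($cmd);
    return is_string($out) ? parse_enddate($out) : null;
}

// Constructed sample of x509 output, so the parser can be exercised offline.
$sample = "notAfter=Sep  1 12:00:00 2017 GMT\n";
echo gmdate('Y-m-d H:i:s', parse_enddate($sample)), " UTC\n";
var_dump(is_valid_host('www.gna.org'));      // plain host name
var_dump(is_valid_host('www.gna.org; id'));  // shell metacharacters

// Live check (needs network access and the openssl binary):
// $ts = fetch_enddate('www.gna.org');
// echo $ts === null ? "No EndDate\n" : gmdate('c', $ts) . "\n";
```

Each shell_exec call starts a separate process, which is why the thread's standalone 'openssl x509 -enddate' call had no certificate to read.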