英文:
SSL/TLS Handshake Error "bad certificate" when using stream_socket_client in PHP
问题
我在尝试使用PHP中的stream_socket_client建立安全连接时遇到了SSL/TLS握手错误,错误消息是"bad certificate"。目标是将我们的PHP应用程序与要求SSL/TLS加密的外部服务集成。
以下是相关的代码片段:
private function createSocketConnection($host, $port){// 客户端证书和私钥的路径// $localCertificateFile = '/var/www/sslcert/suezpublic.crt';// $privateKeyFile = '/var/www/sslcert/privatekesy.pem';// 使用客户端证书创建安全的SSL/TLS上下文$contextOptions = ['ssl' => ['local_cert' => '/var/www/sslcert/suezcombined.pem',// 'local_pk' => '/var/www/sslcert/privatekesy.pem','cafile' => '/var/www/sslcert/bizswitch.pem', // GoDaddy Intermediate证书或您的CA证书'verify_peer' => true, // 启用对等证书验证'verify_peer_name' => true, // 检查通用名称是否存在且与主机名匹配'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, // 使用TLSv1.2// 'crypto_timeout' => 30, // 将握手超时增加到30秒'CN_match' => 'www.suezelectric.com', // 确保通用名称与服务器的主机名匹配'ciphers' => 'HIGH:!SSLv2:!SSLv3', // 指定允许的密码套件以确保安全性'disable_compression' => true, // 为了安全性禁用SSL/TLS压缩'capture_peer_cert' => true,'capture_peer_chain' => true,// 'allow_self_signed' => true,'debug' => true, // 启用SSL调试],];$context = stream_context_create($contextOptions);// 创建TCP/IP套接字连接$socket = stream_socket_client("tls://$host:$port", $errno, $errstr, 30);if ($socket === false) {throw new Exception("Failed to create socket: [$errno] $errstr");}// 在流上启用SSL/TLS$secured = stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);if ($secured === false) {throw an Exception("Failed to enable SSL/TLS on the socket");}return $socket;// 现在您可以使用$socket与服务器使用SSL/TLS发送/接收数据// 例如,您可以使用fwrite($socket, $data)将数据发送到服务器。}
我已经验证了以下内容:
- 客户端证书(public_cert.crt)和私钥(private_key.pem)是有效的,并正确匹配。
- CA证书(server_cert.pem)已提供,并包含必要的中间证书。
- STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT和'ciphers'设置与服务器的配置兼容。
有趣的是,当服务器管理员在服务器端禁用身份验证时,SSL/TLS握手成功完成。但是,当启用身份验证时,会出现"bad certificate"错误,并且还注意到服务器收到了空的证书链。
我已经尝试使用error_log进行调试,并验证了证书文件的路径是正确的。
在我的SSL/TLS配置中是否有任何遗漏或在使用PHP中的stream_socket_client时可能导致此错误的潜在陷阱?对于这个问题的任何指导或见解将不胜感激。谢谢!
英文:
I am encountering an SSL/TLS handshake error with the message "bad certificate" while attempting to establish a secure connection using stream_socket_client in PHP. The goal is to integrate our PHP application with an external service that requires SSL/TLS encryption.
Here is the relevant code snippet:
private function createSocketConnection($host, $port){// Path to the client certificate and private key// $localCertificateFile = '/var/www/sslcert/suezpublic.crt';// $privateKeyFile = '/var/www/sslcert/privatekesy.pem';// Create a secure SSL/TLS context with client certificates$contextOptions = ['ssl' => ['local_cert' => '/var/www/sslcert/suezcombined.pem',// 'local_pk' => '/var/www/sslcert/privatekesy.pem','cafile' => '/var/www/sslcert/bizswitch.pem', // GoDaddy Intermediate certificate or your CA certificate'verify_peer' => true, // Enable peer certificate verification'verify_peer_name' => true, // Check that the common name exists and matches the host name'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, // Use TLSv1.2// 'crypto_timeout' => 30, // Increase the handshake timeout to 30 seconds'CN_match' => 'www.suezelectric.com', // Ensure the common name matches the server's hostname'ciphers' => 'HIGH:!SSLv2:!SSLv3', // Specify allowed ciphers for security'disable_compression' => true, // Disable SSL/TLS compression for security'capture_peer_cert' => true,'capture_peer_chain' => true,// 'allow_self_signed' => true,'debug' => true, // Enable SSL debugging],];$context = stream_context_create($contextOptions);// Create a TCP/IP socket connection$socket = stream_socket_client("tls://$host:$port", $errno, $errstr, 30);if ($socket === false) {throw new Exception("Failed to create socket: [$errno] $errstr");}// Enable SSL/TLS on the stream$secured = stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);if ($secured === false) {throw new Exception("Failed to enable SSL/TLS on the socket");}return $socket;// Now you can use the $socket to send/receive data with the server using SSL/TLS// For example, you can use fwrite($socket, $data) to send data to the server.}
I have verified the following:
- The client certificate (public_cert.crt) and private key (private_key.pem) are valid and correctly matched.
- The CA certificate (server_cert.pem) is provided and contains the necessary intermediate certificates.
- The STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT and 'ciphers' settings are compatible with the server's configuration.
Interestingly, when the server admintrators disable authentication on the server-side, the SSL/TLS handshake completes successfully. However, when authentication is enabled, the "bad certificate" error occurs, and it has also been noticed that the server is receiving an empty certificate chain.
I have already tried debugging with error_log and verified that the certificate files' paths are correct.
Is there anything I am missing in my SSL/TLS configuration or any potential pitfalls when using stream_socket_client in PHP that could be causing this error?
Any guidance or insights into this issue would be greatly appreciated. Thank you!
答案1
得分: 2
感谢 @miken32 指向了 https://www.php.net/manual/en/context.ssl.php 资源,我已成功解决了我的问题。因此,我认为我应该将它作为答案发布。
private function createSocketConnection($host, $port){// 创建带有客户端证书的安全 SSL/TLS 上下文$contextOptions = ['ssl' => ['local_cert' => '/filepath/public_cert.pem','cafile' => '/filepath/server_cert.pem','verify_peer' => true,'verify_peer_name' => true,'allow_self_signed' => true,],];$context = stream_context_create($contextOptions);// 创建一个 TCP/IP 套接字连接$socket = stream_socket_client("tcp://$host:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);if ($socket === false) {throw new Exception("Failed to create socket: [$errno] $errstr");}return $socket;}
通过这种方式,我已成功建立了与服务器的 SSL 连接。还值得注意的是,当使用 stream_socket_client() 连接套接字时,旧的方法如 socket_write、socket_read 和 socket_close 将不再起作用。我将它们分别更改为 fwrite、fread 和 fclose。
英文:
Thank you @miken32 for pointing me to the resource https://www.php.net/manual/en/context.ssl.php I have been able to resolve my issue. Hence, I thought I should post it as an answer
private function createSocketConnection($host, $port){// Create a secure SSL/TLS context with client certificates$contextOptions = ['ssl' => ['local_cert' => '/filepath/public_cert.pem','cafile' => '/filepath/server_cert.pem','verify_peer' => true,'verify_peer_name' => true,'allow_self_signed' => true,],];$context = stream_context_create($contextOptions);// Create a TCP/IP socket connection$socket = stream_socket_client("tcp://$host:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);if ($socket === false) {throw new Exception("Failed to create socket: [$errno] $errstr");}return $socket;}
With this, I have successfully established an SSL connection to the server. It is also good to note that when using stream_socket_client() to connect to the socket, old methods like socket_write, socket_read, and socket_close will no longer work. I changed them to fwrite, fread and fclose respectively
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论