Trying to get PHP streams working with Thawte TLS RSA CA G1 - internal error

I am trying to get PHP to accept a certificate which Chrome accepts.

I created the following minimal reproducing example:

    <?php

    echo OPENSSL_VERSION_TEXT;

    require 'vendor/autoload.php';
    $fetch = new \ParagonIE\Certainty\RemoteFetch('/tmp/'); // fetch the CA bundle, using /tmp/ as storage
    $latestBundle = $fetch->getLatestBundle();

    $context = stream_context_create(
        [
            'ssl' => array(
                'cafile' => $latestBundle->getFilePath(), // verify against the fetched bundle
                'SNI_enabled' => true,
            )
        ]
    );

    $url = 'https://example.com:8080/x/y';

    echo file_get_contents($url . '?wsdl', false, $context);

I am using https://github.com/paragonie/certainty to get the latest CAcerts.

I get the following error

    OpenSSL 1.0.2g  1 Mar 2016
    PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
    error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error in /tmp/test/test.php on line 20
    PHP Warning:  file_get_contents(): Failed to enable crypto in /tmp/test/test.php on line 20
    PHP Warning:  file_get_contents(https://example.com:8080/x/y?wsdl): failed to open stream: operation failed in /tmp/test/test.php on line 20

What is going wrong here?

Unfortunately I cannot share the URL (it's behind a Firewall anyways).

Accessing it with curl --insecure works, but I would really like to properly verify the CA cert.

EDIT: SSLyze outputs this:

SCAN RESULTS FOR example.COM:8080 - >
 ------------------------------------------------------

 * TLSV1_1 Cipher Suites:
       Forward Secrecy                    OK - Supported
       RC4                                OK - Not Supported

     Preferred:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                                 256 bits                                                                  
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA                                     256 bits                                                                  
        TLS_DH_anon_WITH_AES_256_CBC_SHA                                 ANONYMOUS                                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                                 256 bits                                                                  
     Undefined - An unexpected error happened:
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA                  OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error


 * TLSV1 Cipher Suites:
       Forward Secrecy                    OK - Supported
       RC4                                OK - Not Supported

     Preferred:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                                 256 bits                                                                  
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA                                     256 bits                                                                  
        TLS_DH_anon_WITH_AES_256_CBC_SHA                                 ANONYMOUS                                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                                 256 bits                                                                  
     Undefined - An unexpected error happened:
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA                  OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error


 * Deflate Compression:
                                          OK - Compression disabled

 * Certificate Information:
     Content
       SHA1 Fingerprint:                  c2b3ce5b0905caa2ec5998aacf074f99cffb0207
       Common Name:                       example.com
       Issuer:                            Thawte TLS RSA CA G1
       Serial Number:                     10361996092389695445524615643169842847
       Not Before:                        2018-12-05 00:00:00
       Not After:                         2020-12-04 12:00:00
       Signature Algorithm:               sha256
       Public Key Algorithm:              RSA
       Key Size:                          2048
       Exponent:                          65537 (0x10001)
       DNS Subject Alternative Names:     ['example.com']

     Trust
       Hostname Validation:               OK - Certificate matches example.com
       Android CA Store (9.0.0_r3):       FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       iOS CA Store (11):                 FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Java CA Store (jre-10.0.2):        FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       macOS CA Store (High Sierra):      FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Mozilla CA Store (2018-08-23):     FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Windows CA Store (2018-08-04):     FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
       Received Chain:                    example.com
       Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Order:              OK - Order is valid
       Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)

     Extensions
       OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
       Certificate Transparency:          OK - 3 SCTs included

     OCSP Stapling
                                          NOT SUPPORTED - Server did not send back an OCSP response

 * OpenSSL CCS Injection:
                                          OK - Not vulnerable to OpenSSL CCS injection

 * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

 * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

 * Resumption Support:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  NOT SUPPORTED - TLS ticket not assigned.

 * Downgrade Attacks:
       TLS_FALLBACK_SCSV:                 VULNERABLE - Signaling cipher suite not supported

 * TLSV1_3 Cipher Suites:
      Server rejected all cipher suites.

 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed

 * TLSV1_2 Cipher Suites:
       Forward Secrecy                    OK - Supported
       RC4                                OK - Not Supported

     Preferred:
        TLS_RSA_WITH_AES_256_CBC_SHA                                     256 bits                                                                  
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA                                     256 bits                                                                  
        TLS_DH_anon_WITH_AES_256_CBC_SHA                                 ANONYMOUS                                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                                 256 bits                                                                  
     Undefined - An unexpected error happened:
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA                  OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error


 * Session Renegotiation:
       Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
       Secure Renegotiation:              OK - Supported

 * ROBOT Attack:
                                          OK - Not vulnerable


 SCAN COMPLETED IN 9.31 S

The internal error is resolved like this:

    $context = stream_context_create(
        [
            'ssl' => array(
                'cafile' => $latestBundle->getFilePath(),
                'SNI_enabled' => true,
                'ciphers' => 'HIGH:TLSv1.2:TLSv1.1:TLSv1.0:SSLv3:SSLv2',
                'verify_peer' => false,      // certificate chain is not verified
                'verify_peer_name' => false, // host name is not checked
                'crypto_disable_compression' => true,
                'method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, // force TLS 1.2
                'verify_depth' => 10,
            )
        ]
    );

But still I cannot verify the CA cert.

In Chrome it works fine.

This is because Chrome does some workarounds, see https://security.stackexchange.com/questions/199963/certificate-works-in-chrome-firefox-but-not-with-curl-unable-to-get-local-is

So I have to wait until the chain is configured properly.
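
The scan above lists only example.com under "Received Chain", so the server is not sending the Thawte TLS RSA CA G1 intermediate. The following check is an added example, not code from the original post: it classifies a chain given as `openssl_x509_parse()`-style arrays, and every certificate field, URL and root name in it is constructed sample data.

```php
<?php
// Added example. Name matching below only locates the gap in the chain;
// it is not signature verification and must not replace verify_peer.

/** CA Issuers URL from a parsed certificate's AIA extension, or null. */
function caIssuersUrl(array $cert): ?string
{
    $aia = $cert['extensions']['authorityInfoAccess'] ?? '';
    return preg_match('/CA Issuers - URI:(\S+)/', $aia, $m) ? $m[1] : null;
}

/**
 * $sent: parsed certificates in the order the server sent them (leaf first).
 * $trustedSubjects: subject arrays of the roots in the CA bundle.
 */
function diagnoseChain(array $sent, array $trustedSubjects): array
{
    if ($sent === []) {
        return ['status' => 'no-certificates'];
    }
    // Each certificate must be issued by the next one in the list.
    for ($i = 0; $i + 1 < count($sent); $i++) {
        if ($sent[$i]['issuer'] != $sent[$i + 1]['subject']) {
            return ['status' => 'broken-link', 'after' => $sent[$i]['subject']['CN'] ?? '?'];
        }
    }
    $last = $sent[count($sent) - 1];
    // The chain is usable only if its top is issued by (or is) a trusted root.
    if (in_array($last['issuer'], $trustedSubjects) || in_array($last['subject'], $trustedSubjects)) {
        return ['status' => 'complete'];
    }
    return [
        'status'  => 'missing-issuer',
        'issuer'  => $last['issuer']['CN'] ?? '?',
        'aia_url' => caIssuersUrl($last), // where AIA-fetching clients look for it
    ];
}

// Constructed input mirroring the scan: the server sends only the leaf.
$leaf = [
    'subject'    => ['CN' => 'example.com'],
    'issuer'     => ['CN' => 'Thawte TLS RSA CA G1'],
    'extensions' => ['authorityInfoAccess' =>
        "OCSP - URI:http://ocsp.ca.invalid\nCA Issuers - URI:http://ca.invalid/intermediate.crt\n"],
];
$roots = [['CN' => 'Constructed Root CA']];

print_r(diagnoseChain([$leaf], $roots)); // status: missing-issuer
```

For a live server, the input can be built from the `capture_peer_cert_chain` context option by passing each entry of `peer_certificate_chain` to `openssl_x509_parse()`.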
