Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.3.0

Doc Bug #19351 SSL certificate validation
Submitted: 2012-03-26 22:45 UTC
From: till Assigned: avb
Status: Closed Package: HTTP_Request2 (version 2.0.0)
PHP Version: 5.3.8 OS:
Roadmaps: (Not assigned)    
Subscription  


 [2012-03-26 22:45 UTC] till (Till Klampaeckel)
Description: ------------ Hi, I ran into another issue – basically, I'm connecting with HTTP_Request2 to a remote ssl-server. The exception contains "unknown error" (Line 324, in the socket adapeter). When I execute the code in a test-script, I get the following error instead: int(-1138572888) string(98) "Unable to find the socket transport "https" - did you forget to enable it when you configured PHP?" ($errno and $errstr from stream_socket_client, dumped). So the error is a configuration issue, but what I mean is: Could the correct error message be exposed with HTTP_Request2? Would save some time debugging.

Comments

 [2012-03-26 22:47 UTC] avb (Alexey Borzov)
-Status: Open +Status: Feedback
Can you please test with current SVN version? Fix for bug #19337 should have addressed this, exception message should now contain all warnings produced by stream_socket_client() (there may be several).
 [2012-03-26 22:59 UTC] till (Till Klampaeckel)
I think my previous comment made no sense since the wrapper is 'ssl://' not 'https://', my mistake, but I'm still debugging the issue: My remote is: https://metrics-api.librato.com/ In HTTP_Request2, this is turned into this: 'ssl://metrics-api.librato.com:443'. I came up with this test script: <?php $ctx = stream_context_create(array( 'http' => array( 'ignore_errors' => true, ), 'ssl' => array( 'CN_match' => "metrics-api.librato.com", 'verify_peer' => true, ), )); $remote = 'ssl://metrics-api.librato.com:443'; ini_set('track_errors', 1); $socket = stream_socket_client($remote, $errno, $errstr, 2); var_dump($socket); var_dump($errno, $errstr); if (isset($php_errormsg)) { var_dump($php_errormsg); } This seems to set the same SSL-options HTTP_Request2 sets, but with HTTP_Request2 I get an "unknown error" which I cannot reproduce with this script. Do you have any idea how I could debug this further?
 [2012-03-26 22:59 UTC] till (Till Klampaeckel)
I'll check out trunk in the meantime.
 [2012-03-26 23:14 UTC] till (Till Klampaeckel)
OK, trunk is very verbose! I like that! I checked out HTTP_Request2-trunk into my vendor dir and prepended it to the include_path. This is the output: Fatal error: Uncaught HTTP_Request2_ConnectionException: Unable to connect to ssl://metrics-api.librato.com:443. Error: stream_socket_client(): unable to connect to ssl://metrics-api.librato.com:443 (Unknown error) stream_socket_client(): Failed to enable crypto stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /path/vendor/HTTP_Request2/HTTP/Request2/Adapter/Socket.php on line 163 #0 /path/vendor/HTTP_Request2/HTTP/Request2/Adapter/Socket.php(163): HTTP_Request2_Adapter_Socket->connect() #1 /path/vendor/HTTP_Request2/HTTP/Request2.php(943): HTTP_Request2_Adapter_Socket->sendRequest(Object(HTTP_Request2)) #2 /path/test.php(27): HTTP_Request2->send() #3 {main} thrown in /path/vendor/HTTP_Request2/HTTP/Request2/Adapter/Socket.php on line 337 Any idea which opens cause this to fail from within HTTP_Request2 when my simple stream_socket_client() which verifies as well doesn't error?
 [2012-03-26 23:23 UTC] avb (Alexey Borzov)
I see creation of $ctx in your code, but I don't see it being used in stream_socket_client() call.
 [2012-03-26 23:26 UTC] till (Till Klampaeckel)
From Googling it seems like I'm not the first to run into this (and open a bug ;)). The error in regard to 'socket' is in verifying the SSL cert. But I'm not sure why the defaults in cURL work and in socket they do not. You previously suggest on another issue to set the ssl_capath- and ssl_cafile-options. I'm still trying to figure out what these default with cURL too, but I can't figure out where these are kept. When I $req->setAdapter('curl') - it works instantly. Shouldn't both adapters yield the same result?
 [2012-03-27 00:29 UTC] avb (Alexey Borzov)
-Summary: stream_socket_client +Summary: SSL certificate validation -Status: Feedback +Status: Open -Type: Bug +Type: Documentation Problem
Well, locally (on Windows) both adapters do yield the same result as both fail to validate server certificate. :] If I download cacert.pem from http://curl.haxx.se/docs/caextract.html and pass it as ssl_cafile, both of them succeed. If you learn something useful about defaults, I'll gladly put that into the docs.
 [2012-09-20 21:41 UTC] till (Till Klampaeckel)
I would put a note on SSL into the docs – especially for the ext/socket adapter. I think that's all. Otherwise – feel free to close this as it's a non-issue and configuration/OS-env related.
 [2014-01-15 15:01 UTC] avb (Alexey Borzov)
-Status: Open +Status: Closed -Assigned To: +Assigned To: avb
Documented the need to explicitly provide cafile and differences between Curl and Socket adapters.