Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.6.0

Bug #20462 Can't select HTTPS protocol
Submitted: 2014-12-13 05:36 UTC
From: miken32 Assigned: avb
Status: Closed Package: HTTP_Request2 (version 2.2.1)
PHP Version: 5.5.19 OS: OS X
Roadmaps: (Not assigned)    
Subscription  


 [2014-12-13 05:36 UTC] miken32 (Michael Newton)
Description: ------------ Trying to connect to a secure site that only implemented TLS, and kept getting errors. Had to hack your code to make the URI protocol tls:// instead of ssl:// This should probably be a configurable feature, and should probably default to TLS, in this post-POODLE era.

Comments

 [2014-12-21 02:41 UTC] avb (Alexey Borzov)
-Status: Open +Status: Feedback
Please provide the site's address so that I can test this.
 [2014-12-23 07:49 UTC] miken32 (Michael Newton)
Like I said, any site not running SSL. Which is a lot more lately, and will continue to be more and more. Hopefully within a year or two there will be very few SSL sites left. $req = new HTTP_Request2("https://sni.velox.ch"); try { $resp = $req->send(); } catch (HTTP_Request2_Exception $e) { echo $e->getMessage(); } Unable to connect to ssl://sni.velox.ch:443. Error: stream_socket_client(): unable to connect to ssl://sni.velox.ch:443 (Unknown error) stream_socket_client(): Failed to enable crypto stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
 [2014-12-24 03:13 UTC] miken32 (Michael Newton)
Sorry, was in too much of a hurry, that's a certificate error. Here is the proper test code: <?php require_once("HTTP/Request2.php"); $req = new HTTP_Request2("https://pie.primus.ca/"); $req->setConfig(["ssl_verify_peer"=>false]); try { $resp = $req->send(); } catch (HTTP_Request2_Exception $e) { echo $e->getMessage(); } echo $resp->getHeader("Content-Length"); ?> Output looks like this: Unable to connect to ssl://pie.primus.ca:443. Error: stream_socket_client(): unable to connect to ssl://pie.primus.ca:443 (Unknown error) stream_socket_client(): Failed to enable crypto After changing Adapter/Socket.php to use tls:// instead of ssl:// it looks like this: 8261
 [2015-06-20 21:28 UTC] avb (Alexey Borzov)
-Status: Feedback +Status: Assigned -Assigned To: +Assigned To: avb
Cannot reproduce the problem, suspect it is something related to a particular version of OpenSSL on OS X. If I test with PHP 5.5 on Windows, connecting to https://www.howsmyssl.com/ gives me TLS 1.0 if I change the connection string to 'tls://' and TLS 1.2 if I leave it as is. Go figure. That being said, HTTP_Request2_SocketWrapper::enableCrypto() falls back to insecure SSL protocol versions and 'ssl' options when connecting should be updated to contain 'ciphers' key with secure ciphers setup.
 [2015-06-20 21:29 UTC] avb (Alexey Borzov)
Forgot to add: connection to https://pie.primus.ca/ works with either 'ssl://' or 'tls://'
 [2016-02-08 04:00 UTC] gauthierm (Michael Gauthier)
Tested trunk on OS X 10.11.2 (El Capitan). PHP 5.5.30 (cli) (built: Oct 23 2015 17:21:45) OpenSSL Library Version => OpenSSL 0.9.8zg 14 July 2015 The test script runs without error with no change to code. At time of test, pie.primus.ca supported TLS 1.2, TLS 1.1 and TLS 1.0. It did not support SSL 2 or SSL 3: https://www.ssllabs.com/ssltest/analyze.html?d=pie.primus.ca
 [2016-02-08 04:08 UTC] gauthierm (Michael Gauthier)
Tested trunk on OS X 10.11.2 (El Capitan). PHP 5.5.30 (cli) (built: Oct 23 2015 17:21:45) OpenSSL Library Version => OpenSSL 0.9.8zg 14 July 2015 Requesting https://www.howsmyssl.com/a/check with HTTP_Request2 uses TLS 1.0 regardless of specifying 'tls://' or 'ssl://' in the socket adapter. If I explicitly use the curl adapter, TLS 1.2 is used.
 [2016-02-13 11:03 UTC] avb (Alexey Borzov)
-Status: Assigned +Status: Closed
Fixed in Git. I changed the connection string to 'tls://' from 'ssl://' since this will prevent fallback to insecure SSL versions and as there is no reliable way to set required TLS version in PHP below 5.6 (see my comment from 2015-06-20 for an unreliable way).