After upgrading to PHP 5.6 I get an error when trying to connect to a server via fsockopen()
The certificate on the server (host) is self-signed
You mention the certificate is self-signed (by you)? Then you have two choices:
cacert.pem from cURL website won't do anything, since it's self-signed)
Here's a list of SSL context options in PHP: https://secure.php.net/manual/en/context.ssl.php
Set allow_self_signed if you import your certificate into your trust store, or set verify_peer to false to skip verification.
The reason why we trust a specific certificate is because we trust its issuer. Since your certificate is self-signed, no client will trust the certificate as the signer (you) is not trusted. If you created your own CA when signing the certificate, you can add the CA to your trust store. If your certificate doesn't contain any CA, then you can't expect anyone to connect to your server.
The file that you downloaded (http://curl.haxx.se/ca/cacert.pem) is a bundle of the root certificates from the major trusted certificate authorities. You said that the remote host has a self-signed SSL certificate, so it didn't use a trusted certificate. The openssl.cafile setting needs to point to the CA certificate that was used to sign the SSL certificate on the remote host. PHP 5.6 has been improved over previous versions of PHP to now verify peer certificates and host names by default (http://php.net/manual/en/migration56.openssl.php).
You'll need to locate the CA certificate that was generated on the server that signed the SSL certificate and copy it to this server. The only other option is to disable verifying the peer, but that defeats the SSL security. If you DO want to try disabling verification, try this array with the code from my previous answer:
$contextOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false
    )
);
Either way, if you're using self-signed certificates, you'll need to add the CA cert that was used to sign the remote host's SSL certificate to the trusted store on the server you're connecting from OR use stream contexts to use that certificate for each individual request. Adding it to the trusted certificates is the simplest solution. Just add the contents of the remote host's CA cert to the end of the cacert.pem file you downloaded.
Previous:
fsockopen doesn't support stream contexts, so use stream_socket_client instead. It returns a resource that can be used with all the commands that fsockopen resources can.
This should be a drop in replacement for the snippet you have in your question:
<?php
$contextOptions = array(
    'ssl' => array(
        'verify_peer' => true, // You could skip all of the trouble by changing this to false, but it's WAY uncool for security reasons.
        'cafile' => '/etc/ssl/certs/cacert.pem',
        'CN_match' => 'example.com', // Change this to your certificate's Common Name (or just comment this line out if not needed)
        'ciphers' => 'HIGH:!SSLv2:!SSLv3',
        'disable_compression' => true,
    )
);
$context = stream_context_create($contextOptions);
// The 'ssl' options above take effect only on an ssl:// or tls:// transport (or after stream_socket_enable_crypto()).
$fp = stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, 20, STREAM_CLIENT_CONNECT, $context);
if (!$fp) {
    echo "$errstr ({$errno})<br />\n";
} else {
    $this->request = 'POST '.substr($this->url, strlen($this->host)).' HTTP/1.1'.$crlf
        .'Host: '.$this->host.$crlf
        .'Content-Length: '.$content_length.$crlf
        .'Connection: Close'.$crlf.$crlf
        .$body;
    fwrite($fp, $this->request);
    while (!feof($fp)) {
        $this->response .= fgets($fp);
    }
    fclose($fp);
}
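The per-connection approach described above (trusting the signing CA through a stream context instead of turning verification off), as an added example that is not part of the original answers. The host name, port and CA file path are placeholders, and the function names are made up for this illustration.

```php
<?php
// Added example: verified TLS connection to a host whose certificate was
// signed by a private CA. All names and paths here are assumptions.

function connectWithPrivateCa($host, $port, $caFile, $timeout = 20)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: {$caFile}");
    }
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'         => true,    // chain must lead to $caFile
            'verify_peer_name'    => true,    // certificate must match the host
            'peer_name'           => $host,   // PHP 5.6+ name-check option
            'cafile'              => $caFile, // the CA that signed the server cert
            'capture_peer_cert'   => true,    // keep the peer cert for logging
            'disable_compression' => true,
        ),
    ));
    // ssl:// makes PHP negotiate TLS and apply the 'ssl' context options.
    $fp = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        // Verification failures often leave $errstr empty; the detail is in
        // the suppressed warning, which error_get_last() still exposes.
        $last = error_get_last();
        $detail = $errstr !== '' ? $errstr : ($last ? $last['message'] : 'unknown error');
        throw new RuntimeException("TLS connect failed: {$detail} ({$errno})");
    }
    return $fp;
}

// SHA-256 fingerprint of the certificate the server presented, for audit logs.
function peerFingerprint($fp)
{
    $params = stream_context_get_params($fp);
    return openssl_x509_fingerprint($params['options']['ssl']['peer_certificate'], 'sha256');
}

// Runs only when this file is executed directly; the values are placeholders.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    try {
        $fp = connectWithPrivateCa('internal.example.com', 443, '/etc/ssl/certs/my-private-ca.pem');
        echo 'Verified peer, SHA-256: ', peerFingerprint($fp), "\n";
        fclose($fp);
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
    }
}
```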
Add
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);
before
$mail->send()
and replace
require "mailer/class.phpmailer.php";
with
require "mailer/PHPMailerAutoload.php";