Alex
Reputation: 35179
Trying to get PHP streams working with Thawte TLS RSA CA G1 - internal error
I try to get PHP accepting the a certificate which Chrome accepts.
I created the following minimal reproducing example:
echo OPENSSL_VERSION_TEXT;
require 'vendor/autoload.php';
$fetch = new \ParagonIE\Certainty\RemoteFetch('/tmp/');
$latestBundle = $fetch->getLatestBundle();
$context = stream_context_create(
[
'ssl' => array(
'cafile' => $latestBundle->getFilePath(),
'SNI_enabled' => true,
)
]
);
$url = 'https://example.com:8080/x/y';
echo file_get_contents($url . '?wsdl', false, $context);
I am using https://github.com/paragonie/certainty to get the latest CAcerts.
I get the following error
OpenSSL 1.0.2g 1 Mar 2016
PHP Warning: file_get_contents():
SSL operation failed with code 1. OpenSSL Error messages:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
internal error in /tmp/test/test.php on line 20
PHP Warning: file_get_contents(): Failed to enable crypto in
/tmp/test/test.php on line 20
PHP Warning: file_get_contents(https://example.com:8080/x/y?
wsdl): failed to open stream: operation failed in
/tmp/test/test.php on line 20
What is going wrong here?
Unfortunately I cannot share the URL (it's behind a Firewall anyways).
Accessing it with curl --insecure works - but I would really like to properly verify the CA cert
EDIT SSLyze outputs this:
SCAN RESULTS FOR example.COM:8080 - >
------------------------------------------------------
* TLSV1_1 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Accepted:
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_AES_256_CBC_SHA ANONYMOUS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Undefined - An unexpected error happened:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* TLSV1 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Accepted:
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_AES_256_CBC_SHA ANONYMOUS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Undefined - An unexpected error happened:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Deflate Compression:
OK - Compression disabled
* Certificate Information:
Content
SHA1 Fingerprint: c2b3ce5b0905caa2ec5998aacf074f99cffb0207
Common Name: example.com
Issuer: Thawte TLS RSA CA G1
Serial Number: 10361996092389695445524615643169842847
Not Before: 2018-12-05 00:00:00
Not After: 2020-12-04 12:00:00
Signature Algorithm: sha256
Public Key Algorithm: RSA
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: ['example.com']
Trust
Hostname Validation: OK - Certificate matches example.com
Android CA Store (9.0.0_r3): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
iOS CA Store (11): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Java CA Store (jre-10.0.2): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Mozilla CA Store (2018-08-23): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Windows CA Store (2018-08-04): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: example.com
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: OK - 3 SCTs included
OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* Resumption Support:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Tickets: NOT SUPPORTED - TLS ticket not assigned.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: VULNERABLE - Signaling cipher suite not supported
* TLSV1_3 Cipher Suites:
Server rejected all cipher suites.
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
Accepted:
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_AES_256_CBC_SHA ANONYMOUS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits
Undefined - An unexpected error happened:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA OpenSSLError - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Session Renegotiation:
Client-initiated Renegotiation: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* ROBOT Attack:
OK - Not vulnerable
SCAN COMPLETED IN 9.31 S
Upvotes: 1
Views: 473
Answers (1)
Alex
Reputation: 35179
The internal error is resolved like this:
$context = stream_context_create(
[
'ssl' => array(
'cafile' => $latestBundle->getFilePath(),
'SNI_enabled' => true,
'ciphers' => 'HIGH:TLSv1.2:TLSv1.1:TLSv1.0:SSLv3:SSLv2',
'verify_peer' => false,
'verify_peer_name' => false,
'crypto_disable_compression' => true,
'method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
'verify_depth' => 10,
)
]
);
But still I cannot verify the CA cert.
In Chrome it works fine.
This is because Chrome does some workarounds, see https://security.stackexchange.com/questions/199963/certificate-works-in-chrome-firefox-but-not-with-curl-unable-to-get-local-is
So I have to wait until the chain is configured properly.
Upvotes: 0
Related Questions
- "tlsv1 alert internal error" during handshake
- Unable to set private key file using TLS protocol with function stream_socket_client()
- TLS 1.2 not working in cURL
- stream_socket_client and server not working
- PHP Sockets with SSL / TLS - no suitable shared cipher could be used
- stream_context_create certificate verify failed
- PHP: TLS socket not setting up using stream_socket_client()
- OpenSSL with stream_socket_accept on PHP
- PHP handshake fail TLS1.0
- PHP stream socket not decrypting data