dthl8036
2016-02-22 15:31
Views 246
Accepted

fsockopen: certificate verification fails when connecting to an ssl:// IMAP server

I'm trying to connect to ssl:// imap through a php script using fsockopen().

Server: CentOS Linux release 7.1.1503

Apache: Apache/2.4.6

PHP: PHP 5.6.17

<?php
$host = "ssl://mail.example.com";
$port = 993;
echo "Connecting with " . $host . " port " . $port;
$socket = fsockopen($host, $port, $errno, $errstr, 30);
if (!$socket) {
    echo "Connection failed";
    return false; // stop here: calling fgets() on a boolean only adds a second warning
}

$line = fgets($socket); // IMAP greeting line ("* OK ...")

return $line;

I'm receiving this error:

Connecting with ssl://mail.example.com port 993PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in imapProtocols/imap.php on line 7

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in imapProtocols/imap.php on line 7

PHP Warning:  fsockopen(): Failed to enable crypto in imapProtocols/imap.php on line 7

Warning: fsockopen(): Failed to enable crypto in /home/bmarszal/imapProtocols/imap.php on line 7

PHP Warning:  fsockopen(): unable to connect to ssl://mail.example.com:993 (Unknown error) in imapProtocols/imap.php on line 7

Warning: fsockopen(): unable to connect to ssl://mail.example.com:993 (Unknown error) in imapProtocols/imap.php on line 7
Connection failedPHP Warning:  fgets() expects parameter 1 to be resource, boolean given in imapProtocols/imap.php on line 11

Warning: fgets() expects parameter 1 to be resource, boolean given in imapProtocols/imap.php on line 11

This is my php.ini configuration related to SSL:

$php -i |grep ssl
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2
openssl
Openssl default config => /etc/pki/tls/openssl.cnf
openssl.cafile => /etc/ssl/certs/ca-bundle.trust.crt => /etc/ssl/certs/ca-bundle.trust.crt
openssl.capath => /etc/ssl/certs/ => /etc/ssl/certs/

And for capital SSL:

$php -i |grep SSL
SSL => Yes
SSL Version => NSS/3.15.4
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013
Native OpenSSL support => enabled

But when I try to connect to this same server using the openSSL client I receive an OK response with a few errors. I resolved these errors by adding CA certs. Then I receive this output from the openssl client:

openssl s_client -connect imap.exaple.com:993
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Hosted by Allenta Consulting, OU = PositiveSSL Wildcard, CN = *.exaple.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by Allenta Consulting/OU=PositiveSSL Wildcard/CN=*.example.
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by Allenta Consulting/OU=PositiveSSL Wildcard/CN=*.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1718 bytes and written 573 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : AES256-SHA
Session-ID:  5B621F5347861FCE91811F4BA5C2CA8DA7D73D493791BE7491DEF0CCB714C1AD
Session-ID-ctx: 
Master-Key: 7DE0349D9057174C6C2DF9924F14CDB6FD7A35FDDB3FC0F128BF04CD2EA0852CAD1E8BBABF24854D4CC2FDF69C947DB7
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket: (hex dump omitted)

Start Time: 1456230737
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAP4 Ready 212.160.140.206 0001dd1c

I'm aware of the issue "SSL error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed", but I need to solve this problem using fsockopen().

I replaced sensitive company data with 'example'; it looks like: imap.company.com

1 answer

  • dongmu6225
    dongmu6225 2016-02-23 15:24
    Accepted

    The problem in this was related to the CA certs that come from the server. When I use the openSSL client to connect to the imap server I receive an OK response because openSSL ignores the CA cert warnings. It seems that PHP doesn't ignore these warnings. We have to ensure that we have valid CA certs from COMODO RSA Domain Validation Secure Server CA.

    I had to import the cert from this page and add it to our global certs. After this change I could run fsockopen() without error.
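The connection the question and the accepted answer describe, as an added example that is not the poster's code: it opens the IMAP TLS session the way fsockopen("ssl://...") does but via stream_socket_client() with an explicit context, keeps certificate verification enabled, points PHP at the CA bundle shown in the question's php -i output, and prints the chain the server sent so a missing intermediate is visible. The hostname is a placeholder and the code is written for the PHP 5.6 in the question.

```php
<?php
// Added example, not the poster's code: connect to an IMAP server over TLS the
// way fsockopen("ssl://...") does, but through stream_socket_client() with an
// explicit context so verification stays ON and uses a known CA bundle.
// Written for the PHP 5.6 in the question; host is a placeholder, the bundle
// path is the one shown in the question's php -i output.

function imapTlsGreeting($host, $port, $caBundle)
{
    $context = stream_context_create(array('ssl' => array(
        'verify_peer'             => true,  // do not set false to "fix" the error
        'verify_peer_name'        => true,
        'allow_self_signed'       => false,
        'cafile'                  => $caBundle,
        'peer_name'               => $host, // name the certificate must match
        'capture_peer_cert_chain' => true,  // lets us see what the server sent
    )));

    $socket = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 30,
        STREAM_CLIENT_CONNECT, $context);

    if ($socket === false) {
        // Stop here instead of calling fgets() on a boolean (the question's 2nd warning).
        fwrite(STDERR, "Connection failed ($errno): $errstr\n");
        while (($msg = openssl_error_string()) !== false) {
            fwrite(STDERR, "  openssl: $msg\n"); // e.g. certificate verify failed
        }
        return null;
    }

    // Print the chain the server actually presented. If only the leaf is
    // listed and its issuer is an intermediate CA, PHP can verify it only when
    // that intermediate is in $caBundle, which is what the accepted answer fixed.
    $opts = stream_context_get_options($context);
    if (isset($opts['ssl']['peer_certificate_chain'])) {
        foreach ($opts['ssl']['peer_certificate_chain'] as $depth => $cert) {
            $info = openssl_x509_parse($cert);
            fprintf(STDERR, "depth=%d subject=%s issuer=%s\n", $depth,
                $info['name'], isset($info['issuer']['CN']) ? $info['issuer']['CN'] : '?');
        }
    }

    $greeting = fgets($socket); // IMAP sends "* OK ..." first
    fclose($socket);
    return $greeting === false ? null : rtrim($greeting);
}

$line = imapTlsGreeting('imap.example.com', 993, '/etc/ssl/certs/ca-bundle.trust.crt');
echo ($line === null) ? "no greeting\n" : "$line\n";
```

Disabling verify_peer would also make the warning go away, but it leaves the connection open to an interposed server; adding the missing intermediate to the bundle, as the answer did, keeps verification intact.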
