fsockopen,连接 ssl://imap 服务器时证书验证失败
fsockopen, certificate verify failed while connecting ssl://imap server
我正在尝试使用 fsockopen()
通过 php 脚本连接到 ssl:// imap
Server: CentOS Linux release 7.1.1503
Apache: Apache/2.4.6
PHP: PHP 5.6.17
$host = "ssl://mail.example.com";
$port = 993;
echo "Connecting with " . $host . "o port " . $port;
$socket = fsockopen($host, $port, $errno, $errstr, 30);
if (!$socket) {
echo "Connection failed";
}
$line = fgets($socket);
return $line;
收到此错误:
Connecting with ssl://mail.example.com port 993PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in imapProtocols/imap.php on line 7
Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in imapProtocols/imap.php on line 7
PHP Warning: fsockopen(): Failed to enable crypto in imapProtocols/imap.php on line 7
Warning: fsockopen(): Failed to enable crypto in /home/bmarszal/imapProtocols/imap.php on line 7
PHP Warning: fsockopen(): unable to connect to ssl://mail.example.com:993 (Unknown error) in imapProtocols/imap.php on line 7
Warning: fsockopen(): unable to connect to ssl://mail.example.com:993 (Unknown error) in imapProtocols/imap.php on line 7
Connection failedPHP Warning: fgets() expects parameter 1 to be resource, boolean given in imapProtocols/imap.php on line 11
Warning: fgets() expects parameter 1 to be resource, boolean given in imapProtocols/imap.php on line 11
这是我的 php.ini 相关的 SSL 配置:
$php -i |grep ssl
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2
openssl
Openssl default config => /etc/pki/tls/openssl.cnf
openssl.cafile => /etc/ssl/certs/ca-bundle.trust.crt => /etc/ssl/certs/ca-bundle.trust.crt
openssl.capath => /etc/ssl/certs/ => /etc/ssl/certs/
对于资本 SSL
$php -i |grep SSL
SSL => Yes
SSL Version => NSS/3.15.4
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013
Native OpenSSL support => enabled
但是当我尝试使用 openSSL 客户端连接到同一台服务器时,我收到了 OK 响应,但几乎没有错误。我通过添加 CA 证书解决了这个错误。然后我从 openssl client
收到这个输出
openssl s_client -connect imap.exaple.com:993
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Hosted by Allenta Consulting, OU = PositiveSSL Wildcard, CN = *.exaple.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by Allenta Consulting/OU=PositiveSSL Wildcard/CN=*.example.
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by Allenta Consulting/OU=PositiveSSL Wildcard/CN=*.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1718 bytes and written 573 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 5B621F5347861FCE91811F4BA5C2CA8DA7D73D493791BE7491DEF0CCB714C1AD
Session-ID-ctx:
Master-Key: 7DE0349D9057174C6C2DF9924F14CDB6FD7A35FDDB3FC0F128BF04CD2EA0852CAD1E8BBABF24854D4CC2FDF69C947DB7
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - ea d4 d7 55 8c 93 8d 79-23 5b 2c 2a 4f bb d0 94 ...U...y#[,*O...
0010 - c3 00 d7 fd 33 52 76 48-45 3c cf 9e 54 2f 24 db ....3RvHE<..T/$.
0020 - 04 f6 f3 09 47 ba 5d 9a-c8 b8 8f 7e 98 5e 33 b0 ....G.]....~.^3.
0030 - c3 ab 71 1c f5 0e 03 fd-19 b8 be b7 8c f6 58 79 ..q...........Xy
0040 - 79 59 b6 a6 4e 97 0c 71-e1 61 ec c1 ff 41 0b 25 yY..N..q.a...A.%
0050 - 7a 5f ed 38 00 86 41 42-83 1c a4 c4 65 13 2d 19 z_.8..AB....e.-.
0060 - 73 3c ff cf be 90 43 c7-dc e4 04 0c 1b 78 57 a9 s<....C......xW.
0070 - 8d 22 5d c6 a6 61 0a f0-d6 04 ce 45 2e c7 88 f1 ."]..a.....E....
0080 - 9c 15 91 1a 90 03 08 74-7e b7 51 bc 08 47 7c 38 .......t~.Q..G|8
0090 - 47 62 3e 16 04 b1 58 de-c0 a1 b3 36 dc ca 42 f6 Gb>...X....6..B.
Start Time: 1456230737
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAP4 Ready 212.160.140.206 0001dd1c
我知道问题:SSL 错误 SSL3_GET_SERVER_CERTIFICATE:certificate 验证失败,但我需要使用 fsockopen()
解决这个问题
我用 'example' 替换敏感的公司数据,它看起来像:imap.company.com
这里的问题与来自服务器的 CA 证书有关。当我使用 openSSL 客户端连接到 imap 服务器时,我收到了 ok 响应,因为 openSSL 忽略了 CA 证书警告。 PHP 似乎没有忽略此警告。我们必须确保我们拥有来自 COMODO RSA 域验证安全服务器 CA 的有效 CA 证书。
我必须从此 page 导入证书并将其添加到我们的全球证书中。进行此更改后,我可以 运行 fsockopen() 而不会出错。
我正在尝试使用 fsockopen()
Server: CentOS Linux release 7.1.1503
Apache: Apache/2.4.6
PHP: PHP 5.6.17
$host = "ssl://mail.example.com";
$port = 993;
echo "Connecting with " . $host . "o port " . $port;
$socket = fsockopen($host, $port, $errno, $errstr, 30);
if (!$socket) {
echo "Connection failed";
}
$line = fgets($socket);
return $line;
收到此错误:
Connecting with ssl://mail.example.com port 993PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in imapProtocols/imap.php on line 7
Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in imapProtocols/imap.php on line 7
PHP Warning: fsockopen(): Failed to enable crypto in imapProtocols/imap.php on line 7
Warning: fsockopen(): Failed to enable crypto in /home/bmarszal/imapProtocols/imap.php on line 7
PHP Warning: fsockopen(): unable to connect to ssl://mail.example.com:993 (Unknown error) in imapProtocols/imap.php on line 7
Warning: fsockopen(): unable to connect to ssl://mail.example.com:993 (Unknown error) in imapProtocols/imap.php on line 7
Connection failedPHP Warning: fgets() expects parameter 1 to be resource, boolean given in imapProtocols/imap.php on line 11
Warning: fgets() expects parameter 1 to be resource, boolean given in imapProtocols/imap.php on line 11
这是我的 php.ini 相关的 SSL 配置:
$php -i |grep ssl
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2
openssl
Openssl default config => /etc/pki/tls/openssl.cnf
openssl.cafile => /etc/ssl/certs/ca-bundle.trust.crt => /etc/ssl/certs/ca-bundle.trust.crt
openssl.capath => /etc/ssl/certs/ => /etc/ssl/certs/
对于资本 SSL
$php -i |grep SSL
SSL => Yes
SSL Version => NSS/3.15.4
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013
Native OpenSSL support => enabled
但是当我尝试使用 openSSL 客户端连接到同一台服务器时,我收到了 OK 响应,但几乎没有错误。我通过添加 CA 证书解决了这个错误。然后我从 openssl client
收到这个输出openssl s_client -connect imap.exaple.com:993
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Hosted by Allenta Consulting, OU = PositiveSSL Wildcard, CN = *.exaple.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by Allenta Consulting/OU=PositiveSSL Wildcard/CN=*.example.
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by Allenta Consulting/OU=PositiveSSL Wildcard/CN=*.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1718 bytes and written 573 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 5B621F5347861FCE91811F4BA5C2CA8DA7D73D493791BE7491DEF0CCB714C1AD
Session-ID-ctx:
Master-Key: 7DE0349D9057174C6C2DF9924F14CDB6FD7A35FDDB3FC0F128BF04CD2EA0852CAD1E8BBABF24854D4CC2FDF69C947DB7
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - ea d4 d7 55 8c 93 8d 79-23 5b 2c 2a 4f bb d0 94 ...U...y#[,*O...
0010 - c3 00 d7 fd 33 52 76 48-45 3c cf 9e 54 2f 24 db ....3RvHE<..T/$.
0020 - 04 f6 f3 09 47 ba 5d 9a-c8 b8 8f 7e 98 5e 33 b0 ....G.]....~.^3.
0030 - c3 ab 71 1c f5 0e 03 fd-19 b8 be b7 8c f6 58 79 ..q...........Xy
0040 - 79 59 b6 a6 4e 97 0c 71-e1 61 ec c1 ff 41 0b 25 yY..N..q.a...A.%
0050 - 7a 5f ed 38 00 86 41 42-83 1c a4 c4 65 13 2d 19 z_.8..AB....e.-.
0060 - 73 3c ff cf be 90 43 c7-dc e4 04 0c 1b 78 57 a9 s<....C......xW.
0070 - 8d 22 5d c6 a6 61 0a f0-d6 04 ce 45 2e c7 88 f1 ."]..a.....E....
0080 - 9c 15 91 1a 90 03 08 74-7e b7 51 bc 08 47 7c 38 .......t~.Q..G|8
0090 - 47 62 3e 16 04 b1 58 de-c0 a1 b3 36 dc ca 42 f6 Gb>...X....6..B.
Start Time: 1456230737
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAP4 Ready 212.160.140.206 0001dd1c
我知道问题:SSL 错误 SSL3_GET_SERVER_CERTIFICATE:certificate 验证失败,但我需要使用 fsockopen()
我用 'example' 替换敏感的公司数据,它看起来像:imap.company.com
这里的问题与来自服务器的 CA 证书有关。当我使用 openSSL 客户端连接到 imap 服务器时,我收到了 ok 响应,因为 openSSL 忽略了 CA 证书警告。 PHP 似乎没有忽略此警告。我们必须确保我们拥有来自 COMODO RSA 域验证安全服务器 CA 的有效 CA 证书。
我必须从此 page 导入证书并将其添加到我们的全球证书中。进行此更改后,我可以 运行 fsockopen() 而不会出错。