
I'm trying to open a TLS connection using this code:

<?php

// CA file the server's certificate is checked against (the file the question asks about)
$cafile = '/var/www/html/mosquitto/cert.pem';

// TLS context: verify the peer's name and use $cafile as the trust anchor
$socketContext = stream_context_create(["ssl" => [
    "verify_peer_name" => true,
    "cafile" => $cafile
]]);

// Open a TLS connection to the broker (MQTT over TLS, port 8883) with a 60 s timeout
$socket = stream_socket_client("tls://xx.xx.xx.xx:8883", $errno, $errstr, 60, STREAM_CLIENT_CONNECT, $socketContext);

if (!$socket) {
    print("Error: " . $errstr);
    return false;
} else {
    print("Connection Opened");
}

?>

Nginx error log:

2018/02/08 17:40:28 [error] 1331#1331: *658 FastCGI sent in stderr: "PHP message: PHP Warning:  stream_socket_client(): SSL operation $
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /var/www/html/test.php on line 10
PHP message: PHP Warning:  stream_socket_client(): Failed to enable crypto in /var/www/html/test.php on line 10
PHP message: PHP Warning:  stream_socket_client(): unable to connect to tls://xx.xx.xx.xx:8883 (Unknown error) in /var/www/html/test.$

This always ends up in the error branch (!$socket), but without any error string; it's just "Error:". How can I fix this issue? I'm speculating that the cert.pem file may be the issue. What file do I need to put there?

Thanks!

  • Nothing in the server logs? Commented Feb 8, 2018 at 12:22
  • @JulienLachal question updated. Commented Feb 8, 2018 at 12:30

1 Answer

How can I fix this issue?

That's going to be very hard until you know what the issue is.

Clearly tackling the problem using stream_socket_client is not working and is not giving you any useful diagnostic information. You need to break down what this call is doing and test each part in isolation.

Does 'xx.xx.xx.xx' represent an IP address or a hostname? If it's the latter, you may have issues with resolution. Try dns_get_record(). If it's the former, how do you expect to validate the subject of the certificate?

Can you connect on port 8883? Try fsockopen().

Is SSL working?

  • Can you negotiate a cipher?
  • Is the certificate valid?
  • Is the certificate signed by a CA in your certs.pem file?

You can check these from the command line with openssl s_client.

Update

From your edit: certificate verify failed - see the note above regarding IP address and certificate validation.

3 Comments

xx.xx.xx.xx is the IP. I can connect on port 8883 using python. SSL seems to working everywhere else. Certificate details: Let's Encrypt Authority X3 Identity: Let's Encrypt Authority X3 Verified by: DST Root CA X3 Expires: Wednesday 17 March 2021
With this certificate two more files were issued, one is private key and other is domain identification. Do I have to use those too?
NO - PLEASE GO READ UP ON HOW SSL WORKS. You cannot validate an IP address using a certificate. The private key MUST NEVER BE EXPOSED to clients. The PEM file you validate the connection against is that containing the CA, not the server certificate. You need a basic understanding of how the technology works before you can start developing against it.
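The following is an added example, not the question's script nor code from the answerer: it applies the answer's advice to test each step in isolation, and the comment's point that the PEM file must hold the CA and that an IP address cannot be matched against the certificate. The hostname mqtt.example.org, the CA bundle path /etc/ssl/certs/ca-certificates.crt and the IP placeholder are assumptions; substitute the DNS name the certificate was actually issued for and the file that contains its issuing CA chain.

```php
<?php
// Added example (not from the original question or answer): diagnose a failing
// tls:// connection step by step. $ip, $hostname and $cafile are assumptions.
declare(strict_types=1);

$ip       = 'xx.xx.xx.xx';                        // broker address, as in the question
$port     = 8883;
$hostname = 'mqtt.example.org';                   // assumed: DNS name the certificate was issued for
$cafile   = '/etc/ssl/certs/ca-certificates.crt'; // assumed: CA bundle that contains the issuer's root

// Step 1: plain TCP, no TLS. A failure here is network/firewall, not certificates.
$sock = stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr, 10);
if ($sock === false) {
    fwrite(STDERR, "TCP connect failed: [{$errno}] {$errstr}\n");
    exit(1);
}
echo "TCP connect OK\n";

// Step 2: upgrade the same socket to TLS with explicit verification settings.
//   verify_peer       - validate the chain against $cafile (the CA, never the server cert or key)
//   verify_peer_name  - match the certificate's SAN/CN against peer_name
//   peer_name         - required when dialing by IP: the cert names a host, not an address;
//                       PHP also sends it as SNI so the server picks the right certificate
//   capture_peer_cert - keep the leaf certificate so we can print what the server sent
stream_context_set_option($sock, 'ssl', 'verify_peer', true);
stream_context_set_option($sock, 'ssl', 'verify_peer_name', true);
stream_context_set_option($sock, 'ssl', 'cafile', $cafile);
stream_context_set_option($sock, 'ssl', 'peer_name', $hostname);
stream_context_set_option($sock, 'ssl', 'capture_peer_cert', true);

// stream_socket_client() leaves $errstr empty on TLS failures (as the question shows);
// the real reason only surfaces as a PHP warning, so collect those with a handler.
$tlsWarnings = [];
set_error_handler(function (int $no, string $msg) use (&$tlsWarnings): bool {
    $tlsWarnings[] = $msg;
    return true;
});
$ok = stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
restore_error_handler();

if ($ok !== true) {
    echo "TLS handshake failed:\n";
    foreach ($tlsWarnings as $w) {
        echo "  {$w}\n";
    }
    fclose($sock);
    exit(1);
}
echo "TLS handshake OK\n";

// Step 3: show what was verified, so a mismatch between peer_name and the SAN list is obvious.
$opts = stream_context_get_options($sock);
$cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
echo "Subject : {$cert['name']}\n";
echo "Issuer  : " . ($cert['issuer']['CN'] ?? '?') . "\n";
echo "SAN     : " . ($cert['extensions']['subjectAltName'] ?? '(none)') . "\n";
echo "Expires : " . date('c', $cert['validTo_time_t']) . "\n";

fclose($sock);
```

Run it from the command line rather than behind nginx/FastCGI so the warnings are printed to the terminal instead of being truncated in the error log. If step 1 fails, the certificate is irrelevant; if step 2 fails with "certificate verify failed", either $cafile does not contain the issuing CA or the SAN printed in step 3 (after a successful run against the right hostname) does not match what you put in peer_name. Never set verify_peer to false to make the error go away: that silently accepts any certificate, including an attacker's.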
