ID:               33192
User updated by:  justin dot d dot allen at gmail dot com
Reported By:      justin dot d dot allen at gmail dot com
Status:           Open
Bug Type:         Sockets related
Operating System: linux(slackware)
PHP Version:      5.0.4(latest snapshot)
New Comment:

so I added php_error_docref displays to the certfile and passphrase GET_VER_OPT sections of php_SSL_new_from_context and received no display from either. It seems that the variables aren't getting parsed, but truthfully, I'm hacking with very broad swings on that one... and, I haven't at all looked at the inner workings of the GET_VER_OPT macro.


Previous Comments:
------------------------------------------------------------------------

[2005-06-02 20:48:27] justin dot d dot allen at gmail dot com

crap... ignore that... forgot to change SSL_do_handshake() to SSL_connect() when I took out SSL_set_connect_state()... so I can connect using what seems to be the same connection method in C.

------------------------------------------------------------------------

[2005-06-02 20:12:48] justin dot d dot allen at gmail dot com

am also able to connect with c code

#include <iostream>
#include <string>
#include <cstdio>    // perror
#include <cstring>   // strncpy, strlen, memset
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>

// Hands OpenSSL the passphrase that was registered as callback userdata.
static int password_callback(char* buf, int num, int verify, void* data)
{
    strncpy(buf, (char*)(data), num);
    buf[num - 1] = '\0';
    return (strlen(buf));
}

int main()
{
    const char *certfile = "sec.pem";
    SSL_METHOD* meth;
    SSL_CTX* ctx;

    SSL_library_init();
    SSL_load_error_strings();
    meth = TLSv1_method();
    ctx = SSL_CTX_new(meth);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
    SSL_CTX_set_cipher_list(ctx, "DEFAULT");

    // The passphrase callback has to be registered before the key is
    // loaded, otherwise OpenSSL does not use it for this key.
    SSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)"qwerty");
    SSL_CTX_set_default_passwd_cb(ctx, password_callback);

    if (SSL_CTX_use_certificate_chain_file(ctx, certfile) != 1)
        perror("error loading cert");
    if (SSL_CTX_use_PrivateKey_file(ctx, certfile, SSL_FILETYPE_PEM) != 1)
        perror("error loading key");

    SSL* ssl = SSL_new(ctx);
    int sd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;
    memset(&sa, '\0', sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr("206.127.2.49");
    sa.sin_port = htons(1234);
    connect(sd, (struct sockaddr*) &sa, sizeof(sa));

    // getpeername() takes a pointer to the length, not the length itself
    socklen_t salen = sizeof(sa);
    getpeername(sd, (struct sockaddr*) &sa, &salen);

    SSL_set_fd(ssl, sd);
    SSL_set_connect_state(ssl);
    int state = SSL_do_handshake(ssl);
    if (state != 1) {
        SSL_get_error(ssl, state);
        ERR_print_errors_fp(stderr);
        return 0;
    }
    sleep(15);
    return 1;
}

which if I'm right in assuming

SSL *php_SSL_new_from_context(SSL_CTX *ctx, php_stream *stream TSRMLS_DC)

in /ext/openssl/openssl.c is the context creator should be logically the same thing.

actually I looked at the methods and if I take out the SSL_set_connect_state() and switch the method to TLSv1_client_method() I get the errors out of C... so it looks like it's in my openssl libraries... I'm running 0.9.7g, which is the latest stable... I'll try the snapshot and see if that helps... I'll let you know if it does but after that, if it doesn't, I'll probably bug openSSL about it cause it seems to be their deal...

I will say my workaround (which I had previously thought was just different syntax) worked for me in C... but I can see where you would want to keep all CTX settings in php_SSL_new_from_context and not put them in php_openssl_setup_crypto where you set up the methods... it's a lot cleaner that way

------------------------------------------------------------------------

[2005-06-01 00:35:48] justin dot d dot allen at gmail dot com

installed php5-latest.tar.gz

am now getting the same error from server but error from client is the same SSL error with added warnings

Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure in ssl.conector.php on line 17

Warning: stream_socket_client(): Failed to enable crypto in ssl.conector.php on line 17

Warning: stream_socket_client(): unable to connect to tls://host:port (Unknown error) in ssl.conector.php on line 17
(0)<br />

still no certificate passed

stream_socket_enable_crypto makes no difference

------------------------------------------------------------------------

[2005-05-31 07:22:24] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php5-win32-latest.zip

stream_socket_enable_crypto() was added in PHP 5.1-dev, it's not (and will not be) in PHP 5.0.x

------------------------------------------------------------------------

[2005-05-31 05:36:42] justin dot d dot allen at gmail dot com

line that was truncated on example source is

if (!($fp = stream_socket_client("tls://host:port",$errno,$errstr,30,STREAM_CLIENT_CONNECT/*|STREAM_CLIENT_ASYNC_CONNECT*/,$fc))) {

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
    http://bugs.php.net/33192
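
Added example, not part of the bug report and not PHP or OpenSSL source: the packed code in the `error:14094410:...` warning quoted above can be unpacked to show that the failure is an alert sent by the server (alert 40, handshake_failure) rather than a local error. It assumes the pre-3.0 OpenSSL error layout (8-bit library, 12-bit function, 12-bit reason); `struct ossl_err`, `decode_openssl_error` and `alert_name` are names made up for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Fields of a packed OpenSSL error code, pre-3.0 layout (assumption). */
struct ossl_err {
    unsigned lib;     /* bits 24-31: library, 0x14 is libssl */
    unsigned func;    /* bits 12-23: function id */
    unsigned reason;  /* bits 0-11: reason code */
    int peer_alert;   /* alert number received from the peer, or -1 */
};

/* Find "error:<hex>:" in a log line and unpack it. Returns 0 on success. */
int decode_openssl_error(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    char *end;
    if (p == NULL) return -1;
    p += strlen("error:");
    unsigned long code = strtoul(p, &end, 16);
    if (end == p || *end != ':') return -1;  /* not the expected form */
    out->lib = (code >> 24) & 0xff;
    out->func = (code >> 12) & 0xfff;
    out->reason = code & 0xfff;
    /* libssl reports a received alert N as reason 1000 + N */
    out->peer_alert = (out->lib == 0x14 && out->reason >= 1000 &&
                       out->reason <= 1255) ? (int)out->reason - 1000 : -1;
    return 0;
}

/* A few alert names from the TLS 1.0 alert list; the rest map to "other". */
const char *alert_name(int alert)
{
    switch (alert) {
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 48: return "unknown_ca";
    default: return "other";
    }
}

int main(void)
{
    /* Constructed input: the message text as quoted in the report. */
    const char *line = "error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure";
    struct ossl_err e;
    if (decode_openssl_error(line, &e) == 0)
        printf("lib=0x%02x func=0x%03x reason=%u alert=%d (%s)\n", e.lib, e.func, e.reason, e.peer_alert, alert_name(e.peer_alert));
    return 0;
}
```

A `peer_alert` of -1 means the error was raised locally, so the place to look is the client's own configuration or library rather than the server's response.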