PHP 5.6 ssl3_get_server_certificate

yapadu (Verified User, joined Jun 26, 2009, 38 messages)
I upgraded to PHP 5.6 using custom build 2.0 (on Debian)

I send email out from my server using encryption.

PHP 5.6 is not happy about this, generating the following any time I try to send anything:

[15-May-2015 20:51:01 America/New_York] PHP Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /home/ikbb/domains/wwater.com/public_html/includes/phpmailer/5.2.7/class.smtp.php on line 274

I have been Googling around trying to find out the issue.

The problem is caused by OpenSSL changes in PHP 5.6. PHP is now verifying peer certificates using OpenSSL's default CA bundle.

Problem is I do not seem to have a cert for PHP to use.

This other DirectAdmin user had the same problem: SSL certificate verification on PHP 5.6

He fixed his problem by providing PHP with the location of his cert.pem. Sounds good, except I don't have any cert.pem on my computer.

I have upgraded 3 servers so far, and all have the exact same problem. How can I get the certificate file that PHP is looking for?
 
Hello,

I've got it here /etc/pki/tls/cert.pem as a symlink to /etc/pki/tls/certs/ca-bundle.crt:


Code:
[root@server custombuild]# /usr/local/php56/bin/php
<?php
var_dump(openssl_get_cert_locations());
array(8) {
  ["default_cert_file"]=>
  string(21) "/etc/pki/tls/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(18) "/etc/pki/tls/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(20) "/etc/pki/tls/private"
  ["default_default_cert_area"]=>
  string(12) "/etc/pki/tls"
  ["ini_cafile"]=>
  string(0) ""
  ["ini_capath"]=>
  string(0) ""
}
[root@server custombuild]# ls -la /etc/pki/tls/cert.pem
lrwxrwxrwx 1 root root 19 May 13 23:29 /etc/pki/tls/cert.pem -> certs/ca-bundle.crt
[root@server custombuild]#
[root@server custombuild]# ls -la /etc/pki/tls/certs/ca-bundle.crt
-rw-r--r-- 1 root root 877042 Apr 23 22:07 /etc/pki/tls/certs/ca-bundle.crt
[root@server custombuild]#

And what do you see with

PHP:
<?php
var_dump(openssl_get_cert_locations());
?>
?
 
Interesting, I get:

array(8) {
["default_cert_file"]=>
string(21) "/usr/lib/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(18) "/usr/lib/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(20) "/usr/lib/ssl/private"
["default_default_cert_area"]=>
string(12) "/usr/lib/ssl"
["ini_cafile"]=>
string(0) ""
["ini_capath"]=>
string(0) ""
}


root@server:/# ls -la /usr/lib/ssl/cert.pem
ls: cannot access /usr/lib/ssl/cert.pem: No such file or directory

No ca-bundle on the machine either.
 
On Debian it might be:

Code:
da:~# updatedb
da:~# locate cert.pem
...

/usr/local/share/perl/5.10.0/Mozilla/CA/cacert.pem
/usr/share/doc/libssl-dev/demos/easy_tls/cert.pem
/usr/share/doc/libssl-dev/demos/sign/cert.pem

or these

Code:
~# locate cacert
/etc/ssl/certs/cacert.org.pem
/etc/ssl/certs/spi-cacert-2008.pem
/usr/share/ca-certificates/cacert.org
/usr/share/ca-certificates/cacert.org/cacert.org.crt
/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt


You might copy one to /usr/lib/ssl/cert.pem (I did not check which exactly is the right one)

and/or try to (re-)install it:

Code:
apt-get install ca-certificates

or get one from here: http://curl.haxx.se/docs/caextract.html
 
I've found these:

/usr/share/doc/libssl-doc/demos/cms/cacert.pem
/usr/share/doc/libssl-doc/demos/easy_tls/cert.pem
/usr/share/doc/libssl-doc/demos/maurice/cert.pem.gz
/usr/share/doc/libssl-doc/demos/sign/cert.pem
/usr/share/doc/libssl-doc/demos/smime/cacert.pem

I plugged some of them into https://www.sslshopper.com/certificate-decoder.html

/usr/share/doc/libssl-doc/demos/smime/cacert.pem

Certificate Information:
Common Name: Test S/MIME Root CA
Organization: OpenSSL Group
Locality: Test City
Country: UK
Valid From: April 13, 2007
Valid To: April 10, 2017
Issuer: Test S/MIME Root CA, OpenSSL Group
Serial Number: 14395258657826892692 (0xc7c63b7adda36b94)


/usr/share/doc/libssl-doc/demos/cms/cacert.pem

Certificate Information:
Common Name: Test S/MIME Root CA
Organization: OpenSSL Group
Locality: Test City
Country: UK
Valid From: April 13, 2007
Valid To: April 10, 2017
Issuer: Test S/MIME Root CA, OpenSSL Group
Serial Number: 14395258657826892692 (0xc7c63b7adda36b94)


So whatever those two cacert.pem files are, they are the same. What good is a random cert to PHP? Can you just feed it anything?
 
I'm not sure whether or not they are what you need. Probably you need to try CA Certs from mozilla.org http://curl.haxx.se/docs/caextract.html or this direct link: https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

The cert on a CentOS system, located in /etc/pki/tls/cert.pem (as a symlink to /etc/pki/tls/certs/ca-bundle.crt), has the following lines in the header:

Code:
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.

From docs:

cafile string
Location of Certificate Authority file on local filesystem which should be used with the verify_peer context option to authenticate the identity of the remote peer.
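An added example (not code from the thread or from PHPMailer) that ties the two fixes discussed above together: locate a CA bundle PHP 5.6 can actually use, then hand it to a stream context with verify_peer so the STARTTLS upgrade in stream_socket_enable_crypto() verifies the mail server instead of failing with "certificate verify failed". The host name mail.example.com is a placeholder, and the candidate paths beyond the Debian and CentOS package defaults are assumptions.

```php
<?php
// Added example: find a usable CA bundle and use it for a verified STARTTLS upgrade.

// Return the first readable, non-empty CA bundle from the places PHP/OpenSSL
// consult plus the paths the ca-certificates package installs (Debian first,
// then CentOS). Remaining entries are assumptions, not thread-verified paths.
function findCaBundle() {
    $loc = openssl_get_cert_locations();
    $candidates = array(
        ini_get('openssl.cafile'),                 // explicit php.ini setting wins
        $loc['default_cert_file'],                 // OpenSSL compile-time default
        getenv($loc['default_cert_file_env']),     // SSL_CERT_FILE override
        '/etc/ssl/certs/ca-certificates.crt',      // Debian: apt-get install ca-certificates
        '/etc/pki/tls/certs/ca-bundle.crt',        // CentOS/RHEL bundle from the thread
    );
    foreach ($candidates as $path) {
        if (is_string($path) && $path !== '' && is_readable($path) && filesize($path) > 0) {
            return $path;
        }
    }
    return null;
}

// Stream context that verifies the server chain and host name against the bundle.
function verifyingContext($cafile, $peerName) {
    return stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
        'peer_name'         => $peerName,
    )));
}

$bundle = findCaBundle();
if ($bundle === null) {
    fwrite(STDERR, "No CA bundle found: install ca-certificates or set openssl.cafile in php.ini\n");
    exit(1);
}
echo "Using CA bundle: $bundle\n";

// Placeholder host: open the SMTP submission port and upgrade with STARTTLS.
$ctx = verifyingContext($bundle, 'mail.example.com');
$fp = stream_socket_client('tcp://mail.example.com:587', $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if (!$fp) { exit("connect failed: $errstr\n"); }
fgets($fp);                                                     // 220 greeting
fwrite($fp, "EHLO client.example.com\r\n");
while (($line = fgets($fp)) !== false && $line[3] === '-') {}   // skip multi-line EHLO reply
fwrite($fp, "STARTTLS\r\n");
fgets($fp);                                                     // 220 ready to start TLS
// With verify_peer on, a chain that does not lead to the bundle fails here; the fix is a
// correct bundle (or adding the server's CA to it), not turning verification off.
if (!stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
    exit("TLS handshake or certificate verification failed\n");
}
echo "TLS established and server certificate verified\n";
fclose($fp);
```

Setting `openssl.cafile` in php.ini has the same effect process-wide, which is what the `ini_cafile` entry in the openssl_get_cert_locations() output above reports.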
 