fsockopen,连接ssl:// imap服务器时证书验证失败

时间:2016-02-22 15:31:24

标签: php apache ssl ssl-certificate imap

我正在尝试使用fsockopen()

通过php脚本连接到ssl:// imap
  

服务器:CentOS Linux版本7.1.1503

     

Apache:Apache / 2.4.6

     

PHP:PHP 5.6.17

$host = "ssl://mail.example.com";
$port = 993;
echo "Connecting with " . $host . "o port " . $port;
$socket = fsockopen($host, $port, $errno, $errstr, 30);
if (!$socket) {
echo "Connection failed";
}

$line = fgets($socket);

return $line;

收到此错误:

Connecting with ssl://mail.example.com port 993PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in imapProtocols/imap.php on line 7

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in imapProtocols/imap.php on line 7

PHP Warning:  fsockopen(): Failed to enable crypto in imapProtocols/imap.php on line 7

Warning: fsockopen(): Failed to enable crypto in /home/bmarszal/imapProtocols/imap.php on line 7

PHP Warning:  fsockopen(): unable to connect to ssl://mail.example.com:993 (Unknown error) in imapProtocols/imap.php on line 7

Warning: fsockopen(): unable to connect to ssl://mail.example.com:993 (Unknown error) in imapProtocols/imap.php on line 7
Connection failedPHP Warning:  fgets() expects parameter 1 to be resource, boolean given in imapProtocols/imap.php on line 11

Warning: fgets() expects parameter 1 to be resource, boolean given in imapProtocols/imap.php on line 11

这是我与SSL配置相关的php.ini:

$php -i |grep ssl
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2
openssl
Openssl default config => /etc/pki/tls/openssl.cnf
openssl.cafile => /etc/ssl/certs/ca-bundle.trust.crt => /etc/ssl/certs/ca-bundle.trust.crt
openssl.capath => /etc/ssl/certs/ => /etc/ssl/certs/

对于资本SSL

$php -i |grep SSL
SSL => Yes
SSL Version => NSS/3.15.4
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013
Native OpenSSL support => enabled

但是当我尝试使用openSSL客户端连接到同一台服务器时,我收到了OK响应,几乎没有错误。我通过添加CA证书来解决此错误。然后我从openssl客户端

收到此输出
openssl s_client -connect imap.exaple.com:993
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Hosted by Allenta Consulting, OU = PositiveSSL Wildcard, CN = *.exaple.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by Allenta Consulting/OU=PositiveSSL Wildcard/CN=*.example.
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by Allenta Consulting/OU=PositiveSSL Wildcard/CN=*.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1718 bytes and written 573 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : AES256-SHA
Session-ID:  5B621F5347861FCE91811F4BA5C2CA8DA7D73D493791BE7491DEF0CCB714C1AD
Session-ID-ctx: 
Master-Key: 7DE0349D9057174C6C2DF9924F14CDB6FD7A35FDDB3FC0F128BF04CD2EA0852CAD1E8BBABF24854D4CC2FDF69C947DB7
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - ea d4 d7 55 8c 93 8d 79-23 5b 2c 2a 4f bb d0 94   ...U...y#[,*O...
0010 - c3 00 d7 fd 33 52 76 48-45 3c cf 9e 54 2f 24 db   ....3RvHE<..T/$.
0020 - 04 f6 f3 09 47 ba 5d 9a-c8 b8 8f 7e 98 5e 33 b0   ....G.]....~.^3.
0030 - c3 ab 71 1c f5 0e 03 fd-19 b8 be b7 8c f6 58 79   ..q...........Xy
0040 - 79 59 b6 a6 4e 97 0c 71-e1 61 ec c1 ff 41 0b 25   yY..N..q.a...A.%
0050 - 7a 5f ed 38 00 86 41 42-83 1c a4 c4 65 13 2d 19   z_.8..AB....e.-.
0060 - 73 3c ff cf be 90 43 c7-dc e4 04 0c 1b 78 57 a9   s<....C......xW.
0070 - 8d 22 5d c6 a6 61 0a f0-d6 04 ce 45 2e c7 88 f1   ."]..a.....E....
0080 - 9c 15 91 1a 90 03 08 74-7e b7 51 bc 08 47 7c 38   .......t~.Q..G|8
0090 - 47 62 3e 16 04 b1 58 de-c0 a1 b3 36 dc ca 42 f6   Gb>...X....6..B.

Start Time: 1456230737
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAP4 Ready 212.160.140.206 0001dd1c

我发现问题:SSL错误SSL3_GET_SERVER_CERTIFICATE:证书验证失败但我需要使用fsockopen()解决此问题

我用'example'替换敏感的公司数据,它看起来像:imap.company.com

1 个答案:

答案 0 :(得分:6)

此问题与来自服务器的CA证书有关。当我使用openSSL客户端连接到连接到imap服务器时,我收到ok响应因为openSSL忽略了CA证书警告。看来PHP并没有忽略这个警告。我们必须确保我们拥有COMODO RSA域验证安全服务器CA的有效CA证书。

我必须从此page导入证书并将其添加到我们的全球证书中。在这个改变之后,我可以运行fsockopen()而不会出错。