imap_open: Certificate Error, but only in PHP [message #179813]
Sat, 08 December 2012 13:01
Florian Zeisel
Hi everyone,
this week, one of my php scripts suddenly stopped working. I received the following errors:
It started with: "unable to locate common name", then after a while it was "invalid remote specification".
The code is:
$srv = '{mail.twooit.com:993/imap/ssl/}';
$conn = imap_open($srv, $mailuser, $mailpass) or die("can't connect: " . imap_last_error());
It seems the provider installed a new certificate. Openssl on the terminal results in:
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
After some research, I was able to make it work by adding the "novalidate-cert" option. However, this means that the script does not authenticate the server anymore, which cannot be the solution! At least: Is it correct to assume that passwords and mails are still transferred encrypted? It might not be that much of a problem, because the script is also executed at that provider (different IP address though), and man-in-the-middle risk is therefore low..
HOWEVER, my Thunderbird email client and also smartphone are still connecting without any certificate errors and ssl-check websites say that the certificate is ok...
Can anyone help me to fix this, please?
Thank you very much,
Florian
Re: imap_open: Certificate Error, but only in PHP [message #179814 is a reply to message #179813]
Sat, 08 December 2012 15:54
J.O. Aho
Florian Zeisel wrote:
> Hi everyone,
>
> this week, one of my php scripts suddenly stopped working. I received the following errors:
> It started with: "unable to locate common name", then after a while it was "invalid remote specification".
>
> The code is:
> $srv = '{mail.twooit.com:993/imap/ssl/}';
> $conn = imap_open($srv, $mailuser, $mailpass) or die("can't connect: " . imap_last_error());
>
> It seems the provider installed a new certificate. Openssl on the terminal results in:
> depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
> verify error:num=20:unable to get local issuer certificate
> verify return:0
>
> After some research, I was able to make it work by adding the "novalidate-cert" option.
> However, this means that the script does not authenticate the server anymore, which
> cannot be the solution! At least: Is it correct to assume that passwords and mails are
> still transferred encrypted? It might not be that much of a problem, because the script
> is also executed at that provider (different IP address though), and man-in-the-middle
> risk is therefore low..
Yes, the data will still be transferred encrypted, but you could have a man in
the middle without knowing it.
You could try to verify that the certificate belongs to the "host" which you
connect to, this should at least remove the risk of a random certificate being
used in a man in the middle attack.
> HOWEVER, my Thunderbird email client and also smartphone are still connecting
> without any certificate errors and ssl-check websites say that the certificate is ok...
Have you checked that it's the same certificate used in Thunderbird as the
one you got when you checked with openssl from the machine where the php
script runs?
Also the machine which runs the script may have limited access to the internet
and/or have another trusted CA list than your phone/desktop has.
> Can anyone help me to fix this, please?
I doubt this has to do with your PHP code and thus it's something off topic
on this newsgroup.
--
//Aho
Re: imap_open: Certificate Error, but only in PHP [message #179815 is a reply to message #179813]
Sat, 08 December 2012 16:10
M. Strobel
On 08.12.2012 14:01, Florian Zeisel wrote:
> Hi everyone,
>
> this week, one of my php scripts suddenly stopped working. I received the following errors:
> It started with: "unable to locate common name", then after a while it was "invalid remote specification".
>
> The code is:
> $srv = '{mail.twooit.com:993/imap/ssl/}';
> $conn = imap_open($srv, $mailuser, $mailpass) or die("can't connect: " . imap_last_error());
>
> It seems the provider installed a new certificate. Openssl on the terminal results in:
> depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
> verify error:num=20:unable to get local issuer certificate
> verify return:0
Some certificates require an intermediate CA to be configured on the server. I suggest
you ask COMODO (phone!) about their certificate chains, with the data of the cert in
question on your desk. They know all about it.
But I don't know where PHP gets its certs from. If from OpenSSL, put the intermediate
CA in your cert directory and rehash it.
/Str.
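The "unable to get local issuer certificate" (error 20) result from the first post and the cert-directory advice above, reproduced offline as an added example that is not part of any poster's message. It assumes the `openssl` command-line tool is installed; the `demo-root`, `demo-inter` and `demo-leaf` certificates and all file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway root -> intermediate -> leaf chain (made-up names),
# verified three ways. Nothing here touches the system trust store.
set -e
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = unused' \
  '[demo_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/o.cnf"

build_chain() {
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Self-signed root, then an intermediate CA signed by the root.
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/o.cnf" -extensions demo_ca -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/o.cnf" -extensions demo_ca -out "$d/inter.pem" 2>/dev/null
  # Leaf (server) certificate signed by the intermediate, not by the root.
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# Case 1: verifier knows only the root and is handed only the leaf.
verify_root_only() {
  openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1 || true
}

# Case 2: the intermediate is supplied along with the leaf (-untrusted).
verify_with_sent_intermediate() {
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/inter.pem" "$d/leaf.pem" 2>&1 || true
}

# Case 3: the intermediate is placed in the verifier's cert directory under its
# subject-hash name, which is the link c_rehash would create.
verify_with_cert_dir() {
  mkdir -p "$d/certs"
  for c in root inter; do
    cp "$d/$c.pem" "$d/certs/"
    ln -sf "$c.pem" "$d/certs/$(openssl x509 -noout -hash -in "$d/$c.pem").0"
  done
  openssl verify -CApath "$d/certs" "$d/leaf.pem" 2>&1 || true
}

build_chain
echo "root only:         $(verify_root_only | grep -i 'error 20' || true)"
echo "intermediate sent: $(verify_with_sent_intermediate)"
echo "cert directory:    $(verify_with_cert_dir)"
```

Server authentication stays enabled in all three cases; only the set of certificates available to the verifier changes.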
Re: imap_open: Certificate Error, but only in PHP [message #179816 is a reply to message #179814]
Sat, 08 December 2012 20:30
Florian Zeisel
> Also the machine which runs the script may have limited access to the internet
> and/or have another trusted CA list than your phone/desktop has.
I suppose that's the issue. The intermediate CA might be missing on the server that runs the script.
But since this is just a small hosted space, I guess there's nothing I can do about it.
If I'd ask the hosting provider to fix it: What exactly do they need to do? Do they just need to install the intermediate certificate so that it's also sent when connecting? Or do they need to recompile PHP or some component?
Thank you,
Florian
Re: imap_open: Certificate Error, but only in PHP [message #179817 is a reply to message #179815]
Sat, 08 December 2012 20:33
Florian Zeisel
> Some certificates require an intermediate CA to be configured on the server. I suggest
> you ask COMODO (phone!) about their certificate chains, with the data of the cert in
> question on your desk. They know all about it.
No need to ask. I can see that the chain consists of the certificate, an intermediate certificate and the Root CA.
> But I don't know where PHP gets its certs from. If from OpenSSL, put the intermediate
> CA in your cert directory and rehash it.
So I was googling and some people say: "Install the certificate" while others say things like "You have to recompile PHP."
What's correct? It's a hosting provider. If I know what to ask for, they might do it for free :)
Thank you,
Florian
Re: imap_open: Certificate Error, but only in PHP [message #179818 is a reply to message #179817]
Sun, 09 December 2012 00:19
Jerry Stuckle
On 12/8/2012 3:33 PM, Florian Zeisel wrote:
>> Some certificates require an intermediate CA to be configured on the server. I suggest
>> you ask COMODO (phone!) about their certificate chains, with the data of the cert in
>> question on your desk. They know all about it.
>
> No need to ask. I can see that the chain consists of the certificate, an intermediate certificate and the Root CA.
>
>> But I don't know where PHP gets its certs from. If from OpenSSL, put the intermediate
>> CA in your cert directory and rehash it.
>
> So I was googling and some people say: "Install the certificate" while others say things like "You have to recompile PHP."
>
> What's correct? It's a hosting provider. If I know what to ask for, they might do it for free :)
>
> Thank you,
> Florian
>
I didn't see anyone say "You have to recompile PHP". This is a
certificate problem (i.e. OpenSSL), not a PHP code problem, and as such
is off-topic in this newsgroup.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: imap_open: Certificate Error, but only in PHP [message #179819 is a reply to message #179817]
Sun, 09 December 2012 12:15
M. Strobel
On 08.12.2012 21:33, Florian Zeisel wrote:
>> Some certificates require an intermediate CA to be configured on the server. I suggest
>> you ask COMODO (phone!) about their certificate chains, with the data of the cert in
>> question on your desk. They know all about it.
>
> No need to ask. I can see that the chain consists of the certificate, an intermediate certificate and the Root CA.
>
>> But I don't know where PHP gets its certs from. If from OpenSSL, put the intermediate
>> CA in your cert directory and rehash it.
>
> So I was googling and some people say: "Install the certificate" while others say things like "You have to recompile PHP."
>
> What's correct? It's a hosting provider. If I know what to ask for, they might do it for free :)
Check this out, I found it for you (and learned a bit myself):
http://php.net/manual/en/openssl.cert.verification.php
/Str.