Php – file_get_contents ignoring verify_peer=>false

httpsPHPssl

file_get_contents with https hosts works just fine, except for a particular host (test api server from some company – ip whitelisted, can't give you URL to test). This rules out not loaded https modules and other initial setup mistakes.

I have tested with multiple PHP installations, all at v5.3.3, 32bits, Debian 32bits.

The request works with cURL, but only if setting curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);. However, setting verify_peer"=>false on the context for file_get_contents seems to make no difference.

With file_get_contents, the exact same request (same URL, same XML POST data) fails with SSL: Connection reset by peer:

$arrContextOptions=array(
    "http" => array(
        "method" => "POST",
        "header" => 
            "Content-Type: application/xml; charset=utf-8;\r\n".
            "Connection: close\r\n",
        "ignore_errors" => true,
        "timeout" => (float)30.0,
        "content" => $strRequestXML,
    ),
    "ssl"=>array(
        "allow_self_signed"=>true,
        "verify_peer"=>false,
    ),
);

file_get_contents("https://somedomain:2000/abc/", false, stream_context_create($arrContextOptions));

.

Has anyone encountered this with file_get_contents? Any ideas how to debug?

Best Answer

You missed verify_peer_name. If you set that to false as well, the request works:

$arrContextOptions=array(
    "http" => array(
        "method" => "POST",
        "header" => 
            "Content-Type: application/xml; charset=utf-8;\r\n".
            "Connection: close\r\n",
        "ignore_errors" => true,
        "timeout" => (float)30.0,
        "content" => $strRequestXML,
    ),
    "ssl"=>array(
        "allow_self_signed"=>true,
        "verify_peer"=>false,
        "verify_peer_name"=>false,
    ),
);

file_get_contents("https://somedomain:2000/abc/", false, stream_context_create($arrContextOptions));

Related Solutions

Java – Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error

You need to add the certificate for App2 to the truststore file of the used JVM located at %JAVA_HOME%\lib\security\cacerts.

First you can check if your certificate is already in the truststore by running the following command: keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" (you don't need to provide a password)

If your certificate is missing, you can get it by downloading it with your browser and add it to the truststore with the following command:

keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>

Example:
keytool -import -noprompt -trustcacerts -alias myFancyAlias -file /path/to/my/cert/myCert.cer -keystore /path/to/my/jdk/jre/lib/security/cacerts/keystore.jks -storepass changeit

After import you can run the first command again to check if your certificate was added.

Sun/Oracle information can be found here.

Php SoapClient verify_peer=>true fails with ca-signed certificate

The problem was that php has by default insecure settings to handle https requests. It will not verify the certificate or check that the domain in the certificate is correct.

You have to download the file that is used to verify the certificate yourself too.

You can download one at: http://curl.haxx.se/ca/cacert.pem

The settings to handle them properly are

<?php
$client = new SoapClient("my-wsdlfile.wsdl"
                ,array(
                       "location"=>"https://examplesoapserver.com"
                       ,"stream_context"=>stream_context_create(
                          array(
                            "ssl"=>array(
                                "verify_peer"=>true
                                ,"allow_self_signed"=>false
                                ,"cafile"=>"path/to/cacert.pem"
                                ,"verify_depth"=>5
                                ,"CN_match"=>"examplesoapserver.com"
                                )
                            )
                        )
                    )
                );

There is the same problem with other php functions that can use https ( like file_get_contents ) so the same solution for makeing it secure should work.

CURL has secure settings by default so if possible it is easier to use it.

Here is a great and more detailed explanation of how php handles https:

http://phpsecurity.readthedocs.org/en/latest/Transport-Layer-Security-(HTTPS-SSL-and-TLS).html#php-streams

Related Topic