[SOLVED] get page from SSL server that requires client cert?

Posted: Wed Oct 06, 2004 7:54 pm
by saidwords
How do you write a php script to get a page from an SSL webserver that requires a client certificate?

Is it even possible?

I was able to write a script that gets a page from an SSL server that does NOT require a client certificate. But it doesn't work when I point it to an SSL webserver that DOES require a client certificate. Here is the script:

Code:

<?php
// Open a raw TLS connection to the server (port 5678 here), 30 second timeout.
$fp = fsockopen("ssl://192.168.0.28", 5678, $errno, $errstr, 30);

if (!$fp) {
    echo "<br>ERROR: $errstr ($errno)";
} else {
    // Hand-built HTTP/1.0 request; Connection: Close makes the server end the
    // stream when the response is complete, so feof() terminates the loop.
    $request  = "GET / HTTP/1.0\r\n";
    $request .= "Host: 192.168.0.28\r\n";
    $request .= "Connection: Close\r\n\r\n";
    fputs($fp, $request);
    while (!feof($fp)) {
        $result = fgets($fp, 1024);
        print "$result\n";
    }
    fclose($fp);
}

It works great when pointed to a regular Apache SSL webserver.

But when I point this script to an Apache webserver that is running SSL and requires client certificates (SSLVerifyClient require) I get the following error in the /var/log/httpd/error_log:

mod_ssl: SSL handshake failed (server 192.168.0.28:5678:5678, client 192.168.0.28) (OpenSSL library error follows)
OpenSSL: error:140890C7:SSL routines:func(137):reason(199)

I looked up reason code 199 in the ssl.h file and it says: SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE

So, I'm guessing that my little PHP script didn't send a client certificate to the SSL webserver when it was requested. And since the PHP script is running under Apache, I am guessing that I need to configure Apache to send a client certificate when it is requested, unless it can be done from within PHP.

And yes, all my certificates are in order and I even imported a browser certificate into my browser and verified that the browser can communicate with the server in SSL mode properly.

Is it possible? I'm already a week behind schedule!! Anybody need a good dishwasher?

Posted: Wed Oct 06, 2004 9:01 pm
by feyd
curl supports sending certificates it appears: curl_setopt() :: CURLOPT_SSLCERT

[SOLVED] Howto get a page from SSL server that requires cert

Posted: Thu Oct 07, 2004 7:51 pm
by saidwords
W00t! I found the solution! Here it is:

Code:

<?php
// Build a stream context carrying the TLS options, then pass it to fsockopen().
$context = stream_context_create();
// Verify the server's certificate against the CA bundle below.
stream_context_set_option($context, "ssl", "verify_peer", true);
stream_context_set_option($context, "ssl", "cafile", "/etc/httpd/opencountry/ssl.crt/ca-bundle.crt");
// Client certificate (PEM) presented when the server asks for one.
stream_context_set_option($context, "ssl", "local_cert", "/etc/httpd/opencountry/ssl.crt/client.pem");

// Some other valid options to stream_context_set_option() are:
// verify_depth, CN_match, passphrase, capath, ciphers

$fp = fsockopen("ssl://192.168.0.28", 443, $errno, $errstr, 30, $context);

if (!$fp) {
    echo "<br>ERROR: $errstr ($errno)";
} else {
    $request  = "GET /about HTTP/1.0\r\n";
    $request .= "Host: 192.168.0.28\r\n";
    $request .= "Connection: Close\r\n\r\n";
    fputs($fp, $request);
    print "waiting for response...\n";
    while (!feof($fp)) {
        $result = fgets($fp, 1024);
        print "$result ";
    }
    fclose($fp);
}
Before you go running out to use this code, beware that the client cert 'cert.pem' that you create must include the private key. All I did was concatenate my client certificate's private key file to the end of my client certificate and it worked! But I wonder, is that a security risk? Does this mean that the private key is being sent across the network?
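An added example (editor's code, not from either poster) that puts the two approaches from this thread side by side: the stream-context route of the solution above, and the cURL route feyd pointed to. It keeps the private key in its own file (the `local_pk` option and `CURLOPT_SSLKEY`) instead of concatenating it onto the certificate, and turns on server verification in both. On the question raised above: during the TLS handshake the client transmits only its certificate; the private key stays on the local host and is used to sign the handshake's CertificateVerify message, so combining cert and key in one PEM does not put the key on the wire. The practical risk is on disk, since that combined file must be readable by the web server user. All paths, the host name and the URL are placeholders.

```php
<?php
// Added example, not from the original thread. Paths, host and URL are placeholders.

const CA_BUNDLE   = '/path/to/ca-bundle.crt'; // CA that signed the SERVER certificate
const CLIENT_CERT = '/path/to/client.crt';    // client certificate only (PEM)
const CLIENT_KEY  = '/path/to/client.key';    // private key, separate file, mode 0600
const KEY_PASS    = null;                     // passphrase string if the key is encrypted
const TARGET_URL  = 'https://server.example:443/about';

/**
 * Stream-wrapper variant. The key in CLIENT_KEY is only used locally to
 * sign the handshake; it is never sent to the server.
 */
function fetchWithStreamContext(string $url): string
{
    $ssl = [
        'verify_peer'         => true,        // check the server cert against CA_BUNDLE
        'verify_peer_name'    => true,        // and that its name matches the URL host
        'cafile'              => CA_BUNDLE,
        'local_cert'          => CLIENT_CERT, // presented when the server requests it
        'local_pk'            => CLIENT_KEY,  // separate key file (PHP >= 5.6)
        'disable_compression' => true,
    ];
    if (KEY_PASS !== null) {
        $ssl['passphrase'] = KEY_PASS;
    }
    $context = stream_context_create([
        'ssl'  => $ssl,
        'http' => ['method' => 'GET', 'timeout' => 30, 'ignore_errors' => true],
    ]);

    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS/HTTP request failed: ' . ($err['message'] ?? 'unknown'));
    }
    return $body;
}

/**
 * cURL variant: CURLOPT_SSLCERT plus the key and verification options that
 * belong with it.
 */
function fetchWithCurl(string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_CAINFO         => CA_BUNDLE,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLCERT        => CLIENT_CERT,
        CURLOPT_SSLKEY         => CLIENT_KEY,
    ]);
    if (KEY_PASS !== null) {
        curl_setopt($ch, CURLOPT_SSLKEYPASSWD, KEY_PASS);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        $msg = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('cURL request failed: ' . $msg);
    }
    curl_close($ch);
    return $body;
}

if (PHP_SAPI === 'cli') {
    echo fetchWithStreamContext(TARGET_URL), "\n";
    echo fetchWithCurl(TARGET_URL), "\n";
}
```

Both functions throw instead of printing on failure, so a handshake problem (for instance the server's SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE from the first post, which shows up client-side as a failed stream or a curl error) surfaces as an exception with the library's message rather than as an empty response.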