
imap_open: Certificate Error, but only in PHP


Florian Zeisel
Dec 8, 2012, 8:01:29 AM
Hi everyone,

this week, one of my php scripts suddenly stopped working. I received the following errors:
It started with: "unable to locate common name", then after a while it was "invalid remote specification".

The code is:
$srv = '{mail.twooit.com:993/imap/ssl/}';
$conn = imap_open($srv, $mailuser, $mailpass) or die("can't connect: " . imap_last_error());

It seems the provider installed a new certificate. Openssl on the terminal results in:
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0

After some research, I was able to make it work by adding the "novalidate-cert" option. However, this means that the script does not authenticate the server anymore, which cannot be the solution! At least: Is it correct to assume that passwords and mails are still transferred encrypted? It might not be that much of a problem, because the script is also executed at that provider (different IP address though), and the man-in-the-middle risk is therefore low.

HOWEVER, my Thunderbird email client and also my smartphone are still connecting without any certificate errors, and ssl-check websites say that the certificate is ok...

Can anyone help me to fix this, please?

Thank you very much,
Florian

J.O. Aho
Dec 8, 2012, 10:54:41 AM
Florian Zeisel wrote:
> Hi everyone,
>
> this week, one of my php scripts suddenly stopped working. I received the following errors:
> It started with: "unable to locate common name", then after a while it was "invalid remote specification".
>
> The code is:
> $srv = '{mail.twooit.com:993/imap/ssl/}';
> $conn = imap_open($srv, $mailuser, $mailpass) or die("can't connect: " . imap_last_error());
>
> It seems the provider installed a new certificate. Openssl on the terminal results in:
> depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
> verify error:num=20:unable to get local issuer certificate
> verify return:0
>
> After some research, I was able to make it work by adding the "novalidate-cert" option.
> However, this means that the script does not authenticate the server anymore, which
> cannot be the solution! At least: Is it correct to assume that passwords and mails are
> still transferred encrypted? It might not be that much of a problem, because the script
> is also executed at that provider (different IP address though), and man-in-the-middle
> risk is therefore low.

Yes, the data will still be transferred encrypted, but you could have a man in
the middle without knowing it.

You could try to verify that the certificate belongs to the "host" which you
connect to; this should at least remove the risk of a random certificate being
used in a man in the middle attack.


> HOWEVER, my Thunderbird email client and also smartphone are still connecting
> without any certificate errors and ssl-check websites say that the certificate is ok...

Have you checked that it's the same certificate used in Thunderbird as the
one you got when you checked with openssl from the machine where the PHP
script runs?

Also, the machine which runs the script may have limited access to the internet,
or have a different trusted CA list than your phone/desktop has.


> Can anyone help me to fix this, please?

I doubt this has to do with your PHP code, and thus it's something off-topic
on this newsgroup.


--

//Aho

M. Strobel
Dec 8, 2012, 11:10:49 AM
On 08.12.2012 14:01, Florian Zeisel wrote:
> Hi everyone,
>
> this week, one of my php scripts suddenly stopped working. I received the following errors:
> It started with: "unable to locate common name", then after a while it was "invalid remote specification".
>
> The code is:
> $srv = '{mail.twooit.com:993/imap/ssl/}';
> $conn = imap_open($srv, $mailuser, $mailpass) or die("can't connect: " . imap_last_error());
>
> It seems the provider installed a new certificate. Openssl on the terminal results in:
> depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
> verify error:num=20:unable to get local issuer certificate
> verify return:0

Some certificates require an intermediate CA to be configured on the server. I suggest
you ask COMODO (phone!) about their certificate chains, with the data of the cert in
question on your desk. They know all about it.

But I don't know where PHP gets its certs from. If from OpenSSL, put the intermediate
CA in your cert directory and rehash it.

/Str.

Florian Zeisel
Dec 8, 2012, 3:30:50 PM
> Also the machine which runs the script may have limited access to the internet
> or and having another trusted CA list than your phone/desktop has.

I suppose that's the issue. The intermediate CA might be missing on the server that runs the script.
But since this is just a small hosted space, I guess there's nothing I can do about it.

If I'd ask the hosting provider to fix it: What exactly do they need to do? Do they just need to install the intermediate certificate so that it's also sent when connecting? Or do they need to recompile PHP or some component?

Thank you,
Florian
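The question above (missing intermediate on the server vs. a different trust store on the machine running the script) can be answered from that machine itself. The following is an added diagnostic, not code posted by anyone in this thread: it opens the same verified TLS connection imap_open uses when "novalidate-cert" is absent, and when verification fails it reports the chain the server actually sends and where this PHP/OpenSSL build loads its CA certificates. Only the host and port come from the thread; the function name is the author's own.

```php
<?php
// Added diagnostic (not code from this thread). Connects with full peer and
// hostname verification, i.e. what imap_open does WITHOUT "novalidate-cert";
// on failure it also shows the served chain and the CA locations PHP trusts.
// Host/port are from the thread; the rest is standard PHP stream/openssl API.
function tls_chain_report(string $host, int $port = 993, int $timeout = 10): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'             => true,
        'verify_peer_name'        => true,
        'peer_name'               => $host,
        'capture_peer_cert_chain' => true,
    ]]);
    $report = ['host' => $host, 'verified' => false, 'error' => null,
               'chain' => [], 'ca_locations' => openssl_get_cert_locations()];

    // '@' silences the PHP warning; the error text is kept in the report instead.
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock !== false) {
        $report['verified'] = true;
    } else {
        $report['error'] = "$errstr ($errno)";
        // Verification failed: reconnect WITHOUT verification only to inspect
        // what the server serves (like "openssl s_client"), never to use it.
        stream_context_set_option($ctx, 'ssl', 'verify_peer', false);
        stream_context_set_option($ctx, 'ssl', 'verify_peer_name', false);
        $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout,
                                      STREAM_CLIENT_CONNECT, $ctx);
        if ($sock === false) {
            return $report;   // the handshake itself failed; nothing to inspect
        }
    }
    $chain = stream_context_get_params($sock)['options']['ssl']['peer_certificate_chain'] ?? [];
    foreach ($chain as $depth => $cert) {
        $p = openssl_x509_parse($cert);
        $report['chain'][] = sprintf('depth=%d subject=%s issuer=%s expires=%s',
            $depth, $p['subject']['CN'] ?? '?', $p['issuer']['CN'] ?? '?',
            date('Y-m-d', $p['validTo_time_t']));
    }
    fclose($sock);
    // Reading the result: if the last chain entry's issuer is a CA that is not
    // itself in the chain and not present under ca_locations, the server omits
    // the intermediate or this machine's trust store lacks the root.
    return $report;
}

print_r(tls_chain_report('mail.twooit.com'));
```

If the chain stops at the leaf (depth=0 only), the server is not sending the intermediate and the hosting provider has to add it to the IMAP server configuration; if the intermediate is present but the root is missing from the listed CA paths, the PHP host's CA bundle is the problem. Neither case is fixed by recompiling PHP.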

Florian Zeisel
Dec 8, 2012, 3:33:52 PM
> Some certificates require a intermediate CA to be configured on the server. I suggest
> you ask COMODO (phone!) about their certificate chains, with the data of the cert in
> question on your desk. They know all about it.

No need to ask. I can see that the chain consists of the certificate, an intermediate certificate and the Root CA.

> But I don't know where PHP gets his certs from. If from openSSL, put the intermediate
> CA in your cert directory and rehash it.

So I was googling, and some people say: "Install the certificate" while others say things like "You have to recompile PHP."

What's correct? It's a hosting provider. If I know what to ask for, they might do it for free :)

Thank you,
Florian

Jerry Stuckle
Dec 8, 2012, 7:19:17 PM
I didn't see anyone say "You have to recompile PHP". This is a
certificate problem (i.e. OpenSSL), not a PHP code problem, and as such
is off-topic in this newsgroup.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================

M. Strobel
Dec 9, 2012, 7:15:27 AM
Check this out, I found it for you (and learned a bit myself):

http://php.net/manual/en/openssl.cert.verification.php

/Str.