1

I am trying to use fsockopen on localhost with https on Windows, using Wamp. It is working fine on http but not on https.

I created a certificate with OpenSSL (How to install: OpenSSL + WAMP) and declared a virtual host in httpd-vhosts.conf file.

Here is the PHP code:

```php
$fp = fsockopen("ssl://localhost", 443, $errno, $errstr, FSOCKOPEN_TIMEOUT); // same problem with ssl://www.localhost
```

That generates the following errors:

```
PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
PHP Warning:  fsockopen(): Failed to enable crypto
PHP Warning:  fsockopen(): unable to connect to ssl://localhost:443 (Unknown error)
```

I also have the following warning in my SSL error log file when Apache starts (I don't know if it may be related):

```
[ssl:warn] [pid 6008:tid 596] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
```

Do you have any idea what I did wrong?

Thank you!

user2708647
  • I doubt that your certificate is for the name "localhost" hence the mismatch. – Patrick Mevzek Jun 24 '18 at 20:49
  • Thanks Patrick. I regenerated my certificate with "Common Name (e.g. server FQDN or YOUR name) []:localhost". I don't have the Apache warning "localhost:443:0 server certificate does NOT include an ID which matches the server name" anymore but I still have the "SSL operation failed" error. – user2708647 Jun 24 '18 at 21:23

1 Answer

2

Keep in mind - if you create an SSL certificate locally on your own, it's normally not trusted by clients (e.g. a web browser).

When you followed the cert creation process you were asked about the Common Name (CN). That should be a domain over which you are planning to serve your webpage, or, when you only use it locally, it can also be localhost. In your case you used something different which does not match the ServerName or ServerAlias in your Apache config.

Atm I don't understand why you want to connect to localhost via SSL - from a security perspective it's not really necessary.

Otherwise you could force your client (PHP) to not check the certificate's validity:

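```php
<?php
// As posted; the address also needs an explicit port (see the first comment below).
$context = stream_context_create([
    'ssl' => [
        'verify_peer' => false,      // skip certificate chain validation
        'verify_peer_name' => false  // skip the host name check
    ]
]);
$fp = stream_socket_client("ssl://localhost", $errno, $errstr, ini_get("default_socket_timeout"), STREAM_CLIENT_CONNECT, $context);
```

But do that only (!) for local connections.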

Evil_skunk
  • Thanks Evil_skunk. I am connecting via SSL to localhost to test my website locally in the same conditions as in production (I wanted to make sure it worked well locally before deploying). It works indeed with stream_socket_client (I just had to add the port to the host in your code: `$fp = stream_socket_client("ssl://localhost:443", $errno, $errstr, ini_get("default_socket_timeout"), STREAM_CLIENT_CONNECT, $context);`). However I would ideally like to use the same code locally and in production. – user2708647 Jun 24 '18 at 21:25
  • But you will always get the SSL error (verify error) because your self-signed certificate is not publicly valid. There is another option - if you create a root certificate which is trusted on your local system and sign your cert with this one, it should work (e.g. https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec). But I think that's too much effort - I would just make my code configurable and basically would not check certificate validity in "test mode" – Evil_skunk Jun 24 '18 at 21:56
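
An added example, not part of the original answer or comments: one way to use the same connection code locally and in production with verification left on, following the locally trusted root certificate option from the last comment. The `LOCAL_CA_FILE` environment variable and the function names are assumptions made for this sketch; `certNames()` prints the names the server certificate actually carries, which is what the AH01909 warning is about.

```php
<?php
// Added example, not code from the thread. LOCAL_CA_FILE is a hypothetical
// environment variable holding the path to a local development root CA (PEM).

/** TLS options with chain and host name verification always enabled. */
function tlsOptions(string $host, ?string $caFile): array
{
    $ssl = [
        'verify_peer'       => true,   // validate the certificate chain
        'verify_peer_name'  => true,   // validate the name in the certificate
        'peer_name'         => $host,  // name the certificate must match
        'capture_peer_cert' => true,   // keep the certificate for inspection
    ];
    if ($caFile !== null) {            // set only on the development machine
        if (!is_readable($caFile)) {
            throw new RuntimeException("CA file not readable: $caFile");
        }
        $ssl['cafile'] = $caFile;      // trust anchor for the locally signed cert
    }
    return ['ssl' => $ssl];
}

/** Same call locally and in production; only the environment differs. */
function openTls(string $host, int $port = 443, float $timeout = 5.0)
{
    $context = stream_context_create(tlsOptions($host, getenv('LOCAL_CA_FILE') ?: null));
    // Warnings are not suppressed: the OpenSSL detail appears only in the warning text.
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout,
                               STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        throw new RuntimeException("TLS connect to $host:$port failed: $errstr ($errno)");
    }
    return $fp;
}

/** Names the server certificate is issued for (compare with ServerName). */
function certNames($fp): array
{
    $cert = stream_context_get_params($fp)['options']['ssl']['peer_certificate'];
    $info = openssl_x509_parse($cert);
    return ['CN'  => $info['subject']['CN'] ?? null,
            'SAN' => $info['extensions']['subjectAltName'] ?? null];
}

try {
    $fp = openTls('localhost');
    print_r(certNames($fp));
    fclose($fp);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
}
```

In production `LOCAL_CA_FILE` stays unset, so the system trust store is used and no code path disables verification.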