stream_socket_enable_crypto alternative or similar solution

2k views Asked by At

I'm running a script on my site that connects to Facebook, It was working fine until my server updated Centos with a buggy version of Openssl. My problem is that until Redhat release a new version I'm stuck with this bug.

This is my script how actually run:

  if( !stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT))
  {

    throw new Exception('stream_socket_enable_crypto failed');

  }

Obviously now it fails all the time with the following error:

PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib

So there is any other alternative to enable crypto on the resource such as curl or something similar. How can I fix this?

2

There are 2 answers

1
Cristian Ciocău On BEST ANSWER

This is not a solution, it's just a similar OpenSSL test ran on my box.

I updated my CentOS box today, so I have the last version on it:


# cat /etc/redhat-release
CentOS release 6.5 (Final)

The OpenSSL version is:


openssl.i686 0:1.0.1e-16.el6_5
openssl-devel.i686 0:1.0.1e-16.el6_5

And I ran the following test on it:


<?php

  // open the socket
  $f = @stream_socket_client("google.com" . ":" . "443", $err, $errstr, 30);

  if (!$f) {
    echo "Socket error: (" . $err . ") " . $errstr . "\n";
    exit;
  }

  // Start SSL, if needed
  if(!@stream_socket_enable_crypto($f, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
    echo "Socket error. Can not start SSL encryption" . "\n";
    exit;
  }

  $request_headers  = "GET / HTTP/1.1" . "\r\n";
  $request_headers .= "Host: www.google.com" . "\r\n";
  $request_headers .= "Connection: close" . "\r\n";
  $request_headers .= "\r\n";

  // send the HTTP headers
  fputs ($f, $request_headers);

  // read everything
  $buf = "";
  while(!feof($f)) {
    $buf .= fgets ($f, 8192);
  }

  // close the socket
  fclose($f);

  echo $buf;

  echo "\n";
?>

At the end I got the desired response, with no Open-SSL errors.

0
obsergiu On

In my case it worked replacing the

STREAM_CRYPTO_METHOD_TLS_CLIENT

with:

STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

That's because the TLS1.0 which is what is equivalent STREAM_CRYPTO_METHOD_TLS_CLIENT to is getting deprecated.