How to set a list of trusted certificates for a socket client in PHP?

In the context of IHE Connectathon, I want to create a socket server that is responsible for the ATNA profile, which requires TLS sockets with certificates on both ends.

My problem is summarized in this post: https://groups.google.com/d/msg/eu_connectathon/O-VGI_3cltw/ARsElA65ZkkJ

Edit: Sorry, the Google group is not public, so here is the message:

Hi Florian,

What exactly does the error message "The server requested a certificate, but the list of issuers does not contain a valid certification authority." mean? Has there been a change in the TLS client in recent years, or am I using the wrong certificates?

The message means that the server sent a CertificateRequest message to the client with no values in the cert_authorities field.

I ran into this problem last year and discussed this with the TLS tool developer. He argued that if the server did not include this field, the client would have no idea what certificate to return, suggesting a scenario in which you would have to connect the top row of affinity domains, each with its own CA.

It looks like you can instruct OpenSSL to return this value with an SSL_CTX_set_client_CA_list call, for example in DcmTLSTransportLayer::addTrustedCertificateFile. I have not tested this with TLS tools, but I hope to do so before the connectathon starts.

PHP , . , PHP " CA CA set set CA Client", , .

<?php
// Assumed to be set by the caller: $certificate (bool), $passphrase, $address, $port
$context = stream_context_create();

if ($certificate) {
  // Server certificate + private key (PEM), unlocked with $passphrase
  stream_context_set_option($context, 'ssl', 'local_cert', "/path/to/server.pem");
  stream_context_set_option($context, 'ssl', 'passphrase', $passphrase);

  // CA bundle used to verify the client certificates presented to this server
  stream_context_set_option($context, 'ssl', 'cafile', "/path/to/ca.pem");

  stream_context_set_option($context, 'ssl', 'allow_self_signed', false);
  stream_context_set_option($context, 'ssl', 'verify_peer', true);      // require a client certificate
  stream_context_set_option($context, 'ssl', 'peer_name', "TlsTools2");  // expected name on the client certificate
  stream_context_set_option($context, 'ssl', 'capture_peer_cert', true);
  stream_context_set_option($context, 'ssl', 'capture_peer_cert_chain', true);
}

// '@' hides the socket/OpenSSL warning; $errstr still reports why binding failed
$this->__socket = @stream_socket_server("tcp://$address:$port", $errno, $errstr, STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $context);

TLS IHE Gazelle : " , ".

, , " ", .

, PHP , ?

.

. @rdlowrey, : https://bugs.php.net/bug.php?id=69215

+4
1

:

PHP SSL_CTX_set_client_CA_list() .

, :

https://bugs.php.net/bug.php?id=69215

PHP 5.6.8 ( PHP ).

, OP . :

<?php
$serverCtx = stream_context_create(['ssl' => [
    'local_cert' => '/path/to/my-server-cert.pem',
    'passphrase' => 'elephpant',
    'cafile' => '/path/to/my-ca-certs.pem',
    'verify_peer' => true
]]);

PHP , my-ca-certs.pem, , CA TLS.

"verify_peer" => true PHP . , ( ) , , . , , . , , , :

<?php
$serverCtx = stream_context_create(['ssl' => [
    'local_cert' => '/path/to/my-server-cert.pem',
    'passphrase' => 'elephpant',
    'cafile' => '/path/to/my-ca-certs.pem',
    'verify_peer' => true,
    'verify_peer_name' => true, // verify the name on the cert
    'peer_name' => 'zanzibar' // ensure the cert name matches this
]]);
+5
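A complete server for the setup in the question, as an added example (not the answer's code and not PHP's own): it applies the context options from the answer, warns on PHP versions older than the 5.6.8 fix for bug #69215, and logs who connected from the captured client certificate. The paths, passphrase, port and expected client CN are placeholders.

```php
<?php
// Added example: minimal mutual-TLS server for the ATNA-style setup discussed above.
// Placeholders: certificate paths, passphrase, port and the expected client CN.
$serverCert = '/path/to/server.pem';   // server certificate + private key (PEM)
$caBundle   = '/path/to/ca.pem';       // CAs allowed to sign client certificates
$expectedCn = 'TlsTools2';             // CN the client certificate must carry

if (PHP_VERSION_ID < 50608) {
    // Before 5.6.8 (bug #69215) the CertificateRequest carried no CA names,
    // so a strict client cannot tell which certificate it should send.
    fwrite(STDERR, "Warning: this PHP does not send the client CA list\n");
}

$ctx = stream_context_create(['ssl' => [
    'local_cert'        => $serverCert,
    'passphrase'        => 'elephpant',
    'cafile'            => $caBundle,
    'verify_peer'       => true,   // require and verify a client certificate
    'verify_peer_name'  => true,
    'peer_name'         => $expectedCn,
    'allow_self_signed' => false,
    'capture_peer_cert' => true,   // keep the client cert so we can log who connected
]]);

$server = stream_socket_server('tcp://0.0.0.0:3001', $errno, $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx);
if ($server === false) {
    throw new RuntimeException("listen failed: $errstr ($errno)");
}

while (($conn = stream_socket_accept($server, -1)) !== false) {
    // Plain TCP first, then the TLS handshake. No '@' here, so the OpenSSL
    // reason for a rejected handshake (bad issuer, name mismatch) reaches the log.
    $ok = stream_socket_enable_crypto($conn, true, STREAM_CRYPTO_METHOD_TLS_SERVER);
    if ($ok !== true) {
        fwrite(STDERR, "handshake rejected for " . stream_socket_get_name($conn, true) . "\n");
        fclose($conn);
        continue;
    }
    // The verified client certificate is stored in the accepted stream's context
    $opts = stream_context_get_options($conn);
    $info = openssl_x509_parse($opts['ssl']['peer_certificate']);
    $cn     = isset($info['subject']['CN']) ? $info['subject']['CN'] : '?';
    $issuer = isset($info['issuer']['CN'])  ? $info['issuer']['CN']  : '?';
    fwrite(STDERR, "client $cn (issued by $issuer) authenticated\n");
    // ... read the audit message from $conn here ...
    fclose($conn);
}
```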
