ssl - PHP cURL call returning error 56 with NSS error -12195
I have an internal server (on an internal network) and need to make REST API calls to it from an external server.
I don't know if it helps, but the external server is running PHP 5.3.6 and curl 7.19.7.
To make it safer (another firewall box limits the external IP addresses that can call the internal server to the static IP address of the external server), I generated a self-signed SSL server certificate for the internal server.
I also generated a client certificate to be used by the external server when making the calls.
The calls are being made using the curl library of PHP. The page that makes the calls looks like this (this page was created as a "proof of concept", to see if the call can be made):
    <?php
    $mycurl = curl_init();
    // Append curl's verbose output to a log file for troubleshooting.
    $verbose = fopen('curl_error_log', 'a');
    $url_site = 'https://internal.server.com/api_test.php';
    $options = array(
        CURLOPT_HEADER => false
        ,CURLOPT_RETURNTRANSFER => true
        ,CURLOPT_VERBOSE => true
        ,CURLOPT_STDERR => $verbose
        ,CURLOPT_HTTPHEADER => array('accept: application/json')
        // Trust anchors used to verify the server certificate.
        ,CURLOPT_CAINFO => realpath('/certs/server/certs.pem')
        ,CURLOPT_CAPATH => realpath('/certs/server')
        ,CURLOPT_SSL_VERIFYPEER => true
        ,CURLOPT_SSL_VERIFYHOST => 2
        // Client certificate and private key presented to the server.
        ,CURLOPT_SSLCERT => realpath('/certs/client.crt.pem')
        ,CURLOPT_SSLKEY => realpath('/certs/client.key.pem')
        ,CURLOPT_SSLCERTTYPE => 'PEM'
        ,CURLOPT_URL => $url_site
    );
    curl_setopt_array($mycurl, $options);
    $webresponse = curl_exec($mycurl);
    fclose($verbose);
    ?>
    <html>
    <head>
    <title></title>
    </head>
    <body>
    <p>error: <?php echo curl_error($mycurl); ?></p>
    <p>error no.: <?php echo curl_errno($mycurl); ?></p>
    <p>result: <?php echo $webresponse; ?></p>
    </body>
    </html>
Note: a previous iteration of the "proof of concept", without the use of a client certificate, worked beautifully. In that version, CURLOPT_VERIFYPEER and CURLOPT_VERIFYHOST were set to false, and the SSL... and CA... options were absent.
The returning page looks like this:
    error: ssl read: errno -12195
    error no.: 56
    result:
And the verbose file (curl_error_log) has this:
    * connect() internal.server.com port 443 (#0)
    * trying 111.222.333.444...
    * connected
    * connected internal.server.com (111.222.333.444) port 443 (#0)
    * initializing nss certpath: sql:/etc/pki/nssdb
    * cafile: /certs/server/certs.pem
      capath: /certs/server
    * ssl connection using tls_dhe_rsa_with_aes_128_cbc_sha
    * server certificate:
    * subject: cn=internal.server.com,ou=bi,o=abc corp,l=city,st=state,c=co
    * start date: apr 13 15:15:38 2015 gmt
    * expire date: apr 12 15:15:38 2016 gmt
    * common name: internal.server.com
    * issuer: cn=internal.server.com,ou=bi,o=abc corp,l=city,st=state,c=co
    > /api_test.php http/1.1
    host: internal.server.com
    accept: application/json
    * nss: client certificate file
    * subject: cn=internal.server.com,ou=bi,o=abc corp,l=city,st=state,c=co
    * start date: apr 13 15:26:48 2015 gmt
    * expire date: apr 12 15:26:48 2016 gmt
    * common name: internal.server.com
    * issuer: cn=internal.server.com,ou=bi,o=abc corp,l=city,st=state,c=co
    * ssl read: errno -12195
    * closing connection #0
Any ideas on what I'm doing wrong or missing? Why am I getting this error?
Edit: I tried playing with CURLOPT_SSLVERSION. First I set it to 3, and the error changed slightly. I still got the same verbose output, but towards the bottom, where it reads "ssl read: errno -12195", it became "ssl read: errno -12271".
Then I changed the version to 2, and it crashed earlier, giving me "nss error -12268" around line 6 of the verbose output.
Finally, when I tried 4 or 5, the verbose file was the same as above.
Thanks.
After posting the same question on the curl website, I got a few answers that gave me new ideas, which I tried and which solved the problem, so I decided to post them here, in case someone else has similar problems:
The first clue was the error codes (-12195, -12271, -12268). They gave me a URL that explains them:
http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
I went and regenerated the certificates, following a different recipe and using more specific parameters. I can't be sure this made a difference (the errors kept happening), but without doing this, I'm pretty sure the next step (the final one, which made the error disappear) would not work...
The final step (stupid as it is) was to use a different file format for the CA certificate file. Instead of PEM, use CRT. Once I changed that (without any other change), the error disappeared and the calls started to work.
I hope this helps someone out there...
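As an added example (not part of the original post, and not code from curl or NSS), the following Python sketch triages a curl/NSS verbose log like the one quoted in the question. It decodes the three NSS codes mentioned in this thread using the names from the NSS error reference linked above, and flags what the log shows about the client certificate. The sample log is a trimmed, constructed copy of the question's output, and the function names are hypothetical.

```python
import re

# Added example, hypothetical helper names. Codes and names per the NSS SSL error reference.
NSS_ERRORS = {
    -12195: ("SSL_ERROR_UNKNOWN_CA_ALERT",
             "peer does not recognize and trust the CA that issued your certificate"),
    -12271: ("SSL_ERROR_BAD_CERT_ALERT", "peer cannot verify your certificate"),
    -12268: ("SSL_ERROR_SSL_DISABLED", "cannot connect: SSL is disabled"),
}

# Constructed sample: a trimmed copy of the verbose output quoted in the question.
SAMPLE_LOG = """\
* server certificate:
* subject: cn=internal.server.com,ou=bi,o=abc corp,l=city,st=state,c=co
* issuer: cn=internal.server.com,ou=bi,o=abc corp,l=city,st=state,c=co
* nss: client certificate file
* subject: cn=internal.server.com,ou=bi,o=abc corp,l=city,st=state,c=co
* issuer: cn=internal.server.com,ou=bi,o=abc corp,l=city,st=state,c=co
* ssl read: errno -12195
"""

def parse_certs(log):
    """Collect subject/issuer for the 'server' and 'client' certificates in the log."""
    certs, current = {}, None
    for line in log.splitlines():
        text = line.lstrip("* ").strip().lower()
        if text.startswith("server certificate"):
            current = certs.setdefault("server", {})
        elif "client certificate" in text:
            current = certs.setdefault("client", {})
        elif current is not None:
            m = re.match(r"(subject|issuer):\s*(.+)", text)
            if m:
                current[m.group(1)] = m.group(2)
    return certs

def triage(log):
    """Return human-readable findings for one curl/NSS verbose log."""
    findings = []
    for code in sorted({int(c) for c in re.findall(r"(?:errno|nss error) (-\d+)", log, re.I)}):
        name, meaning = NSS_ERRORS.get(code, ("UNKNOWN", "not in the table above"))
        findings.append(f"{code} {name}: {meaning}")
    client, server = (parse_certs(log).get(k, {}) for k in ("client", "server"))
    subject = client.get("subject")
    if subject and subject == client.get("issuer"):
        findings.append("client certificate is self-signed: the server has to trust this exact certificate")
    if subject and subject == server.get("subject"):
        findings.append("client and server certificates carry the same subject")
    return findings
```

Calling `triage(SAMPLE_LOG)` returns three findings: the decoded -12195 alert, the self-signed client certificate, and the subject shared with the server certificate.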