1. 技术文章
  2. PHP Sockets with SSL / TLS - no suitable shared cipher could be used

PHP Sockets with SSL / TLS - no suitable shared cipher could be used

半世苍凉 提交于 2019-12-07 16:59:16

问题


I am attempting to create a server and client using PHP Sockets with SSL / TLS. However, when sending data to the server, I receive the following error:

PHP Warning: stream_socket_accept(): SSL_R_NO_SHARED_CIPHER: no suitable shared cipher could be used. This could be because the server is missing an SSL certificate (local_cert context option) in server.php on line 32

I've looked at other examples and tried various changes to no avail. Any help could be much appreciated.

client.php

<?php

$host = '192.168.10.10';
$port = 8080;
$timeout = 30;
$cert = 'assets/cert.pem';

$context = stream_context_create(
    [ 'ssl'=> [ 'local_cert'=> $cert, "crypto_method" => STREAM_CRYPTO_METHOD_TLS_CLIENT ] ]
);

stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
stream_context_set_option($context, 'ssl', 'verify_peer', false);
stream_context_set_option($context, 'ssl', 'verify_peer_name', false);

if ($socket = stream_socket_client( 'tls://'.$host.':'.$port, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context) ) {
    $meta = stream_get_meta_data($socket);

    print_r( $meta );

    fwrite($socket, "Hello, World!\n");
    echo stream_socket_recvfrom($socket,8192);
    fclose($socket);
} else {
   echo "ERROR: $errno - $errstr\n";
}

server.php

<?php

// Set the ip and port we will listen on
$address = '192.168.10.10';
$port = 8080;

$cert = 'assets/cert.pem';

$context = stream_context_create();

stream_context_set_option($context, 'ssl', 'local_cert', $cert);
stream_context_set_option($context, 'ssl', 'crypto_method', STREAM_CRYPTO_METHOD_TLS_SERVER);

stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
stream_context_set_option($context, 'ssl', 'verify_peer', false);
stream_context_set_option($context, 'ssl', 'verify_peer_name', false);

$server = stream_socket_server('tls://'.$address.':'.$port, $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);

// Display server start time
echo "PHP Socket Server started at " . $address . " " . $port . ", at ". date( 'Y-m-d H:i:s' ) ."\n";

// loop and listen
while (true) {
    /* Accept incoming requests and handle them as child processes */
    $client = stream_socket_accept($server);

    $ip = stream_socket_get_name( $client, true );

    echo "New connection from " . $ip;

    stream_set_blocking($client, true); // block the connection until SSL is done
    stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_SERVER);

    // Read the input from the client – 1024 bytes
    $input = fread($client, 1024);

    // unblock connection
    stream_set_blocking($client, false);

    // Strip all white spaces from input
    $output = preg_replace("[ \t\n\r]", "", $input) . "\0";

    $new = $input;

    // Display Date, IP and Msg received
    echo date( 'Y-m-d H:i:s' ) . " | " . $ip . ": \033[0;32m" . $input . "\033[0m" . PHP_EOL;

    fclose($client);
}

// Close the master sockets
socket_close($sock);

回答1:


It turns out that the issue was related to OpenSSL and the transport streams available. The issue was resolved by:

  • Updating OpenSSL to the latest version (1.0.2k, to support TLS v1.2)
  • Recompiling PHP to enable tlsv1.2 transport stream

  • Updating the code to use tlsv1.2:// as the protocol on both the server and the client, e.g.

    $server = stream_socket_server('tlsv1.2://'.$address.':'.$port, $errno, 
  $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);

    and 

    $socket = stream_socket_client( 'tlsv1.2://'.$host.':'.$port, $errno,
  $errstr, 30, STREAM_CLIENT_CONNECT, $context)

Once the transport stream was updated to TLSv1.2, there was no need for the cipher option, and the scripts successfully negotiated a TLS connection.




回答2:


I experienced similar problems. However my certificate and private key were in seperate files. According to the PHP documentation you should be able to load the private key seperately:

stream_context_set_option($context, 'ssl', 'local_cert', '/etc/apache2/ssl/public_crt.cert');
stream_context_set_option($context, 'ssl', 'local_pk', '/etc/apache2/ssl/private_key.pem');

Turns out this did not work for me resulting in the same error message in the original post. Combining the certificate and key in one file did the trick:

cat public_crt.cert private_key.pem > combined_cert.pem

And setting the new combo cert in PHP, made the thing work:

stream_context_set_option($context, 'ssl', 'local_cert', '/etc/apache2/ssl/combined_cert.pem');



回答3:


PHP has pathetic problems with SSL. At worse they are OS dependent, most fixes are for REHL. I am supplying you sample full code and other guides. They will possibly help you. To avoid those errors, this library is commonly used. That is not always practical.

Line 32 should be this :

stream_set_blocking($client, true); // block the connection until SSL is done

Here is stream blocking doc on PHP manual, also read this. Here is a good guide on using SSL with PHP, here is example of client-server. Cipher can be added in this fashion :

$context = stream_context_create(
    [
        'ssl' => [
            'ciphers' => 'DHE-RSA-AES256-SHA:LONG-CIPHER',
        ],
    ]
);


来源:https://stackoverflow.com/questions/44295193/php-sockets-with-ssl-tls-no-suitable-shared-cipher-could-be-used

标签
ssl
client-server
php-7
tls1.2
php-socket
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!