RE: OpenSSL Problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Richard,

Actually, if you leave the code exactly as-is, but change the
openssl_csr_sign function to create a self-signed certificate, the
entire script executes perfectly.  I know there is a lot of error
checking needed - I'm just making a "test" script to get a feel for how
OpenSSL operates in PHP.  The certificate and key files are mode 444
(readable by everyone) as they are just "test" certificates right now.
I have a valid openssl.cnf file (in /etc/ssl/openssl.cnf, which is
what's complied into OpenSSL) and I use that configuration file that I
use with some shell scripts to do everything that I want to do in PHP,
so I'm sure it's a valid openssl.cnf file.

Does PHP restrict access to /etc/ssl for the OpenSSL library if I have
open_basedir set?  Perhaps I need to make an openssl.cnf in the
/usr/home/ws1086 (which is the open_basedir path) so that it's readable?
I would think that the library would have access to the whole system
since it's not really part of PHP, but maybe I'm wrong.

Either way, it's not complaining about access to openssl.cnf, it's
complaining about access to the certificate, so let's take it one step
at a time.  :)

Tim Gustafson
MEI Technology Consulting, Inc
tjg@xxxxxxxxxxx
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/ 




-----Original Message-----
From: Richard Lynch [mailto:ceo@xxxxxxxxx]
Sent: Thursday, January 06, 2005 11:24 AM
To: Gustafson, Tim
Cc: php-general@xxxxxxxxxxxxx
Subject: Re:  OpenSSL Problem


Gustafson, Tim wrote:
> I am trying to use the OpenSSL module for PHP on a FreeBSD 4.10
server.
> I have CVS'd everything, so I have the most current version of the
> FreeBSD port.
>
> I have attached the PHP file that I'm running.  Here's the error
message
> I get:
>
> openssl_csr_sign(): cannot get cert from parameter 2
>
> The file that is being referenced is a valid certificate, encoded in
> base-64 format and the path is correct, and OpenSSL is able to sign
> using this certificate and the corresponding key if I run it directly
> from the command line.  I have also attached the certificate.  What am
I
> missing?

You are missing error checking on the openssl_pkey_new() and
openssl_csr_new() function calls.

You don't even know for sure that you have a valid PKEY nor that you
have
a valid CSR resource.

And, of course, you should have some error-checking on the return value
from openssl_csr_sign() to see if it worked.

Odds are really good that if you add all that error-checking, and the
code
needed to find out what error occurred --
http://php.net/openssl_error_string -- you'll find out that the OpenSSL
software and PHP have conpsired to tell you *exactly* what is going
wrong.
:-)

My first Wild Guess would be that your PHP user doesn't have permission
to
read your .crt and .key files, or that you don't have a PHP-readable
valid
openssl.cnf file.

If all else fails, despite the examples in the manual, you may want to
try
to get rid of the 'file://' parts of your file names.  But maybe you
need
those for some arcane OpenSSL reason beyond my ken. [shrug]

-- 
Like Music?
http://l-i-e.com/artists.htm

Attachment: smime.p7s
Description: S/MIME cryptographic signature


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux