Bug #75565 Certificate verification fails
Submitted: 2017-11-23 20:27 UTC
Modified: 2018-01-09 23:40 UTC
From: nkiwga at gmail dot com
Assigned:
Status: Not a bug
Package: OpenSSL related
PHP Version: 7.1.11
OS: Windows
Private report: No
CVE-ID: None
 [2017-11-23 20:27 UTC] nkiwga at gmail dot com
Description:
------------
Certificate verification is failing for me now, on Windows 10 version 1709.

As I understand it, PHP should automatically use the operating system's root certificates, and it used to do so; however, now it is failing.

I can mitigate the issue by specifying openssl.cafile in php.ini with a certificate bundle I found on the internet, but this never used to be necessary.

Test script:
---------------
file_get_contents('https://www.google.com/');

Actual result:
--------------
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in Command line code on line 1

Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in Command line code on line 1
PHP Warning:  file_get_contents(): Failed to enable crypto in Command line code on line 1

Warning: file_get_contents(): Failed to enable crypto in Command line code on line 1
PHP Warning:  file_get_contents(https://www.google.com/): failed to open stream: operation failed in Command line code on line 1

Warning: file_get_contents(https://www.google.com/): failed to open stream: operation failed in Command line code on line 1

 [2017-11-23 20:35 UTC] nkiwga at gmail dot com
I should add, this is using PHP 7.1.11 (cli).
 [2017-11-28 19:41 UTC] ab@php.net
-Status: Open +Status: Not a bug
 [2017-11-28 19:41 UTC] ab@php.net
Thanks for the report. There's not much that can be done on the PHP side. The certificate store is updated automatically from some central place, that's why, e.g., self-signed certs also sometimes got deleted besides they're imported manually. I've checked on several machines and some of them reproduced this, some didn't. So in the end it looks like there's still some propagation phase, for whatever reason the certificates have changed, etc.

Thanks.
 [2018-01-09 23:23 UTC] nkiwga at gmail dot com
I have some further information.

https://www.google.co.uk/ loads in Google Chrome without any certificate warning.

file_get_contents('https://www.google.co.uk/') fails with a certificate warning.

openssl is suggesting this certificate chain:

Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

"Equifax Secure Certificate Authority" is a revoked certificate in Windows.

The odd thing here is that Chrome ceases traversing the chain at "GeoTrust Global CA", whereas (perhaps) PHP is traversing the root all the way to "Equifax Secure Certificate Authority", which will fail due to the revocation. 

Could this be what's happening here? And if so is PHP/openssl correct in traversing the root to "Equifax Secure Certificate Authority" instead of stopping at "GeoTrust Global CA"?
 [2018-01-09 23:40 UTC] nkiwga at gmail dot com
The bug I described sounds identical to this: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1565293

Which is curious because it says that bug is fixed in recent versions of OpenSSL. But the issue as described there seems to be exactly what I'm seeing in PHP now.
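
A diagnostic sketch for the situation discussed in this thread, added here as an example and not code from the report or from PHP itself: it checks verification with the default trust settings and with an explicit `cafile`, then lists the chain the server sends in the same s:/i: layout as the openssl output above. The `cacert.pem` path and the function names `tryVerified` and `serverChain` are assumptions.

```php
<?php
// Added diagnostic example; the host is from the report, the bundle path is assumed.
function tryVerified(string $host, array $sslOpts = []): array
{
    $ctx = stream_context_create(['ssl' => $sslOpts + [
        'verify_peer' => true, 'verify_peer_name' => true, 'peer_name' => $host,
    ]]);
    $err = [];
    set_error_handler(function ($no, $msg) use (&$err) { $err[] = $msg; return true; });
    $s = stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($s) { fclose($s); }
    return [(bool) $s, implode("\n", $err)];   // [handshake verified?, OpenSSL warnings]
}
function serverChain(string $host): array
{
    // Inspection-only handshake: checks are off so the chain can be read even when
    // verification would fail; the socket is closed without sending any data.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => false, 'verify_peer_name' => false,
        'capture_peer_cert_chain' => true, 'peer_name' => $host,
    ]]);
    $s = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if (!$s) { return []; }
    $chain = stream_context_get_params($s)['options']['ssl']['peer_certificate_chain'] ?? [];
    fclose($s);
    $dn = function (array $parts) {            // render a DN array as /C=US/O=... text
        $out = '';
        foreach ($parts as $k => $v) { foreach ((array) $v as $x) { $out .= "/$k=$x"; } }
        return $out;
    };
    return array_map(function ($cert) use ($dn) {
        $c = openssl_x509_parse($cert);
        return ['s' => $dn($c['subject']), 'i' => $dn($c['issuer']), 'to' => date('Y-m-d', $c['validTo_time_t'])];
    }, $chain);
}

$host = 'www.google.com';
$bundle = __DIR__ . '/cacert.pem';             // assumed location of a CA bundle you trust
print_r(openssl_get_cert_locations());         // shows ini_cafile / ini_capath and build defaults
$runs = ['default trust settings' => []];
if (is_file($bundle)) { $runs["cafile=$bundle"] = ['cafile' => $bundle]; }
foreach ($runs as $label => $opts) {
    [$ok, $err] = tryVerified($host, $opts);
    echo $label, ': ', $ok ? 'verified' : "FAILED\n$err", "\n";
}
foreach (serverChain($host) as $i => $c) {
    printf("%2d s:%s\n   i:%s (expires %s)\n", $i, $c['s'], $c['i'], $c['to']);
}
```

If the default run fails while the `cafile` run verifies, the difference lies in the trust roots PHP was given, not in the chain the server sent.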
 