
I have tried this upwards and backwards without any success. The national domain registry department has decided to change their entire system to EPP. Their documentation is very poor but to summarize:

  • Connection via TCP: epptest.ficora.fi port 700
  • To whitelist for firewall, add IP address and SSL certificate to user account on dashboard (done that)

The dashboard is a total mess. I cannot upload the same certificate to different users, I can't remove users etc. Anyhow, you are supposed to connect to that address and verify yourself using the same SSL certificate in the request (at least that's what I've understood) but I cannot get it to work. All my requests return:

Error 7: "Failed to connect to epptest.ficora.fi port 700: Timed out"

I've created a login XML based on the documentation which I send out in the POST request.

    ini_set('max_execution_time', 300);
    set_time_limit(0);

    // $content holds the login XML built from the documentation (defined earlier in the script)
    $curl = curl_init();

    curl_setopt($curl, CURLOPT_URL, 'epptest.ficora.fi');
    curl_setopt($curl, CURLOPT_PORT, 700);
    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $content);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);   // peer verification disabled for this test
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 0);   // 0 = wait indefinitely for the connection
    curl_setopt($curl, CURLOPT_TIMEOUT, 400);
    curl_setopt($curl, CURLOPT_SSLCERT, __DIR__ . '/certificate.crt');   // client certificate file

    $output = curl_exec($curl);
    echo 'Error ' . curl_errno($curl) . ': "' . curl_error($curl) . '"';
    curl_close($curl);

The certificate file can be found: I did a file_get_contents() test and it reads OK. This is a localhost test on a Windows computer.

Testing the same code on my own (live) server I get:

Error 56: "Recv failure: Connection reset by peer"

I don't know if this sounds stupid or not but does the request have to originate from a server, from an address, where the SSL certificate is in use?

I am at a complete loss with this as to why it doesn't work. Help, anyone?

EDIT

Here's the cURL verbose information:

    * About to connect() to epptest.ficora.fi port 700 (#0)
    * Trying <ip_address>
    * connected
    * Connected to epptest.ficora.fi (<ip address>) port 700 (#0)
    > POST / HTTP/1.1
    Host: epptest.ficora.fi:700
    Accept: */*
    Content-type: text/xml
    Content-length: 146

    * upload completely sent off: 146 out of 146 bytes
    * additional stuff not fine transfer.c:1037: 0 0
    * Recv failure: Connection reset by peer
    * Closing connection #0
Rcls

2 Answers


The answer in the end came to me through another Stack Overflow post. I actually didn't have the private key in the certificate, so what I had to do was create a new .pem file (just plain text in any editor) and paste the private key and certificate in it like so:

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The certificate is supposed to have the key in it. All I had was them separate. No one actually pointed this out.

HOWEVER! I was not able to make this work in cURL. The response I got was through a PHP EPP library that uses the stream_socket_client() function.

Rcls
  • You should be aware that the EPP protocol does not use HTTP, so probably CURL won't help much. It works using a custom protocol directly over TCP port 700. (Sorry, I could have mentioned this earlier.) – Kennu Aug 31 '16 at 18:46

I've seen two kinds of errors from epptest.ficora.fi:

  • Connection timeout indicates the IP address is not allowed to connect.

  • Connection reset by peer indicates the certificate is invalid.

This weekend all my connections failed with Connection reset by peer. Today (29.8.2016) it started working again, so this was probably a temporary issue. So far I have seen successful authentication with CAcert server certificates and Comodo FreeSSL certificates.

However, an IP address that I enabled two days ago is still blocked. It's possible that their automatic firewall updating every 8 hours is not working as documented and that you'll need to contact Ficora support (fi-domain-tech@ficora.fi) to open the IP.

Also, I don't believe curl supports EPP, so it's probably not useful in this case. (EPP is a custom protocol used over TCP port 700. It's not based on HTTP.)

Kennu
  • I've already contacted them and they are complete morons. I have actually been instructed to use a 'private certificate' to verify myself in CRT or PRM format, a term I was completely unfamiliar with until I confirmed that they meant PRIVATE KEY. Unfortunately, no EPP connection library I've checked uses a private key, but 'local_cert', which can only refer to the certificate file, and I don't understand how you can verify yourself with it. Do you have any input as to exactly WHAT files you are supposed to send? I've tried CURLOPT_SSLKEY to send the private key, with no luck. – Rcls Aug 30 '16 at 17:27
  • Oh and in their messages they said they had a configuration error throughout the entire weekend so your problem must be that. I however cannot verify myself in any way. If you have some input as to the files I'm supposed to pass, that'd be great! – Rcls Aug 30 '16 at 17:30
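Putting the two answers together (the accepted answer's combined key + certificate PEM passed as local_cert to stream_socket_client(), and Kennu's point that EPP is a raw protocol on TCP port 700 rather than HTTP), here is an added example that is not code from the question, the answers or any EPP library. It assumes the PEM file name client.pem; the 4-byte length prefix on each message is the EPP-over-TCP framing defined in RFC 5734.

```php
<?php
// Added example, not code from the question or answers. Connects to the page's EPP test host
// over TLS with one PEM holding key + certificate and speaks EPP's 4-byte length framing (RFC 5734).
function eppConnect(string $host, int $port, string $pemFile, int $timeout = 30)
{
    $ctx = stream_context_create(['ssl' => [
        'local_cert'       => $pemFile, // key + cert in one file (the accepted answer's fix)
        // 'local_pk'      => '/path/to/key.pem', // PHP 5.6+: key in a separate file instead
        'verify_peer'      => true,     // keep server certificate verification on
        'verify_peer_name' => true,
    ]]);
    $sock = stream_socket_client("tls://{$host}:{$port}", $errno, $errstr,
                                 $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // Timeout here matches the "IP not whitelisted" case in Kennu's answer;
        // a reset during the handshake matches the "certificate invalid" case.
        throw new RuntimeException("connect failed ({$errno}): {$errstr}");
    }
    stream_set_timeout($sock, $timeout);
    return $sock;
}
// Read exactly $n bytes or fail: TLS streams routinely return short reads.
function readExact($sock, int $n): string
{
    $buf = '';
    while (strlen($buf) < $n) {
        $chunk = fread($sock, $n - strlen($buf));
        if ($chunk === false || $chunk === '') {
            throw new RuntimeException('connection closed mid-frame');
        }
        $buf .= $chunk;
    }
    return $buf;
}
// One EPP frame = 4-byte big-endian length (which counts the 4 header bytes) + XML.
function eppReadFrame($sock): string
{
    $len = unpack('N', readExact($sock, 4))[1];
    if ($len < 4 || $len > 1048576) {          // sanity cap before allocating
        throw new RuntimeException("implausible EPP frame length {$len}");
    }
    return readExact($sock, $len - 4);
}
function eppWriteFrame($sock, string $xml): void
{
    fwrite($sock, pack('N', strlen($xml) + 4) . $xml);
}
$sock = eppConnect('epptest.ficora.fi', 700, __DIR__ . '/client.pem');
echo eppReadFrame($sock), "\n"; // the server's <greeting>; then eppWriteFrame($sock, $loginXml)
fclose($sock);
```

The server sends its <greeting> frame as soon as the TLS session is up, so seeing it confirms that both the IP whitelist and the client certificate were accepted before any <login> XML is sent.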