4

I am attempting to create a server and client using PHP Sockets with SSL / TLS. However, when sending data to the server, I receive the following error:

PHP Warning: stream_socket_accept(): SSL_R_NO_SHARED_CIPHER: no suitable shared cipher could be used. This could be because the server is missing an SSL certificate (local_cert context option) in server.php on line 32

I've looked at other examples and tried various changes to no avail. Any help could be much appreciated.

client.php

<?php

$host = '192.168.10.10';
$port = 8080;
$timeout = 30;
$cert = 'assets/cert.pem';

$context = stream_context_create(
    [ 'ssl'=> [ 'local_cert'=> $cert, "crypto_method" => STREAM_CRYPTO_METHOD_TLS_CLIENT ] ]
);

stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
stream_context_set_option($context, 'ssl', 'verify_peer', false);
stream_context_set_option($context, 'ssl', 'verify_peer_name', false);

if ($socket = stream_socket_client( 'tls://'.$host.':'.$port, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context) ) {
    $meta = stream_get_meta_data($socket);

    print_r( $meta );

    fwrite($socket, "Hello, World!\n");
    echo stream_socket_recvfrom($socket,8192);
    fclose($socket);
} else {
   echo "ERROR: $errno - $errstr\n";
}

server.php

<?php

// Set the ip and port we will listen on
$address = '192.168.10.10';
$port = 8080;

$cert = 'assets/cert.pem';

$context = stream_context_create();

stream_context_set_option($context, 'ssl', 'local_cert', $cert);
stream_context_set_option($context, 'ssl', 'crypto_method', STREAM_CRYPTO_METHOD_TLS_SERVER);

stream_context_set_option($context, 'ssl', 'allow_self_signed', true);
stream_context_set_option($context, 'ssl', 'verify_peer', false);
stream_context_set_option($context, 'ssl', 'verify_peer_name', false);

$server = stream_socket_server('tls://'.$address.':'.$port, $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);

// Display server start time
echo "PHP Socket Server started at " . $address . " " . $port . ", at ". date( 'Y-m-d H:i:s' ) ."\n";

// loop and listen
while (true) {
    /* Accept incoming requests and handle them as child processes */
    $client = stream_socket_accept($server);

    $ip = stream_socket_get_name( $client, true );

    echo "New connection from " . $ip;

    stream_set_blocking($client, true); // block the connection until SSL is done
    stream_socket_enable_crypto($client, true, STREAM_CRYPTO_METHOD_TLS_SERVER);

    // Read the input from the client – 1024 bytes
    $input = fread($client, 1024);

    // unblock connection
    stream_set_blocking($client, false);

    // Strip all white spaces from input
    $output = preg_replace("[ \t\n\r]", "", $input) . "\0";

    $new = $input;

    // Display Date, IP and Msg received
    echo date( 'Y-m-d H:i:s' ) . " | " . $ip . ": \033[0;32m" . $input . "\033[0m" . PHP_EOL;

    fclose($client);
}

// Close the master sockets
socket_close($sock);
Niraj Shah
  • 15,087
  • 3
  • 41
  • 60
  • I carefully know nothing about SSL servers in PHP, but surely you need to set a private key option somewhere? – user207421 May 31 '17 at 23:14
  • The `cert.pem` contains both the private key and certificate (as `local_cert`), as per the PHP documentation. – Niraj Shah Jun 01 '17 at 10:03
  • Not according to the error message, and you haven't actually *told* it the key is in there. – user207421 Jun 04 '17 at 23:35
  • If the private key wasn't set, the error would be "Unable to set private key file". Since the pem has both included, this error is not displayed, – Niraj Shah Jun 06 '17 at 20:54
  • As I said, I carefully know nothing about SSL in PHP, but this is one of the symptoms of the server not having a private key. – user207421 Jun 09 '17 at 11:43
  • That message is saying that during the handshake between the client and the server they don't get to an agreement on the cipher suite to use (how the channel will be encrypted). One reason is that the client is requiring more secure cipher than the server has or the server is enforcing a more secure cipher that the client support. – Juan Jun 11 '17 at 16:27
  • See this question to check the cipher suits the server supports: https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers – Juan Jun 11 '17 at 16:32
  • And this one which seems related to your problem: https://stackoverflow.com/questions/16547163/how-to-force-a-certain-tls-version-in-a-php-stream-context-for-the-ssl-transp – Juan Jun 11 '17 at 16:38

3 Answers3

3

It turns out that the issue was related to OpenSSL and the transport streams available. The issue was resolved by:

  • Updating OpenSSL to the latest version (1.0.2k, to support TLS v1.2)
  • Recompiling PHP to enable tlsv1.2 transport stream

  • Updating the code to use tlsv1.2:// as the protocol on both the server and the client, e.g.

    $server = stream_socket_server('tlsv1.2://'.$address.':'.$port, $errno, 
  $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context);

    and 

    $socket = stream_socket_client( 'tlsv1.2://'.$host.':'.$port, $errno,
  $errstr, 30, STREAM_CLIENT_CONNECT, $context)

Once the transport stream was updated to TLSv1.2, there was no need for the cipher option, and the scripts successfully negotiated a TLS connection.

Niraj Shah
  • 15,087
  • 3
  • 41
  • 60
1

I experienced similar problems. However my certificate and private key were in seperate files. According to the PHP documentation you should be able to load the private key seperately:

stream_context_set_option($context, 'ssl', 'local_cert', '/etc/apache2/ssl/public_crt.cert');
stream_context_set_option($context, 'ssl', 'local_pk', '/etc/apache2/ssl/private_key.pem');

Turns out this did not work for me resulting in the same error message in the original post. Combining the certificate and key in one file did the trick:

cat public_crt.cert private_key.pem > combined_cert.pem

And setting the new combo cert in PHP, made the thing work:

stream_context_set_option($context, 'ssl', 'local_cert', '/etc/apache2/ssl/combined_cert.pem');
Guruniverse
  • 196
  • 2
  • 6
-1

PHP has pathetic problems with SSL. At worse they are OS dependent, most fixes are for REHL. I am supplying you sample full code and other guides. They will possibly help you. To avoid those errors, this library is commonly used. That is not always practical.

Line 32 should be this :

stream_set_blocking($client, true); // block the connection until SSL is done

Here is stream blocking doc on PHP manual, also read this. Here is a good guide on using SSL with PHP, here is example of client-server. Cipher can be added in this fashion :

$context = stream_context_create(
    [
        'ssl' => [
            'ciphers' => 'DHE-RSA-AES256-SHA:LONG-CIPHER',
        ],
    ]
);
Abhishek Ghosh
  • 1,161
  • 9
  • 19