2

Statement: At the beginning I would like to state, that I'm well aware (and want to inform others) that this is not the proper way of doing things. If soultion is found, use it as last resort.

My problem is Weak Algorithm. And can't find a way to skip checks.
Company which exposes me endpoint states it is secure and they're not going to upgrade SSL Certificate. I know it's insecure, but can't do anything and must obey their decision.

Error i get file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
and file_get_contents(): Failed to enable crypto in...

My code is:

$context = stream_context_create([
    'http' => [
        'timeout' => 5,
    ],
    'ssl' => [
        // set some SSL/TLS specific options
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    ]
]);
var_dump(file_get_contents($wsdl, false, $context));

In browser i ge SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY and information about weak Diffie Hellman key.

I'm looking for a way to disable this check.

Most preferably via streamContext which I can use in SoapClient

Grzegorz
  • 3,538
  • 4
  • 29
  • 47
  • 2
    instead of `file_get_contents` use curl(), it has a flag for ignoring ssl issues –  Jan 31 '18 at 20:28
  • Dunno but check https://stackoverflow.com/questions/30701397/ssl-operation-failed-with-code-1-dh-key-too-small – AbraCadaver Jan 31 '18 at 20:29
  • @rtfm first curl does not work with `soapClient` as far as I'm aware. Can't do. Secondly, curl allows to ignore peer and server checks, but not weak algorithm checks – Grzegorz Jan 31 '18 at 20:34
  • I think the flags that curl offers are just the same verify_peer flags being used here. I believe the issue here is that your system is newer than theirs, and is refusing to use what it now knows to be an insecure technique. To get around it, you'd probably need to downgrade your openssl library to an outdated version. – Alex Howansky Jan 31 '18 at 20:34
  • @AbraCadaver Seen that post. From it I know i have to disable algorithm checks. But couldn't find how – Grzegorz Jan 31 '18 at 20:36
  • @AlexHowansky I was afraid of it... – Grzegorz Jan 31 '18 at 20:37
  • Note -- I do **not** suggest actually downgrading. I hope you can use this position as a bargaining chip to indicate to your supervisor that it's unreasonable for you to work with this client. "But boss, in order to hit their API, we'd need to intentionally cripple the security on our own system..." :) – Alex Howansky Jan 31 '18 at 20:40
  • If something is this out of date with its encryption algos, chances are it's also available under http? – apokryfos Jan 31 '18 at 20:47
  • @apokryfos Ha ha ha sad but true. – Alex Howansky Jan 31 '18 at 20:52
  • It's Intranet system with 1 exposed port. Currently writing email explaining that mozilla and other standard-creating companies removed this algorithm from support. And that it is not much more secure than plain http (Hey boss, let's disable SSL, it only wastes resoruces in state it is in now... hope that will) Main problem is, it is other company serving them SASS service written in .net or something and using SOAP instead of REST/json... I'm so mad tbh... – Grzegorz Jan 31 '18 at 21:20
  • It's worth pointing out that this message has nothing at all to do with the SSL certificate. It is about the ephemeral DH key that the server has offered to use. I don't know PHP but a solution might be to use only pure RSA ciphersuites, assuming the client offers one. – President James K. Polk Feb 03 '18 at 22:34
  • I realized it yesterday when they did not change certificate, but rather than that (i think) updated SSL/TLS libraries. – Grzegorz Feb 05 '18 at 01:26

1 Answers1

1

You need disable Diffie Hellman validation:

$context = stream_context_create(array(
    'ssl' => array(
        'ciphers' => 'DEFAULT:!DH',
...

If need disable the validation of the certificate you need:

$context = stream_context_create(array(
    'ssl' => array(
        'ciphers'           => 'DEFAULT:!DH',
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true
    )
);
e-info128
  • 3,727
  • 10
  • 40
  • 57