Unable to disable CA Cert verification

Question

I'm cleaning up my previous post a bit to hopefully provide some more useful information.

So I have a piece of code that pulls from a secured website using POST. I have spoken to the person who runs that host site and he said their CA cert does not cover subdomains. So, the reason my site cannot resolve the cert is because it is looking for bbs.hitechcreations.com while the cert only covers hitechcreations.com, according to him.

Therefore, I am forced to disable the verification of SSL (which is not a problem, there is no sensitive data being passed). However, no matter what I try, I can't seem to get it to disable.

PHP Error reporting kicks back the following:

Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /home4/ahevent2/public_html/components/com_jumi/views/application/view.html.php(85) : eval()'d code on line 39

Warning: file_get_contents(): Failed to enable crypto in /home4/ahevent2/public_html/components/com_jumi/views/application/view.html.php(85) : eval()'d code on line 39

Warning: file_get_contents(https://bbs.hitechcreations.com/cms/cmlogs.php): failed to open stream: operation failed in /home4/ahevent2/public_html/components/com_jumi/views/application/view.html.php(85) : eval()'d code on line 39
bool(false)

Below is my current section of code

<?php

require_once("/home4/ahevent2/public_html/jumi_src/event_logs/admin_functions.php");


if (isset($_POST["username"]) && !empty($_POST["password"]) && !isset($_POST["event_type"]))
{
$username = $_POST["username"];
$password  = $_POST["password"];
  $url = "https://bbs.hitechcreations.com/cms/cmlogs.php";
  $f1 = 'loginid'; // Name of field1(ON THE WEBSITE YOU'RE TRYING TO LOGIN ON!)
  $f2 = 'password'; // Name of field2(ON THE WEBSITE YOU'RE TRYING TO LOGIN ON!)
  $v1 = $username; // Value of field1(FROM THE WEBSITE YOU'RE TRYING TO LOGIN FROM!)
  $v2 = $password; // Value of field2(FROM THE WEBSITE YOU'RE TRYING TO LOGIN FROM!)
  //$find = 'Welcome to your account'; // String to search for in the page you've logged in on
  $postchars = http_build_query( array($f1 => $v1, $f2 => $v2) );

  $stream = stream_context_create( array('http' => array('method' => 'POST', 'header'  => 'Content-Type: application/x-www-form-urlencoded', 'content' =>  htmlspecialchars_decode( $postchars ) ) ) ); // Creates an array of the sourcecode, and inputs the values of the field1 and field2
  $arrContextOptions=array(
      "ssl"=>array(
          "verify_peer"=>false,
          "verify_peer_name"=>false,
      ),
  );  

 $fh = file_get_contents($url, false, $stream);  //for troubleshooting.
var_dump($fh);
//REALLY NEEDS A HANDLER FOR WHEN $FH DOESN"T COME BACK FOR SOME REASON.


//printf("Login wasn't completed. No file was retreived. Please check your password at the htc CM login page to verify that it's good. If it is there is a systme issue. Please let Nefarious know.");


 //FOR TROUBLESHOOTING
//  printf("<textarea rows='100' cols='100'>");
//  printf($fh);
//  printf("</textarea>");



//getting the dropdown box returned from THC to select a scenario to upload
        $a = strpos($fh, "<select name"); 
        $b = strpos($fh, "</SELECT>");     
        $c = strlen($fh) - $b;  
        $e = substr($fh, $a, -$c);

I also have the following at the bottom of my php.ini file:

extension=php_openssl.dll
allow_url_fopen = On
CURLOPT_SSL_VERIFYPEER=FALSE

Is there anything else I need to do or change in order to turn off cert verification? Nothing I've done has seemed to work thus far.

`file_get_contents` is not curl - however, I'd recommend to use curl as stated here: https://stackoverflow.com/a/12446906/4934937 — maio290, Sep 19 '18 at 14:35
@maio290 thanks for this...in which file would I place that code? And in any particular spot? — Rob Irvin, Sep 19 '18 at 14:44
You can actually put it in the file you posted here (*I'd place it under the require_once...*), or create a new file named `curl.php` and include this via `require_once("curl.php")` if you want to use it in other PHP files as well. — maio290, Sep 19 '18 at 14:46
It looks like you never use `$arrContextOptions`, which contains the option `"verify_peer"=>false` — Karsten Koop, Sep 19 '18 at 14:52
@maio290 Alrighty I've placed it there and updated, but I still get SSL errors (I updated my OP to show the errors). :( — Rob Irvin, Sep 19 '18 at 14:54
@KarstenKoop if I put `$response = file_get_contents($url, false, stream_context_create($arrContextOptions));` at the end of it, the result on the page is NULL, if I do `$fh = file_get_contents($url, false, stream_context_create($arrContextOptions));`, it pulls the whole host page but that doesn't work either. — Rob Irvin, Sep 19 '18 at 15:08
... I just saw that you POST content in there. Ignore my comment with the curl solution, I'll post an answer. — maio290, Sep 19 '18 at 15:17

maio290 · Answer 1 · 2018-09-19T15:55:45.960

So here would be my approach using curl:

Filename: cURL.php

<?PHP
function POST($url,$data,$headers, $type)
{
    $ch = curl_init ($url);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt ($ch, CURLOPT_POST, 1);

    if($type === 1)
    {
        curl_setopt($ch,CURLOPT_POSTFIELDS, http_build_query($data));
    }
    else
    {
        curl_setopt($ch,CURLOPT_POSTFIELDS, $data);
    }

    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLINFO_HEADER_OUT, true);
    $output = curl_exec ($ch);
    $posturl = curl_getinfo($ch,CURLINFO_EFFECTIVE_URL);
    $httpCode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
    $cURLinfo = curl_getinfo($ch);
    curl_close($ch);
    return array(
        "output" => $output,
        "posturl" => $posturl,
        "httpcode" => $httpCode,
        "diagnostics" => $cURLinfo
    );
}
?>

Filename: test.php (or: how to use it)

<?PHP
    require_once("cURL.php");
    $url = "https://bbs.hitechcreations.com/cms/cmlogs.php";
    $content = array(
        "loginid" => "test",
        "password" => "test"
    );
    $headers = array("Content-Type:application/x-www-form-urlencoded");
    var_dump(POST($url,$content,$headers,1));
?>

You can access the output like

$postResponse = POST($url,$content,$headers,1)
$postResponse['output']

This approach however does store some additional information about the request, like the curl info into the diagnostics key and so one, this is an excerpt of a small request tester I've once written, hopefully you can make good use of it :)

So the proper use in your code would be:

require_once("/home4/ahevent2/public_html/jumi_src/event_logs/admin_functions.php");
require_once("cURL.php");

if (isset($_POST["username"]) && !empty($_POST["password"]) && !isset($_POST["event_type"]))
{
    $username = $_POST["username"];
    $password  = $_POST["password"];
    $url = "https://bbs.hitechcreations.com/cms/cmlogs.php";  
    $postchars = array(
            "loginid" => $username,
            "password" => $password
        );
    $headers = array("Content-Type:application/x-www-form-urlencoded");
    $postResponse = POST($url,$postchars ,$headers,1);
    $fh = $postResponse['output'];

//getting the dropdown box returned from THC to select a scenario to upload
        $a = strpos($fh, "<select name"); 
        $b = strpos($fh, "</SELECT>");     
        $c = strlen($fh) - $b;  
        $e = substr($fh, $a, -$c);

I've created the curl.php file and put the test.php script into a Jumi page, and when I input my user/pass I get this: https://i.imgur.com/nlvbJwp.png So it is actually getting into the secure site fine, but when I add the require_once portion to the NON test page, I still get the SSL error. For an example of what *should* be happening, on this image: https://i.imgur.com/XnSnTeo.png It should be pulling the drop down from Image 1, if that makes sense, and placing it where the blue box is. I apologize, I am not much on the up and up with this coding stuff... — Rob Irvin, Sep 19 '18 at 15:48
Yeah, that's the site you actually see after you logged in, isn't it? You may just want to assign the output to your fh variable and you should be done, that means the request should have worked :) — maio290, Sep 19 '18 at 15:51
Well...yes and no, it is not necessarily that I want to see the whole site, but it is supposed to pull the one dropdown from that site. That code where it is supposed to print it is here: `printf("Which log to use? "); printf("
"); printf($e); printf(""); printf("
");` perhaps I need to change something there? — Rob Irvin, Sep 19 '18 at 16:00
I tried the edited code, and some progress is made (see: https://i.imgur.com/EzPpffz.png ). So the rest of my code is designed to take all of those check boxes and automatically parse the data based on criteria. So the user logs in, selects from the dropdown, inputs the rest of the info, and the script does the rest. Of course, if I select upload, the next page gives me another whole slew of SSL errors :) Would it be easier if you saw the base script in it's entirety? — Rob Irvin, Sep 19 '18 at 16:15
I've still been poking around at this but I haven't been able to get any different result. I guess my question is, the code you provided works...but how can I get it to JUST pull that dropdown rather than the entire page? Thanks again, I do appreciate your time and effort... — Rob Irvin, Sep 21 '18 at 12:58
I'd suggest you open another question for this topic and provide the full HTML page, the faulty output and the desired output there. This is nothing for this question or the comment section (since it wasn't made to discuss such things) — maio290, Sep 21 '18 at 14:49
Done, hopefully I worded it better in the new post, thank you for your assistance again!! — Rob Irvin, Sep 21 '18 at 16:15

Unable to disable CA Cert verification

1 Answers1