
I'm facing an issue while trying to establish an SSL/TLS connection using PHP's stream_socket_client() function. I've followed the standard procedure for setting up a secure connection and have verified that my certificate and CA files (suez.pem and eko.pem) are properly formatted and accessible. However, I keep getting the following OpenSSL error:

```
OpenSSL Error: error: 140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Exception caught: stream_socket_client(): Unable to set local cert chain file `/path/to/file/fileName.pem'; Check that your cafile/capath settings include details of your certificate and its issuer
```

I've gone through the troubleshooting steps suggested by the OpenSSL documentation and the advice provided in this Stack Overflow thread. Despite that, I'm still unable to resolve the issue.

Here's an overview of my setup:

I'm using PHP's stream_socket_client() function to create a secure socket connection. I've set up the context options for SSL, including the paths to the certificate and key files. I've verified the content and formatting of both certificate and key files. I'm allowing self-signed certificates ('allow_self_signed' => true), and peer verification is enabled. Here's a simplified version of my code:

```php
private function createSocketConnection($host, $port)
{
    $contextOptions = [
        'ssl' => [
            // PEM file holding the client certificate and its private key
            'local_cert' => '/filepath/localCert.pem',
            // PHP's option name is 'cafile' (not 'ca_file'); an unknown key is silently ignored
            'cafile' => '/filepath/serverCert.pem',
            'verify_peer' => true,
            'verify_peer_name' => true,
            'allow_self_signed' => true
        ],
    ];

    try {
        $context = stream_context_create($contextOptions);

        // Drain any OpenSSL errors queued before the connect attempt
        while ($msg = openssl_error_string()) {
            echo "OpenSSL Error: $msg\n";
        }

        // Create a TCP/IP socket connection wrapped in TLS
        $socket = stream_socket_client("ssl://$host:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);

        if ($socket === false) {
            throw new Exception("Failed to create socket: [$errno] $errstr");
        }

        return $socket;
    } catch (Exception $e) {
        echo "Exception caught: " . $e->getMessage();
    }
}
```

I've double-checked the certificate chain order, ensured proper line endings, and made sure that the files are accessible by the PHP process.

Could you please help me identify what might be causing this error? Are there any additional steps I can take to troubleshoot this issue? Any insights would be greatly appreciated.

Running on PHP 7.4 and OpenSSL 1.1.1f

Thank you in advance for your assistance!

Dimgba Kalu
  • The `ca_file` value in your code is not quoted, and is missing the leading slash, assuming that it should resemble the line above. The path given in the error message is yet again different from any of the others. – Sammitch Aug 16 '23 at 22:51
  • @Sammitch thank you for your observation. I have fixed the question. – Dimgba Kalu Aug 17 '23 at 03:08

1 Answer


As the key length of your certificate is too short, you need a new one with a longer key size.

Minimum key size should be 2048-bit RSA.

For details on how to do this, have a look at
How to generate a self-signed SSL certificate using OpenSSL?

UPDATE:

The problem is not the OpenSSL version 1.1.1f. It is capable of fulfilling the much stricter security requirements up to TLS 1.3.

The problem is the OpenSSL configuration of the server. Here it is trimmed to use a deprecated level of security. Preferably this should be solved so as not to run your connections with security issues.

> The challenge is that the remote server (i.e. the server that I am connecting to) needs RSA 1024

Given this, I assume you have no access to the configuration of the server and you have to solve it from your client's side.

Your client's security level per default is "at least Level 2", requiring RSA 2048 or more (better: requiring at least 112 bits of security).

To downgrade to "Level 1" (used by the server, as it requires RSA 1024 = 80-bit security level) use in the ssl context options the option

```php
'security_level' => 1
```

Alternatively (but I won't do it) you can configure it in the settings of your OpenSSL by changing the value 2 to 1:

```ini
CipherString = DEFAULT@SECLEVEL=1
```

But doing this wrong will set the default security level for all connections of your client to the weak level.

dodrg
  • The remote server requires that the certificate must be RSA 1024. I am running PHP version 7.4.30 and OpenSSL 1.1.1f. Could this be the reason for the error? – Dimgba Kalu Aug 19 '23 at 16:28
  • Just try it: Generate a RSA 2048 or if error persists RSA 4096 and tell the difference. I would expect the error to vanish at RSA 2048 bit. // And use sha256 – dodrg Aug 19 '23 at 18:09
  • The error does not exist with RSA 2048. The challenge is that the remote server (i.e. the server that I am connecting to) needs RSA 1024 – Dimgba Kalu Aug 20 '23 at 21:57
  • Updated the answer for your RSA 1024 requirement. – dodrg Aug 22 '23 at 19:36
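The following is an added example (not code from the question or the answer) showing the per-context approach the answer recommends: the `security_level` stream option is applied to one context only, so the rest of the process keeps the default level instead of the process-wide `openssl.cnf` change. It also reads the key size out of the `local_cert` file up front, so a "ee key too small" mismatch is reported before the handshake. The file paths, host and port are hypothetical placeholders; the `security_level` context option exists in PHP 7.2 and later with OpenSSL 1.1.0 or later, and the per-level minimum RSA sizes are those documented for OpenSSL's SSL_CTX_set_security_level.

```php
<?php
declare(strict_types=1);

// Added example, not the question's or answer's code. All paths and the host
// below are hypothetical placeholders.

// Minimum RSA modulus size OpenSSL accepts at each SECLEVEL
// (level 1 = 80-bit security, level 2 = 112-bit, level 3 = 128-bit, ...).
const MIN_RSA_BITS_PER_SECLEVEL = [
    0 => 0,
    1 => 1024,
    2 => 2048,
    3 => 3072,
    4 => 7680,
    5 => 15360,
];

/**
 * Return the size in bits of the private key inside a PEM file.
 * 'local_cert' must contain the certificate and its private key (or pass the
 * key separately via 'local_pk'); "ee key too small" refers to this key's size.
 */
function pemKeyBits(string $pemPath): int
{
    $pem = @file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("Cannot read $pemPath");
    }
    $key = openssl_pkey_get_private($pem);
    if ($key === false) {
        throw new RuntimeException("No usable private key in $pemPath: " . openssl_error_string());
    }
    $details = openssl_pkey_get_details($key);
    return (int) $details['bits'];
}

/**
 * Build a stream context whose security level applies to this context only,
 * leaving openssl.cnf and every other connection in the process at the default.
 */
function buildTlsContext(string $localCert, string $caFile, int $securityLevel = 2)
{
    $keyBits = pemKeyBits($localCert);
    $needed  = MIN_RSA_BITS_PER_SECLEVEL[$securityLevel];
    if ($keyBits < $needed) {
        // Fail early with a readable message instead of the opaque OpenSSL one.
        throw new RuntimeException(
            "Key in $localCert is $keyBits bits; security level $securityLevel needs at least $needed"
        );
    }

    return stream_context_create([
        'ssl' => [
            'local_cert'        => $localCert,
            'cafile'            => $caFile,        // the option is 'cafile', not 'ca_file'
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => true,
            'security_level'    => $securityLevel, // PHP >= 7.2, OpenSSL >= 1.1.0
        ],
    ]);
}

/**
 * Open the TLS connection. A 1024-bit client certificate only passes at level 1;
 * that lowered level is scoped to the one peer that demands it.
 */
function connectTls(string $host, int $port, string $localCert, string $caFile, int $securityLevel = 2)
{
    $ctx = buildTlsContext($localCert, $caFile, $securityLevel);
    $socket = stream_socket_client(
        "ssl://$host:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($socket === false) {
        // Collect the OpenSSL error queue so the cause of a handshake failure is visible.
        $detail = '';
        while ($msg = openssl_error_string()) {
            $detail .= " | $msg";
        }
        throw new RuntimeException("TLS connect to $host:$port failed: [$errno] $errstr$detail");
    }
    return $socket;
}

// Usage (hypothetical values): a legacy peer that requires a 1024-bit RSA client cert.
try {
    $sock = connectTls('legacy.example.test', 8443, '/path/to/client-1024.pem', '/path/to/server-ca.pem', 1);
    fclose($sock);
    echo "handshake ok\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Calling `connectTls(...)` with the default level 2 and a 1024-bit certificate throws the "needs at least 2048" message before any network traffic, which is the same condition the OpenSSL error reports; only the call for the legacy peer passes level 1, so no other TLS connection in the script is weakened.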