Closed bessone closed 5 years ago
Hi,
Generally, when you receive 'packet too big' errors, you are not communicating with the registry with the correct encryption protocol. Either the registry expects SSL and you are not using it, or the registry expects plain text and you are using SSL.
In your log I see what your end has sent, but I do not see any response from NIC.IT. So it seems that on a security layer, you are not communicating properly.
Can you try the connection without ssl:// in the configuration?
Same answer without the ssl://
This is my code:
try {
    $conn = new itEppConnection(TRUE);
    $conn->setLogFile('./epp.log');
    $conn->setHostname('ssl://epp.pubtest.nic.it');
    $conn->setPort(443);
    $conn->setUsername('xxxx');
    $conn->setPassword('xxxxx');
    $conn->connect();
    if ($conn->login()) {
        echo 'done';
        $conn->logout();
    }
} catch (eppException $e) {
    echo "ERROR: " . $e->getMessage() . "\n\n";
}
The class itEppConnection just extends the eppConnection class with 3 extensions required by nic.it (as you can see in the XML from the log). With a similar configuration I connect to the eurId without problems, and from the same machine an old PHP EPP client works (but is really ugly :) )
One small update: my original code runs on Ubuntu 18.04 with PHP 7.2. I just tried in a Docker container with PHP 5.6: same result.
Can you give it a try with: $conn->setHostname('epp.pubtest.nic.it');
It seems like the test service of Nic.IT does not expect SSL
I was not clear in my past comment: it also does not work when removing ssl:// from the host.
The connection test with openssl ends successfully:
openssl s_client -connect epp.pubtest.nic.it:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
verify return:1
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3
verify return:1
depth=0 C = IT, L = Pisa, O = Registro del ccTLD .it, OU = Registro .it, CN = api.pubtest.nic.it
verify return:1
---
Certificate chain
0 s:/C=IT/L=Pisa/O=Registro del ccTLD .it/OU=Registro .it/CN=api.pubtest.nic.it
i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
---
Server certificate
subject=/C=IT/L=Pisa/O=Registro del ccTLD .it/OU=Registro .it/CN=api.pubtest.nic.it
issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3281 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D47F94B8E11264CD2093D93A1E19992C33BC5E360BCA1D1147CAA33443DDC254
Session-ID-ctx:
Master-Key: 651D6ADAB73EA5768412957C3105DB5271F39CE23AB0780EB4905C208E3663FAD2F93508E49EE5C45EDFC463D960B22E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1540294295
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
I have tested the configuration, and I get exactly the same error as you do. Will do some further tests.
Are you sure that you are using the correct port (443)? Because to me it seems that you are communicating with a web server, not with an EPP server. The live interface of nic.it uses port 60125; I presume that they use a similar port number for the test server.
OK, found it. Please use this: $conn = new eppHttpsConnection(TRUE);
This will use the https:// protocol to connect to the service.
If you use eppHttpsConnection, you do not have to use ssl://; you can use only the hostname: $conn->setHostname('epp.pubtest.nic.it');
So when creating a new itEppConnection, make sure it descends from eppHttpsConnection, and then it will work.
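The transport mismatch discussed in this thread, as an added example that is not part of the original comments or of the library's code: EPP over TCP (RFC 5734) prefixes every frame with a 4-byte big-endian length, so a client that reads an HTTP reply or a TLS record as that header sees an enormous "packet". The function name `classifyFirstBytes`, the `MAX_FRAME` limit and the sample bytes are assumptions constructed for illustration.

```php
<?php
// Added example: classify the first bytes a peer sends when an EPP-over-TCP
// client (RFC 5734 framing) expects a length-prefixed frame.
// MAX_FRAME is an assumed sanity limit, not a value taken from the library.
const MAX_FRAME = 1000000;

function classifyFirstBytes(string $bytes): string
{
    if (strlen($bytes) < 4) {
        return 'short read: peer closed or sent fewer than 4 bytes';
    }
    // RFC 5734: 4-byte big-endian total length, header included.
    $length = unpack('N', substr($bytes, 0, 4))[1];

    if (strncmp($bytes, 'HTTP/', 5) === 0) {
        return "HTTP response read as a frame header (length $length): "
             . 'the endpoint is a web server, use an HTTP(S) transport';
    }
    // TLS record: content type 0x14-0x17, then major version 0x03.
    $type = ord($bytes[0]);
    if ($type >= 0x14 && $type <= 0x17 && ord($bytes[1]) === 0x03) {
        return "TLS record read as a frame header (length $length): "
             . 'the server speaks TLS, the client is reading plain text';
    }
    if ($length < 4 || $length > MAX_FRAME) {
        return "implausible frame length $length: not EPP framing";
    }
    // First bytes of the XML payload, if they have already been read.
    $payload = (string) substr($bytes, 4, 5);
    if ($payload !== '' && strncmp('<?xml', $payload, strlen($payload)) !== 0) {
        return "length $length is plausible but payload is not XML";
    }
    return "EPP frame, $length bytes including the 4-byte header";
}

// Constructed sample inputs (not captured from nic.it).
$xml = '<?xml version="1.0" encoding="UTF-8"?><epp><greeting/></epp>';
$samples = [
    'epp greeting' => pack('N', strlen($xml) + 4) . $xml,
    'web server'   => "HTTP/1.1 400 Bad Request\r\n\r\n",
    'tls alert'    => "\x15\x03\x03\x00\x02\x02\x46",
];
foreach ($samples as $name => $bytes) {
    printf("%-12s -> %s\n", $name, classifyFirstBytes($bytes));
}
```

The bytes `HTTP` decode to a length of 1213486160, which is why a web server on port 443 looks like an oversized packet to a framed EPP reader.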
Hello, I'm trying to use the EPP client to connect to nic.it. I did a test both using the generic eppConnection class and writing a dedicated one for the IT registry.
But in both cases I get the error:
The IT registry uses some custom svcExtension; I made a quick and dirty workaround to add them to the XML request, just before writing the correct extension class. (Official guidelines in Italian: https://www.nic.it/sites/default/files/docs/Linee_Guida_Tecniche_Sincrone_v2.4.pdf)
By enabling the logs the request seems correct: epp.log
I really do not understand what I'm doing wrong, any help is appreciated.
Thanks!