metaregistrar / php-epp-client

Object-oriented PHP EPP Client
https://www.metaregistrar.com/docs/
MIT License

Connection problem with nic.it #163

Closed bessone closed 5 years ago

bessone commented 5 years ago

Hello, I'm trying to use the EPP client to connect to nic.it. I did a test both using the generic eppConnection class and writing a dedicated one for the IT registry.

But in both cases I get the error:

Packet size is too big: 1213486156. Closing connection

The IT registry uses some custom svcExtension; I made a quick and dirty workaround to add them to the XML request, just before writing the correct extension class. (Official guidelines in Italian: https://www.nic.it/sites/default/files/docs/Linee_Guida_Tecniche_Sincrone_v2.4.pdf)

By enabling the logs the request seems correct: epp.log

I really do not understand what I'm doing wrong, any help is appreciated.

Thanks!

metaregistrar commented 5 years ago

Hi,

Generally, when you receive 'packet too big' errors, you are not communicating with the registry with the correct encryption protocol. Either the registry expects SSL and you are not using it, or the registry expects plain text and you are using SSL.

In your log I see what your end has sent, but I do not see any response from NIC.IT. So it seems that on a security layer, you are not communicating properly.

Can you try the connection without ssl:// in the configuration?

bessone commented 5 years ago

Same answer without the ssl://

This is my code:

try {
  $conn = new itEppConnection(TRUE);
  $conn->setLogFile('./epp.log');
  $conn->setHostname('ssl://epp.pubtest.nic.it');
  $conn->setPort(443);
  $conn->setUsername('xxxx');
  $conn->setPassword('xxxxx');

  $conn->connect();
  if ($conn->login()) {
    echo 'done';
    $conn->logout();
  }
} catch (eppException $e) {
  echo "ERROR: " . $e->getMessage() . "\n\n";
}

The class itEppConnection just extends the eppConnection class with 3 extensions required by nic.it (as you can see in the XML from the log). With a similar configuration I connect to the eurId without problems, and from the same machine an old PHP EPP client works (but is really ugly :) )

bessone commented 5 years ago

One small update: my original code runs on Ubuntu 18.04 with PHP 7.2. I just tried on a Docker container with PHP 5.6: same result.

metaregistrar commented 5 years ago

Can you give it a try with: $conn->setHostname('epp.pubtest.nic.it');

It seems like the test service of Nic.IT does not expect SSL.

bessone commented 5 years ago

I was not clear in my previous comment: it also does not work when removing ssl:// from the host.

The connection test with openssl ends successfully:

openssl s_client -connect epp.pubtest.nic.it:443

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
verify return:1
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3
verify return:1
depth=0 C = IT, L = Pisa, O = Registro del ccTLD  .it, OU = Registro .it, CN = api.pubtest.nic.it
verify return:1
---
Certificate chain
 0 s:/C=IT/L=Pisa/O=Registro del ccTLD  .it/OU=Registro .it/CN=api.pubtest.nic.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
---
Server certificate
subject=/C=IT/L=Pisa/O=Registro del ccTLD  .it/OU=Registro .it/CN=api.pubtest.nic.it
issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3281 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D47F94B8E11264CD2093D93A1E19992C33BC5E360BCA1D1147CAA33443DDC254
    Session-ID-ctx:
    Master-Key: 651D6ADAB73EA5768412957C3105DB5271F39CE23AB0780EB4905C208E3663FAD2F93508E49EE5C45EDFC463D960B22E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1540294295
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

metaregistrar commented 5 years ago

I have tested the configuration, and I get exactly the same error as you do. Will do some further tests.

metaregistrar commented 5 years ago

Are you sure that you are using the correct port (443)? Because to me it seems that you are communicating with a web server, not with an EPP server. The live interface of nic.it uses port 60125; I presume that they use a similar port number for the test server.

metaregistrar commented 5 years ago

OK, found it. Please use this: $conn = new eppHttpsConnection(TRUE);

This will use the https:// protocol to connect to the service.

metaregistrar commented 5 years ago

If you use eppHttpsConnection, you do not have to use ssl://; you can use only the hostname: $conn->setHostname('epp.pubtest.nic.it');

metaregistrar commented 5 years ago

So when creating a new itEppConnection, make sure it descends from eppHttpsConnection, and then it will work.
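
Why the client reported that particular number, as an added example that is not part of the original thread or of php-epp-client: EPP over TCP (RFC 5734) starts every frame with a 4-byte big-endian length, and 1213486156 is 0x48545450, the ASCII bytes "HTTP", which matches the diagnosis above that a web server was answering on port 443. The function name, the size limit and the second sample value are assumptions made for this sketch.

```php
<?php
// Added diagnostic sketch; explainLengthHeader() and MAX_EPP_FRAME are
// hypothetical names, not part of php-epp-client.

const MAX_EPP_FRAME = 1000000; // assumed sanity limit for one EPP frame, in bytes

/**
 * Given a frame length the client rejected, recover the 4 bytes it actually
 * read from the socket and guess which protocol the peer was really speaking.
 */
function explainLengthHeader(int $length): array
{
    $raw = pack('N', $length);                 // back to the bytes on the wire
    $ascii = ctype_print($raw) ? $raw : null;  // only set if all 4 bytes are printable

    if ($length >= 4 && $length <= MAX_EPP_FRAME) {
        $guess = 'plausible EPP frame';
    } elseif ($raw === 'HTTP') {
        // Start of a status line such as "HTTP/1.1 400 Bad Request"
        $guess = 'HTTP response: peer is a web server, use EPP over HTTPS';
    } elseif (in_array(ord($raw[0]), [0x14, 0x15, 0x16, 0x17], true)
        && ord($raw[1]) === 0x03) {
        // TLS record header: content type byte, then major version 3
        $guess = 'TLS record: peer speaks TLS, client read it as plain EPP';
    } elseif ($ascii !== null) {
        $guess = 'ASCII text: peer is not sending a length header at all';
    } else {
        $guess = 'unknown';
    }

    return ['hex' => bin2hex($raw), 'ascii' => $ascii, 'guess' => $guess];
}

// The value from the error message in this thread.
print_r(explainLengthHeader(1213486156));

// Constructed sample: first 4 bytes of a TLS handshake record (16 03 03 00),
// as seen when a plain-text client connects to a TLS-only port.
print_r(explainLengthHeader(0x16030300));
```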