Closed: Foolson closed this issue 5 years ago
We have not tested a connection with a self-signed certificate yet. But the error messages you are getting look as if they have more to do with the response from the registry than with php-epp-client itself. In addition to 'certificatefile' you can also specify 'certificatepassword=' in the ini file if the certificate has a password.
> We have not tested a connection with a self-signed certificate yet.
IIS ignores the certificate authority so there is no need for properly signed certificates.
> But the error messages you are getting look as if they have more to do with the response from the registry than with php-epp-client itself.
Can I do any further tests to check this?
> In addition to 'certificatefile' you can also specify 'certificatepassword=' in the ini file if the certificate has a password.
The certificatefile is unencrypted.
The error message "Peer certificate CN=`epp.iis.se' did not match expected CN=`epptest.iis.se'" does not come from php-epp-client and seems to be the issue with the certificate.
Can you try to alter line 131 of Protocols/EPP/eppConnection.php to: protected $allow_self_signed = true;
If this works, I can make a change so that a keyword in the ini file allows for self-signed certificates.
> The error message "Peer certificate CN=`epp.iis.se' did not match expected CN=`epptest.iis.se'" does not come from php-epp-client and seems to be the issue with the certificate.
My certificatefile does not contain epp.iis.se or epptest.iis.se so I guess that's IIS's certificate.
> Can you try to alter line 131 of Protocols/EPP/eppConnection.php to: protected $allow_self_signed = true;
> If this works, I can make a change so that a keyword in the ini file allows for self-signed certificates.
Sadly it didn't work.
PHP Notice: Undefined index: password in /var/www/html/vendor/metaregistrar/php-epp-client/Protocols/EPP/eppConnection.php on line 1052
==== LOG ====
PHP Warning: stream_socket_client(): Peer certificate CN=`epp.iis.se' did not match expected CN=`epptest.iis.se' in /var/www/html/vendor/metaregistrar/php-epp-client/Protocols/EPP/eppConnection.php on line 395
PHP Warning: stream_socket_client(): Failed to enable crypto in /var/www/html/vendor/metaregistrar/php-epp-client/Protocols/EPP/eppConnection.php on line 395
PHP Warning: stream_socket_client(): unable to connect to ssl://epptest.iis.se:700 (Unknown error) in /var/www/html/vendor/metaregistrar/php-epp-client/Protocols/EPP/eppConnection.php on line 395
PHP Fatal error: Uncaught Metaregistrar\EPP\eppException: Error connecting to ssl://epptest.iis.se:700: (code 0) in /var/www/html/vendor/metaregistrar/php-epp-client/Protocols/EPP/eppConnection.php:401
Stack trace:
#0 /var/www/html/vendor/metaregistrar/php-epp-client/Protocols/EPP/eppConnection.php(441): Metaregistrar\EPP\eppConnection->connect()
#1 /var/www/html/index.php(5): Metaregistrar\EPP\eppConnection->login()
#2 {main}
thrown in /var/www/html/vendor/metaregistrar/php-epp-client/Protocols/EPP/eppConnection.php on line 401
Can you check if you have the latest version? In my version, line 395 of eppConnection.php is within the logout() command, so it seems that you are working with a different version.
> Can you check if you have the latest version? In my version, line 395 of eppConnection.php is within the logout() command, so it seems that you are working with a different version.
I use Composer and from what I can find php-epp-client is version 1.0.6.
{
"name": "metaregistrar/php-epp-client",
"version": "1.0.6",
"source": {
"type": "git",
"url": "https://github.com/metaregistrar/php-epp-client.git",
"reference": "febe4dc34aff8b5a377689ed80e35db83c60f614"
},
That is the latest version.
But weird, if you check https://github.com/metaregistrar/php-epp-client/blob/master/Protocols/EPP/eppConnection.php, you see that line 395 is in the logout() function, and your procedure does not seem to come there.
> That is the latest version. But weird, if you check https://github.com/metaregistrar/php-epp-client/blob/master/Protocols/EPP/eppConnection.php, you see that line 395 is in the logout() function, and your procedure does not seem to come there.
Yeah that row is on row 466 for me. Tested to redownload php-epp-client but it's still on 466.
The latest version 1.0.6 is a version where a number of obsolete functions are removed, so that would make sense if your version is older, then the logout() code would be about 60 lines further up.
The reason that I ask is because in the old version there were 2 different ways to connect, making debugging a lot more difficult. Only one of those 2 ways allowed for certificates to be used.
> The latest version 1.0.6 is a version where a number of obsolete functions are removed, so that would make sense if your version is older, then the logout() code would be about 60 lines further up.
So I don't have version 1.0.6?
> The reason that I ask is because in the old version there were 2 different ways to connect, making debugging a lot more difficult. Only one of those 2 ways allowed for certificates to be used.
So I should check if I use the wrong one?
Did a git clone instead and used the same settings.ini and the same self-signed cert.
And the result looks different:
$ php checkdomain.php test.se
Checking 1 domain names
PHP Notice: Undefined index: password in /home/jo/git/php-epp-client/Protocols/EPP/eppConnection.php on line 980
ERROR: No password specified for login attempt
==== LOG ====
-----Connection made-----2019-02-12 10:31:50-----
Stream opened
-----END-----2019-02-12 10:31:50-----
-----DISCONNECT-----2019-02-12 10:32:00-----
Disconnected
-----END-----2019-02-12 10:32:00-----
I guess that Composer downloads an older version?
I feel like an idiot that I thought that no password was needed. Fixed that and it seems like I got one step closer to a solution.
$ php checkdomain.php test.se test2.se
Checking 2 domain names
ERROR: Unexpected closed connection by remote host...
==== LOG ====
-----Connection made-----2019-02-12 11:11:24-----
Stream opened
-----END-----2019-02-12 11:11:24-----
-----WRITE-----2019-02-12 11:11:34-----
<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
<command>
<login>
<clID>XXXXXXXXXXXXXXXX</clID>
<pw>XXXXXXXXXXXXXXXX</pw>
<options>
<version>1.0</version>
<lang>en</lang>
</options>
<svcs>
<objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
<objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
<objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
<svcExtension>
<extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
<extURI>urn:se:iis:xml:epp:iis-1.2</extURI>
</svcExtension>
</svcs>
</login>
<clTRID>5c629bd601296</clTRID>
</command>
</epp>
-----END-----2019-02-12 11:11:34-----
Hi Johan,
I am pleased that you at least are closer to a solution. Please let me know if you need additional help.
So I guess that checkdomain.php should return some sort of status from the registrar?
Looks like the registrar never responds.
ERROR: Unexpected closed connection by remote host...
Could it be a firewall problem?
Yes, might be firewalling either on your own side (make sure port 700 is open) or on the side of the registry.
I have confirmed that 700 is open on both sides.
I can't see anything about ssl or certificates in the communication and the password is sent in cleartext.
When you use openssl to connect, do you see the "hello" message from the registry? That would indicate that all communications is correct, and that the userid/password is not accepted.
Maybe you can ask the Swedish guys if they see something happening at their side....
> When you use openssl to connect, do you see the "hello" message from the registry? That would indicate that all communications is correct, and that the userid/password is not accepted.
openssl s_client -connect epptest.iis.se:700 -cert certfile.pem
At the end of the output I get the following XML:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd" xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<greeting>
<svID>epptest.iis.se</svID>
<svDate>2019-02-13T11:10:39.0Z</svDate>
<svcMenu>
<version>1.0</version>
<lang>en</lang>
<objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
<objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
<objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
<svcExtension>
<extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
<extURI>urn:ietf:params:xml:ns:secDNS-1.0</extURI>
<extURI>urn:se:iis:xml:epp:iis-1.2</extURI>
</svcExtension>
</svcMenu>
<dcp>
<access>
<all />
</access>
<statement>
<purpose>
<prov />
</purpose>
<recipient>
<ours />
<public />
</recipient>
<retention>
<stated />
</retention>
</statement>
</dcp>
</greeting>
</epp>
Yes, that is the greeting from the registry, so the encryption and the certificate and the open ports are correct. The only thing that might be wrong is username/password not accepted. Any ampersands or greater-than or less-than signs in the password? In that case you must use $conn->login(true). The password that contains difficult characters is then wrapped in a [CDATA[ structure. I have made this optional, because I found out that not all registries accept a password wrapped in a [CDATA[ block.
The password contains $, !, numbers and letters.
I could change to a password without any special characters.
One thing I'm still confused about is that the password and username are sent in cleartext. Shouldn't they be encrypted if I do a packet capture?
If you have an SSL connection, the whole packet is encrypted before it goes out on the internet - not only the username and password.
Can you try hostname=ssl://epptest.iis.se and see if that works?
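Pulling together the pieces this thread touches on (the ssl:// prefix that turns TLS on for the stream, the client certificate, the "did not match expected CN" warning that the allow_self_signed suggestion was meant to get around, and the CDATA-wrapped password of login(true)), here is an added example of a minimal EPP session written in plain PHP. It is not php-epp-client's code and not part of the issue; the hostnames, file paths, client id and password are placeholders. The one design choice worth noting: when the registry's certificate is legitimately issued for a different name than the host you dial, pin that expected name with peer_name while keeping verify_peer on, rather than setting allow_self_signed, which switches chain verification off entirely.

```php
<?php
// Added example, not php-epp-client code. Bare-bones EPP session showing the
// ssl:// transport, a client certificate, strict server verification with a pinned
// peer name, RFC 5734 length-prefixed framing, and a DOM-built <login>.
// Every hostname, path and credential below is a placeholder.

const EPP_NS = 'urn:ietf:params:xml:ns:epp-1.0';

// TLS context: verify the registry against a trusted CA file and require the
// certificate to carry $expectedName. Pinning that name replaces allow_self_signed.
function eppContext(string $certFile, string $keyFile, string $caFile, string $expectedName): array
{
    return ['ssl' => [
        'local_cert'        => $certFile,     // client certificate, PEM
        'local_pk'          => $keyFile,      // matching private key, PEM
        'cafile'            => $caFile,       // trust anchor(s) for the server certificate
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'peer_name'         => $expectedName,
        'allow_self_signed' => false,
    ]];
}

// Read exactly $n bytes; a short read is how "closed connection by remote host"
// surfaces at this layer.
function readExactly($stream, int $n): string
{
    $buf = '';
    while (strlen($buf) < $n) {
        $chunk = fread($stream, $n - strlen($buf));
        if ($chunk === false || $chunk === '') {
            throw new RuntimeException('connection closed by remote host');
        }
        $buf .= $chunk;
    }
    return $buf;
}

// EPP over TCP: each message is preceded by a 4-byte big-endian length that
// includes the 4 header bytes themselves (RFC 5734).
function eppWriteFrame($stream, string $xml): void
{
    $frame = pack('N', strlen($xml) + 4) . $xml;
    if (fwrite($stream, $frame) !== strlen($frame)) {
        throw new RuntimeException('short write to registry');
    }
}

function eppReadFrame($stream): string
{
    $length = unpack('N', readExactly($stream, 4))[1] - 4;
    if ($length <= 0 || $length > (1 << 20)) {   // bound what a peer can make us allocate
        throw new RuntimeException("implausible frame length $length");
    }
    return readExactly($stream, $length);
}

// Build <login> with DOM so the password is always well-formed XML: a text node is
// entity-escaped by DOM, a CDATA section goes out verbatim (the login(true) case).
function eppLoginXml(string $clId, string $password, string $clTrid, bool $useCdata = false): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $epp = $doc->appendChild($doc->createElementNS(EPP_NS, 'epp'));
    $command = $epp->appendChild($doc->createElement('command'));
    $login = $command->appendChild($doc->createElement('login'));
    $login->appendChild($doc->createElement('clID'))->appendChild($doc->createTextNode($clId));
    $login->appendChild($doc->createElement('pw'))->appendChild(
        $useCdata ? $doc->createCDATASection($password) : $doc->createTextNode($password)
    );
    $options = $login->appendChild($doc->createElement('options'));
    $options->appendChild($doc->createElement('version', '1.0'));
    $options->appendChild($doc->createElement('lang', 'en'));
    $svcs = $login->appendChild($doc->createElement('svcs'));
    foreach (['domain', 'contact', 'host'] as $obj) {
        $svcs->appendChild($doc->createElement('objURI', "urn:ietf:params:xml:ns:{$obj}-1.0"));
    }
    $command->appendChild($doc->createElement('clTRID', $clTrid));
    return $doc->saveXML();
}

// Connect over TLS, read the greeting the server sends first, log in, return both frames.
function eppSession(string $host, int $port, array $context, string $clId, string $password): array
{
    $stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 30,
        STREAM_CLIENT_CONNECT, stream_context_create($context));
    if ($stream === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    $greeting = eppReadFrame($stream);
    eppWriteFrame($stream, eppLoginXml($clId, $password, uniqid(), true));
    $response = eppReadFrame($stream);
    fclose($stream);
    return ['greeting' => $greeting, 'login' => $response];
}

// Usage with placeholder values:
// $ctx = eppContext('client.pem', 'client.key', 'registry-ca.pem', 'epp.example.test');
// $r = eppSession('epp.example.test', 700, $ctx, 'CLIENT-ID', 'p4$$!word');
```

The login response carries a `<result code="...">` element; per RFC 5730, 1000 is success and 2200 is an authentication error, which is the quickest way to tell "credentials rejected" apart from the transport problems discussed earlier in this thread. Without the ssl:// scheme the same code would open a plain TCP stream, which is why the earlier packet capture showed the credentials in cleartext.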
It works perfectly with ssl://epptest.iis.se.
So, I tested that with the outdated version I downloaded with Composer. It then tried to connect to ssl://ssl://epptest.iis.se. But I forgot to try it again with the version I downloaded with git…
Also, everything is now encrypted in the packet capture.
So the only question left is why composer would feed you an old version.
Yep, and the only fault beside my mistakes.
But that issue is not connected to self signed certificates so I will close this issue now.
Installed php-epp-client with composer, and indeed received an old version. Will fix this.
Fixed it in 1.0.7.
There was an error in composer.json where packagist would refuse to update the package.
Hello, I have the same error
ERROR: Unexpected closed connection by remote host...
My code is:
    $conn = new \Metaregistrar\EPP\eppConnection();
    $conn->addExtension('allocationToken', 'urn:ietf:params:xml:ns:allocationToken-1.0');
    $conn->useExtension('secDNS-1.1');
    $conn->setHostname('epp.sandbox.nic.sa'); // also trying ssl://epp.sandbox.nic.sa
    $conn->setPort(700);
    $conn->setUsername('xxx');
    $conn->setPassword('xxxxxx');
    // $sslCert and $sslKey hold the client certificate and key paths; their assignment is not shown in the post
    $context = stream_context_create(array(
        'ssl' => array(
            'local_cert' => $sslCert,
            'local_pk'   => $sslKey,
            'passphrase' => '',
        )
    ));
    $conn->setSslContext($context);
    $conn->connect();
    $conn->login();
but I get the same error.
I can connect to the NIC EPP endpoint service via cmd using the SSL certificates:
openssl s_client -connect epp.sandbox.nic.sa:700 -cert registrar.crt -key registrar.key
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.sandbox.nic.sa
verify return:1
and the other XML response.
Hi,
Is it possible to use this project with self signed certificates?
I'm trying to connect to IIS and it works with:
openssl s_client -connect epptest.iis.se:700 -cert certfile.pem
But not with php-epp-client.
settings.ini
Errors