minchao / mitake-php

Mitake SMS PHP SDK
MIT License
33 stars, 6 forks

ssl error #2

Closed y2468101216 closed 6 years ago

y2468101216 commented 6 years ago

PHP Fatal error: Uncaught GuzzleHttp\Exception\ConnectException: cURL error 35: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in /home/yun_chen/project/mitake-php/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:185
Stack trace:
#0 /home/yun_chen/project/mitake-php/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(149): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array)
#1 /home/yun_chen/project/mitake-php/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(102): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#2 /home/yun_chen/project/mitake-php/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(43): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#3 /home/yun_chen/proj in /home/yun_chen/project/mitake-php/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php on line 185

y2468101216 commented 6 years ago

I wanted to ask what I need to do. Do I need to apply to Mitake for an SSL certificate?

minchao commented 6 years ago

Looking up the cURL error code, the description reads as follows:

CURLE_SSL_CONNECT_ERROR (35)

A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.

I suggest enabling Guzzle's debug option first to see a more detailed error message.

y2468101216 commented 6 years ago

I've found the problem. The cause is that OpenSSL no longer supports the vulnerable SSLv3 certificate. I'll send a simple PR this weekend to improve this.

minchao commented 6 years ago

By forcing the use of TLSv1?

y2468101216 commented 6 years ago

Probably not; just write an FAQ or something, and also add the option to switch to an http URL.

y2468101216 commented 6 years ago

Getting OpenSSL to support SSLv3 means compiling it yourself, which is too much trouble.

minchao commented 6 years ago

Better not to use SSLv3 at all XD. If you want to use the HTTP endpoints, you can configure them like this:

$client->setBaseURL('http://smexpress.mitake.com.tw:9600');
$client->setLongMessageBaseURL('http://smexpress.mitake.com.tw:7002');

y2468101216 commented 6 years ago

I know, that's why I'm rewriting the docs and adding an option to use http XD

minchao commented 6 years ago

Thanks for the reminder, @y2468101216. TLSv1 has also been deprecated; see Deprecating TLSv1.0 and TLSv1.1.

cipherscan:

Target: smexpress.mitake.com.tw:9601

prio  ciphersuite      protocols    pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  npn   pfs   curves
1     IDEA-CBC-SHA     SSLv3,TLSv1  2048         sha256WithRSAEncryption  False    None         False        None  None  None
2     RC4-SHA          SSLv3,TLSv1  2048         sha256WithRSAEncryption  False    None         False        None  None  None
3     RC4-MD5          SSLv3,TLSv1  2048         sha256WithRSAEncryption  False    None         False        None  None  None
4     DES-CBC3-SHA     SSLv3,TLSv1  2048         sha256WithRSAEncryption  False    None         False        None  None  None
5     DES-CBC-SHA      SSLv3,TLSv1  2048         sha256WithRSAEncryption  False    None         False        None  None  None
6     IDEA-CBC-MD5     SSLv2        2048         sha256WithRSAEncryption  False    None         False        None  None  None
7     RC2-CBC-MD5      SSLv2        2048         sha256WithRSAEncryption  False    None         False        None  None  None
8     DES-CBC3-MD5     SSLv2        2048         sha256WithRSAEncryption  False    None         False        None  None  None
9     RC4-64-MD5       SSLv2        2048         sha256WithRSAEncryption  False    None         False        None  None  None
10    DES-CBC-MD5      SSLv2        2048         sha256WithRSAEncryption  False    None         False        None  None  None
11    EXP-RC2-CBC-MD5  SSLv2        2048         sha256WithRSAEncryption  False    None         False        None  None  None
12    EXP-RC4-MD5      SSLv2        2048         sha256WithRSAEncryption  False    None         False        None  None  None

y2468101216 commented 6 years ago

I've sent the PR; I won't have time to fix the CLI part until next weekend.

minchao commented 6 years ago

Thank you, @y2468101216.

Having thought about it, I'm considering adding a warning notice to the project until Mitake fixes this security issue.

minchao commented 6 years ago

The long-message endpoint does support TLSv1.2 XDD

Target: smexpress.mitake.com.tw:7102

prio  ciphersuite              protocols              pfs                 curves
1     ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
2     AES256-SHA256            TLSv1.2                None                None
3     ECDHE-RSA-RC4-SHA        TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
4     RC4-SHA                  TLSv1,TLSv1.1,TLSv1.2  None                None
5     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
6     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2  None                None
7     CAMELLIA256-SHA          TLSv1,TLSv1.1,TLSv1.2  None                None
8     ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
9     ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1,secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,sect571r1,sect571k1,sect409k1,sect409r1,sect283k1,sect283r1
10    AES128-SHA256            TLSv1.2                None                None
11    AES128-SHA               TLSv1,TLSv1.1,TLSv1.2  None                None
12    CAMELLIA128-SHA          TLSv1,TLSv1.1,TLSv1.2  None                None
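
The two cipherscan tables above (port 9601 and port 7102) explain the handshake failure better than "OpenSSL dropped SSLv3" alone: the short-message port offers nothing newer than TLSv1 and only RC4, DES, 3DES and IDEA suites, while the long-message port offers TLSv1.2 with ECDHE and AES. The following script is an added example, not code from this issue, the mitake-php SDK, or Mitake. It parses both tables (embedded below as constructed sample input, trimmed to the first three columns of the rows quoted above) and simulates which suite a client would end up negotiating. The client policy is an assumption that approximates a current OpenSSL/cURL build: SSLv3 compiled out and RC4, DES/3DES, RC2, IDEA, export and MD5-MAC suites absent from the default cipher list. It also shows what merely forcing TLSv1 (as floated earlier in the thread) would and would not achieve.

```python
"""Simulate TLS suite negotiation against the cipherscan tables in this issue.

Added example, not code from the issue, the mitake-php SDK, or Mitake. The
scan rows are the ones quoted in the thread, embedded as constructed sample
input and trimmed to the prio/ciphersuite/protocols columns. The client
policy is an assumption approximating a current OpenSSL/cURL build.
"""
import re

PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed sample: smexpress.mitake.com.tw:9601 (short-message endpoint).
SCAN_9601 = """\
prio  ciphersuite      protocols
1     IDEA-CBC-SHA     SSLv3,TLSv1
2     RC4-SHA          SSLv3,TLSv1
3     RC4-MD5          SSLv3,TLSv1
4     DES-CBC3-SHA     SSLv3,TLSv1
5     DES-CBC-SHA      SSLv3,TLSv1
6     IDEA-CBC-MD5     SSLv2
7     RC2-CBC-MD5      SSLv2
8     DES-CBC3-MD5     SSLv2
9     RC4-64-MD5       SSLv2
10    DES-CBC-MD5      SSLv2
11    EXP-RC2-CBC-MD5  SSLv2
12    EXP-RC4-MD5      SSLv2
"""

# Constructed sample: smexpress.mitake.com.tw:7102 (long-message endpoint).
SCAN_7102 = """\
prio  ciphersuite              protocols
1     ECDHE-RSA-AES256-SHA384  TLSv1.2
2     AES256-SHA256            TLSv1.2
3     ECDHE-RSA-RC4-SHA        TLSv1,TLSv1.1,TLSv1.2
4     RC4-SHA                  TLSv1,TLSv1.1,TLSv1.2
5     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2
6     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2
7     CAMELLIA256-SHA          TLSv1,TLSv1.1,TLSv1.2
8     ECDHE-RSA-AES128-SHA256  TLSv1.2
9     ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2
10    AES128-SHA256            TLSv1.2
11    AES128-SHA               TLSv1,TLSv1.1,TLSv1.2
12    CAMELLIA128-SHA          TLSv1,TLSv1.1,TLSv1.2
"""

# Assumed client policy: a suite naming any of these algorithms is rejected.
LEGACY_CIPHER = re.compile(r"(^|-)(RC4|RC2|DES|IDEA|EXP|NULL|MD5)(-|$)")
# Same policy with DES/3DES re-enabled, to show what port 9601 would require.
LEGACY_CIPHER_ALLOW_DES = re.compile(r"(^|-)(RC4|RC2|IDEA|EXP|NULL|MD5)(-|$)")


def parse_cipherscan(text):
    """Return [(prio, suite, [protocols])] for each data row of a cipherscan table."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header or blank line
        rows.append((int(fields[0]), fields[1], fields[2].split(",")))
    return rows


def negotiate(scan_text, min_protocol="TLSv1.2", legacy=LEGACY_CIPHER):
    """Pick the suite a client with the given policy would end up with.

    cipherscan lists suites in server preference order, and the server is
    assumed to honour that order. Returns (suite, protocol) on success, or
    (None, reason) when nothing overlaps, which is one common reason a server
    answers with the handshake_failure alert seen in the trace above.
    """
    rows = parse_cipherscan(scan_text)
    floor = PROTOCOL_RANK[min_protocol]
    highest = max({p for _, _, protos in rows for p in protos}, key=PROTOCOL_RANK.get)
    if PROTOCOL_RANK[highest] < floor:
        return None, f"server tops out at {highest}; client requires {min_protocol} or newer"
    for _prio, suite, protos in rows:
        usable = [p for p in protos if PROTOCOL_RANK[p] >= floor]
        if usable and not legacy.search(suite):
            return suite, max(usable, key=PROTOCOL_RANK.get)
    return None, f"every suite offered at {min_protocol} or newer is a legacy cipher"


if __name__ == "__main__":
    print("9601, TLSv1.2 floor:", negotiate(SCAN_9601))
    print("9601, TLSv1 floor:  ", negotiate(SCAN_9601, "TLSv1"))
    print("9601, TLSv1 + 3DES: ", negotiate(SCAN_9601, "TLSv1", LEGACY_CIPHER_ALLOW_DES))
    print("7102, TLSv1.2 floor:", negotiate(SCAN_7102))
```

Lowering the floor to TLSv1 is not enough on its own for port 9601: every suite it offers is a legacy cipher, so the only way to connect is to re-enable 3DES over TLS 1.0, which is exactly the configuration the deprecation notice linked above argues against. Port 7102 negotiates ECDHE-RSA-AES256-SHA384 under the strict policy without any client changes. On the Guzzle side, the same floor is expressed with the `curl` request option, for example `CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_2`, kept together with `verify => true` so that the certificate is still checked.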

minchao commented 6 years ago

Closed by #3.