rackspace / php-opencloud

The PHP SDK for OpenStack clouds
developer.rackspace.com

SSL Certificate is no longer trusted #740

Closed DrizzlyOwl closed 4 years ago

DrizzlyOwl commented 5 years ago

I'm unable to connect to https://lon.servers.api.rackspacecloud.com/ using guzzle anymore as the SSL certificate in use is no longer trusted.

Mozilla Firefox reports that Certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign are no longer considered safe because these certificate authorities failed to follow security practices in the past.

I believe this is likely related to https://knowledge.digicert.com/alerts/ALERT2562.html.

https://blog.qualys.com/ssllabs/2017/09/26/google-and-mozilla-deprecating-existing-symantec-certificates https://www.ssllabs.com/ssltest/analyze.html?d=lon.servers.api.rackspacecloud.com

kynx commented 5 years ago

Dunno. You seen https://github.com/rackspace/php-opencloud/issues/727?

DrizzlyOwl commented 5 years ago

I'm not presented with the same curl error number. My factory looks like this

$this->client = new Rackspace(
    Rackspace::UK_IDENTITY_ENDPOINT,
    [
        'username' => $user,
        'apiKey'   => $pass
    ],
    [
        Rackspace::CURL_OPTIONS => [
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
        ],
        Rackspace::REQUEST_OPTIONS => [
            'debug' => true,
        ]
    ]
);

and I mitigated the certificate authority issue by updating guzzle's CA store

curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
cp cacert.pem ./vendor/guzzle/guzzle/src/Guzzle/Http/Resources/cacert.pem

The debug option from guzzle reports:

Connected to lon.servers.api.rackspacecloud.com (37.188.100.146) port 443 (#1)
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /usr/src/app/vendor/guzzle/guzzle/src/Guzzle/Http/Resources/cacert.pem
CApath: /etc/ssl/certs
error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
Closing connection 1

and I get

[curl] 35: [url] https://lon.servers.api.rackspacecloud.com/v2/10018373/extensions

back from the Guzzle exception

kynx commented 5 years ago

Hrm... you're right. I don't use PHP for talking to the servers endpoint. Other endpoints and regions look OK. Sounds like one for Rackspace support.

DrizzlyOwl commented 4 years ago

OK so after a good head scratch I found out that it was the PHP OpenSSL configuration. I use Docker so I simply shipped my own copy of the default openssl.conf but with a minor amendment.

[system_default_sect]
MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2 <-- Comment out this line to lower the default security level

Whilst this is not the most glamorous solution, it works for my use case.
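A narrower form of the same workaround, added here as an example (not code from the issue or from php-opencloud itself): the security-level change is applied through the page's own `Rackspace::CURL_OPTIONS` mechanism so it affects only this client rather than every OpenSSL consumer on the host. It assumes PHP's curl extension is built against OpenSSL (the `@SECLEVEL=` syntax is OpenSSL-specific) and that level 1 is enough for this server.

```php
<?php
// Added example, not from the issue thread or the php-opencloud project.
// Scopes the OpenSSL security-level change to one client instead of editing
// the global openssl.cnf. Assumptions: the PHP curl extension is linked
// against OpenSSL (other TLS backends reject "@SECLEVEL="), and SECLEVEL=1
// is sufficient for the endpoint in question.
require __DIR__ . '/vendor/autoload.php';

use OpenCloud\Rackspace;

function makeRackspaceClient(string $user, string $apiKey, int $secLevel = 1): Rackspace
{
    return new Rackspace(
        Rackspace::UK_IDENTITY_ENDPOINT,
        ['username' => $user, 'apiKey' => $apiKey],
        [
            Rackspace::CURL_OPTIONS => [
                // Peer and hostname verification stay on: the CA store is
                // still enforced, only OpenSSL's security-level floor moves.
                CURLOPT_SSL_VERIFYPEER  => true,
                CURLOPT_SSL_VERIFYHOST  => 2,
                // Keep the MinProtocol = TLSv1.2 floor from openssl.cnf on
                // this client even though the global file is left untouched.
                CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
                // Equivalent of "CipherString = DEFAULT@SECLEVEL=1" in
                // openssl.cnf, but only for connections made by this client.
                CURLOPT_SSL_CIPHER_LIST => 'DEFAULT@SECLEVEL=' . $secLevel,
            ],
        ]
    );
}
```

Because the override is per client, any other OpenSSL user on the same container (package managers, other PHP clients) keeps the stricter default, and the exception to it is visible in the code that needs it.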