You are here: RE: [PHP] OpenSSL Problem « PHP « IT news, forums, messages
RE: [PHP] OpenSSL Problem

Posted by Richard Lynch on 01/06/05 22:58

Gustafson, Tim wrote:
> Actually, if you leave the code exactly as-is, but change the
> openssl_csr_sign function to create a self-signed certificate, the
> entire script executes perfectly. I know there is a lot of error
> checking needed - I'm just making a "test" script to get a feel for how
> OpenSSL operates in PHP. The certificate and key files are mode 444
> (readable by everyone) as they are just "test" certificates right now.
> I have a valid openssl.cnf file (in /etc/ssl/openssl.cnf, which is
> what's complied into OpenSSL) and I use that configuration file that I
> use with some shell scripts to do everything that I want to do in PHP,
> so I'm sure it's a valid openssl.cnf file.

Excellent!

That does narrow your focus down, hopefully.

> Does PHP restrict access to /etc/ssl for the OpenSSL library if I have
> open_basedir set? Perhaps I need to make an openssl.cnf in the
> /usr/home/ws1086 (which is the open_basedir path) so that it's readable?
> I would think that the library would have access to the whole system
> since it's not really part of PHP, but maybe I'm wrong.

You still may want to add the error-checking, at LEAST on the line that's
giving you trouble, as the error string may have more information.

Just for fun, for your test, you could even move those to a 777 directory.

You might also need to have the PHP user's .ssh directories be created and
have the right permissions for the keys to work.

Can you 'su' to the Apache/PHP user and do the OpenSSL stuff from the
command-line?

> Either way, it's not complaining about access to openssl.cnf, it's
> complaining about access to the certificate, so let's take it one step
> at a time. :)

Except that you never know if a 'warning' message may have appeared
earlier from a previous step.

Perhaps you got a warning like:
'WARNING: openssl.cnf does not contain the blah-blah you need for an
authenticated certificate'

But you're not doing your error-checking.

I've got NO IDEA if OpenSSL has different levels of errors like that, or
if that's a possible error, and I've probably got the terminology wrong.

What I *DO* know is, adding error-checking at every stage of the code
where it is possible is usually the fastest easiest way to find out what
went wrong.

Thought sometimes just the act of writing the error-checking code makes
you realize just what's going on, and prods the brain more than the actual
code output.

But error-checking is always good.

--
Like Music?
http://l-i-e.com/artists.htm

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация