TLDR
The author is having trouble connecting to a SOAP server through HTTPS/SSL using a PHP SoapClient. They suspect the issue is with the SSL connection and have tried various solutions without success.
complete
The author is attempting to connect to a SOAP server via HTTPS using a PHP SoapClient, but is encountering "Could not connect to host" errors. They believe the problem lies with the SSL connection, as they are able to reach another server using the same connection method. The author has tried various solutions, including creating a stream_context for the WSDL options, but has not had success.
Situation
- The author is creating a PHP SoapClient based on a local WSDL.
- Changing the endpoint results in successful request and response headers.
- The machine is reachable from their server, but there is an SSL connection issue when using wget or openssl to connect.
What I tried.
The author has attempted various suggested solutions for similar issues, but without success. This includes creating a stream_context for the WSDL options.
$context = stream_context_create(
array(
'ssl' => array(
'verify_peer' => false, //default
'allow_self_signed' => true, //needs verify peer, tried that
'ciphers'=>"SHA1", // quite random.
),
'https' => array(
'curl_verify_ssl_peer' => false,
'curl_verify_ssl_host' => false
)
)
);
$options['stream_context'] = $context;
首先,只使用 verify_peer 和 allow_self_signed 选项的 ssl。然后我添加了 https 数组,最后我在 ssl 中添加了 ciphers 键。
我找到了对 这个 bug 的参考,但是1)我没有收到那个警告,2)它似乎与代理有关,3)我的版本不应该再有这个 bug。我正在运行 php 5.3.10
当我尝试使用 wget 获取 URL 时,我得到:
wget https://[[servername]]/SOAP
Resolving [[servername]] ([[servername]])... xxx.xxx.xxx.xxx
Connecting to [[servername]]([[servername]])|xxx.xxx.xxx.xxx|:443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
$ openssl s_client -connect [[server]]:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL3 alert read:fatal:handshake failure
SSL_connect:error in unknown state
3074463944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
但是如果我强制使用 SSL3,就会得到预期的结果。
$ openssl s_client -ssl3 -connect [[server]]:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
**happy certificate stuff. this is good**
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
**more happy certificate stuff. **
我尝试添加 这个问题 中设置 ssl_version 为 3 的 curl-wrapper(因为似乎在上面的 openssl 命令中可以工作)。但是该包装器会放弃一些参数,因此我不确定这会有多完整。此外,除非我明确将检查设置为 false,否则仍会出现握手错误。如果我这样做(见下文),我将获得一个空响应。
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, false);
原因
如上所述,我怀疑是ssl握手问题,但我不知道该如何解决。我并不怀疑wsdl或客户端创建存在问题,因为连接使用另一个wsdl、相同的wsdl和不同位置设置等都可以正常工作。纯粹是这个(https)端点让我感到头痛。
额外测试
就像上面用curl包装器进行的测试一样,我尝试发送一个最小的soap信封,如@halfwarr在评论中建议的那样。也返回了空响应。
因此,看起来我确实有一种方法可以从服务器中挤出一个http 204,但这几乎不能算是成功。但它可能是第二个问题吗?不确定。
我想我需要尝试强制使用ssl3,但我不知道如何做到这一点(而且这可能也是错误的路径,所以我在这里尽力避免XY问题 :)
SoapClient面临的问题,但我不确定。 - Nanne