
XF 1.4 SSL Server Error - Couldn't connect to ssl://

#1
I recently moved my Xenforo installation from a Linux/Apache machine to a Windows 2008 R2 machine running IIS 7.5. Everything is working flawlessly except for initiating remote SSL connections to services such as Google. Here's what is logged every time someone tries to log in with Google:

Code:
Zend_Http_Client_Adapter_Exception: Unable to Connect to ssl://accounts.google.com:443. Error #0: - library\Zend\Http\Client\Adapter\Socket.php:235
Stack Trace:
Code:
#0 C:\inetpub\sites\forbis_xenforo\library\Zend\Http\Client.php(973): Zend_Http_Client_Adapter_Socket->connect('accounts.google...', 443, true)
#1 C:\inetpub\sites\forbis_xenforo\library\XenForo\ControllerPublic\Register.php(1030): Zend_Http_Client->request('POST')
#2 C:\inetpub\sites\forbis_xenforo\library\XenForo\FrontController.php(347): XenForo_ControllerPublic_Register->actionGoogle()
#3 C:\inetpub\sites\forbis_xenforo\library\XenForo\FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#4 C:\inetpub\sites\forbis_xenforo\index.php(13): XenForo_FrontController->run()
#5 {main}
Request State:
Code:
array(3) {
  ["url"] => string(151) "http://forums.forbisgaming.com/register/google?code=4/jDPYJwhLGYTgXBaGgibyciJC2rQQajlhCbxo-Yz63Kk.kntOXrTFnYIa3oEBd8DOtNDj7LcTlwI&csrf=G4eyd6Zv1eqIFSvK"
  ["_GET"] => array(2) {
    ["code"] => string(77) "4/jDPYJwhLGYTgXBaGgibyciJC2rQQajlhCbxo-Yz63Kk.kntOXrTFnYIa3oEBd8DOtNDj7LcTlwI"
    ["csrf"] => string(16) "G4eyd6Zv1eqIFSvK"
  }
  ["_POST"] => array(0) {
  }
}
Google login isn't the only external connection that throws an error; Facebook does it as well. I'm also using the new reCaptcha feature by Google, and it throws an SSL error when someone is signing up as well.

When a user tries to log in with Google, this shows up:
upload_2015-2-14_15-58-27.png

Similarly, when Facebook is used, this shows up:
upload_2015-2-14_15-59-58.png

I have the openssl extension uncommented from my php.ini file and my extensions directory is defined properly. Any help would be greatly appreciated.
 

Jake Bunce

XenForo moderator
Staff member
#2
What version of PHP?

The error code is unspecified so we don't know the nature of the error. I searched around and found several instances of this error relating to certificate problems on the requesting server (your web server). Basically Google suggests that it is likely openssl on your server is trying to verify the connection but is unable to find a certificate authority, and this is likely because the certs are missing on your server or the path is not correctly specified.

If you are running PHP 5.6:

http://php.net/manual/en/migration56.openssl.php
> http://php.net/manual/en/context.ssl.php

Here are some relevant directives which can be used in your php.ini file.

openssl.verify_peer
openssl.cafile
openssl.capath

You might first try setting openssl.verify_peer to false. If that resolves the error then you know it is related to certificate verification in which case you can try setting the other two options. Ideally you should not leave verification disabled because it leaves you open to attack.
 
#3
I am using PHP 5.6.

I am not extremely adept in web hosting; I basically know "enough to be dangerous." Should I just define openssl.verify_peer as "false" in PHP.INI?
 

Jake Bunce

XenForo moderator
Staff member
#4
If the problem is related to certificate verification then disabling openssl.verify_peer will confirm that. Leaving it disabled would avoid the problem, but you leave yourself open to attack. If someone hijacked your DNS or compromised your network then they could impersonate accounts.google.com.
 
#5
I set openssl.verify_peer = false in php.ini. I'm still having the issue. Do I need quotes around false? Or do you think that's not the problem?
 

Jake Bunce

XenForo moderator
Staff member
#10
Can you confirm the active value in your phpinfo? Visit admin.php?tools/phpinfo

If it's not working then I can take a look if you give me RDP access. But if your intention is to not verify certificates then you might consider just downgrading to PHP 5.5 which has verification disabled by default. Basically download and install PHP 5.5 and change your PHP handler in IIS.
 
#11
I installed PHP 5.5 as you suggested and everything seems to be working properly. I would assume this is because of it not verifying certificates by default. So, now we know what the problem is. My only question is: why is my server missing the necessary root certificates for verifying the peer's names? I'd love to use 5.6 but I am not sure how to set this up properly.
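
Added example, not part of the thread and not XenForo or Zend code: a small PHP 5.6+ diagnostic for the question in post #11. It lists where PHP looks for CA certificates and attempts a connection with verification left on, collecting the OpenSSL warnings that the bare "Error #0" in the log does not show. The script name and the CA bundle path on the command line are placeholders.

```php
<?php
// Added diagnostic; not XenForo or Zend code. Requires PHP 5.6+ with ext/openssl.
// Usage (file name and bundle path are placeholders):
//   php tls_check.php accounts.google.com C:\path\to\ca-bundle.pem

// Report each CA source PHP/OpenSSL will consult and whether it exists on disk.
function caSources()
{
    $loc = openssl_get_cert_locations();
    $out = array();
    foreach (array('ini_cafile', 'ini_capath', 'default_cert_file', 'default_cert_dir') as $key) {
        $path = isset($loc[$key]) ? (string) $loc[$key] : '';
        $out[$key] = array('path' => $path, 'exists' => $path !== '' && file_exists($path));
    }
    return $out;
}

// Connect with verification ON; verify_peer is set here as an ssl stream-context option.
function verifiedConnect($host, $caFile = null)
{
    $ssl = array('verify_peer' => true, 'verify_peer_name' => true, 'peer_name' => $host);
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile; // use this PEM bundle for this connection
    }
    $warnings = array();
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg; // keep the OpenSSL detail that errno 0 does not carry
        return true;
    });
    $fp = stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, stream_context_create(array('ssl' => $ssl)));
    restore_error_handler();
    if ($fp !== false) {
        fclose($fp);
    }
    return array('ok' => $fp !== false, 'errno' => $errno, 'warnings' => $warnings);
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (caSources() as $key => $src) {
        printf("%-18s %s [%s]\n", $key, $src['path'] ?: '(unset)', $src['exists'] ? 'found' : 'MISSING');
    }
    $result = verifiedConnect($argv[1], isset($argv[2]) ? $argv[2] : null);
    echo $result['ok'] ? "verified connection OK\n" : "FAILED, errno {$result['errno']}\n";
    foreach ($result['warnings'] as $w) {
        echo "  $w\n";
    }
}
```

If the run fails with only the default sources and succeeds when a bundle path is passed, pointing `openssl.cafile` in php.ini at that bundle lets verification stay enabled on PHP 5.6.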