
XF 1.4 SSL Server Error - Couldn't connect to ssl://

Discussion in 'Troubleshooting and Problems' started by Sam Forbis, Feb 14, 2015.

  1. Sam Forbis

    Sam Forbis Member

    I recently moved my XenForo installation from a Linux/Apache machine to a Windows 2008 R2 machine running IIS 7.5. Everything is working flawlessly except for initiating remote SSL connections to services such as Google. Here's what is logged every time someone tries to log in with Google:

    Code:
    Zend_Http_Client_Adapter_Exception: Unable to Connect to ssl://accounts.google.com:443. Error #0: - library\Zend\Http\Client\Adapter\Socket.php:235
    Stack Trace:
    Code:
    #0 C:\inetpub\sites\forbis_xenforo\library\Zend\Http\Client.php(973): Zend_Http_Client_Adapter_Socket->connect('accounts.google...', 443, true)
    #1 C:\inetpub\sites\forbis_xenforo\library\XenForo\ControllerPublic\Register.php(1030): Zend_Http_Client->request('POST')
    #2 C:\inetpub\sites\forbis_xenforo\library\XenForo\FrontController.php(347): XenForo_ControllerPublic_Register->actionGoogle()
    #3 C:\inetpub\sites\forbis_xenforo\library\XenForo\FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
    #4 C:\inetpub\sites\forbis_xenforo\index.php(13): XenForo_FrontController->run()
    #5 {main}
    Request State:
    Code:
    array(3) {
      ["url"] => string(151) "http://forums.forbisgaming.com/register/google?code=4/jDPYJwhLGYTgXBaGgibyciJC2rQQajlhCbxo-Yz63Kk.kntOXrTFnYIa3oEBd8DOtNDj7LcTlwI&csrf=G4eyd6Zv1eqIFSvK"
      ["_GET"] => array(2) {
        ["code"] => string(77) "4/jDPYJwhLGYTgXBaGgibyciJC2rQQajlhCbxo-Yz63Kk.kntOXrTFnYIa3oEBd8DOtNDj7LcTlwI"
        ["csrf"] => string(16) "G4eyd6Zv1eqIFSvK"
      }
      ["_POST"] => array(0) {
      }
    }
    Google login isn't the only external connection that throws an error, Facebook does it as well. I'm also using the new reCaptcha feature by Google, and it throws an SSL error when someone is signing up as well.

    When a user tries to log in with Google, this shows up:
    [Attached image: upload_2015-2-14_15-58-27.png]

    Similarly, when Facebook is used, this shows up:
    [Attached image: upload_2015-2-14_15-59-58.png]

    I have the openssl extension uncommented from my php.ini file and my extensions directory is defined properly. Any help would be greatly appreciated.
     
  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    What version of PHP?

    The error code is unspecified so we don't know the nature of the error. I searched around and found several instances of this error relating to certificate problems on the requesting server (your web server). Basically Google suggests that it is likely openssl on your server is trying to verify the connection but is unable to find a certificate authority, and this is likely because the certs are missing on your server or the path is not correctly specified.

    If you are running PHP 5.6:

    http://php.net/manual/en/migration56.openssl.php
    http://php.net/manual/en/context.ssl.php

    Here are some relevant directives which can be used in your php.ini file.

    openssl.verify_peer
    openssl.cafile
    openssl.capath

    You might first try setting openssl.verify_peer to false. If that resolves the error then you know it is related to certificate verification in which case you can try setting the other two options. Ideally you should not leave verification disabled because it leaves you open to attack.
     
  3. Sam Forbis

    Sam Forbis Member

    I am using PHP 5.6.

    I am not extremely adept in web hosting; I basically know "enough to be dangerous." Should I just define openssl.verify_peer as "false" in PHP.INI?
     
  4. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    If the problem is related to certificate verification then disabling openssl.verify_peer will confirm that. Leaving it disabled would avoid the problem, but you leave yourself open to attack. If someone hijacked your DNS or compromised your network then they could impersonate accounts.google.com.
     
  5. Sam Forbis

    Sam Forbis Member

    I set openssl.verify_peer = false in php.ini. I'm still having the issue. Do I need quotes around false? Or do you think that's not the problem?
     
  6. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    1/0, Yes/No, On/Off, or True/False should work.

    You must restart the web server after editing the php.ini file.
     
  7. Sam Forbis

    Sam Forbis Member

    Would restarting the IIS service suffice?
     
  8. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Yes.
     
  9. Sam Forbis

    Sam Forbis Member

    I tried each and restarted the server after each edit. The server still gives the same error.
    [Attached image: upload_2015-2-15_1-3-27.png]
     
  10. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Can you confirm the active value in your phpinfo? Visit admin.php?tools/phpinfo

    If it's not working then I can take a look if you give me RDP access. But if your intention is to not verify certificates then you might consider just downgrading to PHP 5.5 which has verification disabled by default. Basically download and install PHP 5.5 and change your PHP handler in IIS.
     
  11. Sam Forbis

    Sam Forbis Member

    I installed PHP 5.5 as you suggested and everything seems to be working properly. I would assume this is because of it not verifying certificates by default. So, now we know what the problem is. My only question is: why is my server missing the necessary root certificates for verifying the peer's names? I'd love to use 5.6 but I am not sure how to set this up properly.
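
An added diagnostic for the question in the post above (not from the thread, and not XenForo or Zend code): it lists where PHP 5.6 looks for trusted root certificates, counts the certificates in a CA bundle, and opens an ssl:// connection with verification left on. The script name, the bundle path argument and the host argument are assumptions; `verify_peer`, `verify_peer_name` and `cafile` are the SSL context options documented at the context.ssl.php link earlier in the thread.

```php
<?php
// Added example, not from the thread. Usage: php tlscheck.php [ca-bundle.pem] [host]
// Without a host argument it stays offline and only inspects the trust configuration.

// Report every place PHP/OpenSSL will look for trusted roots, and whether it exists.
function trustLocations()
{
    $loc = openssl_get_cert_locations();          // available from PHP 5.6
    $rows = array(
        'php.ini in use'       => php_ini_loaded_file(),
        'openssl.cafile (ini)' => $loc['ini_cafile'],
        'openssl.capath (ini)' => $loc['ini_capath'],
        'OpenSSL default file' => $loc['default_cert_file'],
        'OpenSSL default dir'  => $loc['default_cert_dir'],
    );
    $out = array();
    foreach ($rows as $label => $path) {
        $state = !$path ? 'not set' : (file_exists($path) ? 'exists' : 'MISSING');
        $out[] = sprintf('%-22s %-8s %s', $label, $state, $path);
    }
    return $out;
}

// Count the certificates in a PEM bundle that OpenSSL can actually parse.
function countRoots($bundle)
{
    $pem = @file_get_contents($bundle);
    if ($pem === false) return 0;
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    return count(array_filter($m[0], 'openssl_x509_parse'));
}

// Open an ssl:// stream socket like the one in the logged error, with
// verification left ON and the CA bundle given explicitly.
function verifiedConnect($host, $bundle)
{
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer' => true, 'verify_peer_name' => true, 'cafile' => $bundle,
    )));
    $fp = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp) { fclose($fp); return "OK: $host verified against $bundle"; }
    $last = error_get_last();                     // handshake failures surface as warnings
    return "FAILED (#$errno $errstr) " . ($last ? $last['message'] : '');
}

echo implode(PHP_EOL, trustLocations()), PHP_EOL;
if (isset($argv[1])) echo countRoots($argv[1]), " parsable certificates in {$argv[1]}", PHP_EOL;
if (isset($argv[2])) echo verifiedConnect($argv[2], $argv[1]), PHP_EOL;
```

If the verified connection succeeds with an explicit bundle, setting `openssl.cafile` in php.ini to that same path makes it the default for ssl:// streams that do not name their own bundle, so verification can stay enabled.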
     
  12. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member
