XF 1.4 SSL Server Error - Couldn't connect to ssl://

S

Sam Forbis

Member
I recently moved my Xenforo installation from an Linux/Apache machine to a Windows 2008 R2 machine running IIS 7.5. Everything is working flawlessly except for initiating remote SSL connections to services such as Google. Here's what is logged every time someone tries to log in with Google:

Code: 
Zend_Http_Client_Adapter_Exception: Unable to Connect to ssl://accounts.google.com:443. Error #0: - library\Zend\Http\Client\Adapter\Socket.php:235

Stack Trace:
Code: 
#0 C:\inetpub\sites\forbis_xenforo\library\Zend\Http\Client.php(973): Zend_Http_Client_Adapter_Socket->connect('accounts.google...', 443, true)
#1 C:\inetpub\sites\forbis_xenforo\library\XenForo\ControllerPublic\Register.php(1030): Zend_Http_Client->request('POST')
#2 C:\inetpub\sites\forbis_xenforo\library\XenForo\FrontController.php(347): XenForo_ControllerPublic_Register->actionGoogle()
#3 C:\inetpub\sites\forbis_xenforo\library\XenForo\FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#4 C:\inetpub\sites\forbis_xenforo\index.php(13): XenForo_FrontController->run()
#5 {main}

Request State:
Code: 
array(3) {
  ["url"] => string(151) "http://forums.forbisgaming.com/register/google?code=4/jDPYJwhLGYTgXBaGgibyciJC2rQQajlhCbxo-Yz63Kk.kntOXrTFnYIa3oEBd8DOtNDj7LcTlwI&csrf=G4eyd6Zv1eqIFSvK"
  ["_GET"] => array(2) {
    ["code"] => string(77) "4/jDPYJwhLGYTgXBaGgibyciJC2rQQajlhCbxo-Yz63Kk.kntOXrTFnYIa3oEBd8DOtNDj7LcTlwI"
    ["csrf"] => string(16) "G4eyd6Zv1eqIFSvK"
  }
  ["_POST"] => array(0) {
  }
}

Google login isn't the only external connection that throws an error, Facebook does it as well. I'm also using the new reCaptcha feature by Google, and it throws an SSL error when someone is signing up as well.

When a user tries to log in with Google, this shows up:
upload_2015-2-14_15-58-27.webp

Similarly, when Facebook is used, this shows up:
upload_2015-2-14_15-59-58.webp

I have the openssl extension uncommented from my php.ini file and my extensions directory is defined properly. Any help would be greatly appreciated.
 
Sort by date Sort by votes
What version of PHP?

The error code is unspecified so we don't know the nature of the error. I searched around and found several instances of this error relating to certificate problems on the requesting server (your web server). Basically Google suggests that it is likely openssl on your server is trying to verify the connection but is unable to find a certificate authority, and this is likely because the certs are missing on your server or the path is not correctly specified.

If you are running PHP 5.6:

http://php.net/manual/en/migration56.openssl.php
> http://php.net/manual/en/context.ssl.php

Here are some relevant directives which can be used in your php.ini file.

openssl.verify_peer
openssl.cafile
openssl.capath

You might first try setting openssl.verify_peer to false. If that resolves the error then you know it is related to certificate verification in which case you can try setting the other two options. Ideally you should not leave verification disabled because it leaves you open to attack.
 
Upvote 0 Downvote
Jake Bunce said:
What version of PHP?

The error code is unspecified so we don't know the nature of the error. I searched around and found several instances of this error relating to certificate problems on the requesting server (your web server). Basically Google suggests that it is likely openssl on your server is trying to verify the connection but is unable to find a certificate authority, and this is likely because the certs are missing on your server or the path is not correctly specified.

If you are running PHP 5.6:

http://php.net/manual/en/migration56.openssl.php
> http://php.net/manual/en/context.ssl.php

Here are some relevant directives which can be used in your php.ini file.

openssl.verify_peer
openssl.cafile
openssl.capath

You might first try setting openssl.verify_peer to false. If that resolves the error then you know it is related to certificate verification in which case you can try setting the other two options. Ideally you should not leave verification disabled because it leaves you open to attack.
Click to expand...
I am using PHP 5.6.

I am not extremely adept in web hosting, I basically know "enough to be dangerous." Should I just define openssl.verify_peer as "false" in PHP.INI?
 
Upvote 0 Downvote
Sam Forbis said:
I am using PHP 5.6.

I am not extremely adept in web hosting, I basically know "enough to be dangerous." Should I just define openssl.verify_peer as "false" in PHP.INI?
Click to expand...

If the problem is related to certificate verification then disabling openssl.verify_peer will confirm that. Leaving it disabled would avoid the problem, but you leave yourself open to attack. If some one hijacked your DNS or compromised your network then they could impersonate accounts.google.com
 
Upvote 0 Downvote
Jake Bunce said:
If the problem is related to certificate verification then disabling openssl.verify_peer will confirm that. Leaving it disabled would avoid the problem, but you leave yourself open to attack. If some one hijacked your DNS or compromised your network then they could impersonate accounts.google.com
Click to expand...
I set openssl.verify_peer = false in php.ini. I'm still having the issue. Do I need quotes around false? Or do you think that's not the problem?
 
Upvote 0 Downvote
Can you confirm the active value in your phpinfo? Visit admin.php?tools/phpinfo

If it's not working then I can take a look if you give me RDP access. But if your intention is to not verify certificates then you might consider just downgrading to PHP 5.5 which has verification disabled by default. Basically download and install PHP 5.5 and change your PHP handler in IIS.
 
Upvote 0 Downvote
I installed PHP 5.5 as you suggested and everything seems to be working properly. I would assume this is because of it not verifying certificates by default. So, now we know what the problem is. My only question is: why is my server missing the necessary root certificates for verifying the peer's names? I'd love to use 5.6 but I am not sure how to set this up properly.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

Mert
  • Question Question
XF 1.5 Unable to Connect to ssl://a.klaviyo.com:443. Error #0:" error
Replies
5
Views
86
mattrogowski
mattrogowski
oleksii-syvokhin
  • Question Question
XF 2.2 Connection could not be established with host smtp.gmail.com :stream_socket_client(): unable to connect to ssl://smtp.gmail.com:465
Replies
3
Views
4K
FedericoS
F
BassMan
  • Question Question
XF 2.1 Bounce connection error: cannot connect to host ; error = fsockopen(): unable to connect to ssl
Replies
2
Views
680
BassMan
BassMan
Okenyon
  • Question Question
XF 1.5 cannot connect to host; error = Connection refused (errno = 111 )
Replies
3
Views
660
Okenyon
Okenyon
vwts
  • Question Question
XF 2.1 Bounce connection error: cannot connect to host ; error = fsockopen(): unable to connect to ssl://:995
Replies
7
Views
2K
Ozzy47
Ozzy47
Back
Top Bottom