
fsockopen on SSL is not working on a specific host


On a working production server, at some point (June 24 at 13:18), fsockopen started to fail for no apparent reason.

$sock = fsockopen("ssl://mail.dupcheck.org",993, $errno, $errstr, 300);
  • it returns: $sock = false, errno = 0, errstr = "" quite fast.
  • it opens other servers.

Important to mention,

  • it does not work on either the Linux web server or the Windows (WAMP) development server
  • MS Outlook and other mail clients connect to this server perfectly and fetch the mail.
  • that day (June 24) we had some issues with the GoDaddy SSL certificate - it started to show an improper date! We called GoDaddy's support then and they said the issue was fixed.
  • Since then, for almost a month, SOMETIMES fsockopen worked and we received emails, and nobody paid attention, nobody checked that specific mailsend log ... until today it reached 300M!

====

PHP 7.3.3-1, ubuntu16.04.1


Yes, I read the manuals and googled for several hours, no relief. Nobody knows what that is, including system administrators.


Solution

  • From the comment:

    ... openssl s_client perfectly working ...

    It works in that it connects and does a TLS handshake. But it does not work perfectly since it clearly shows that the certificate validation fails:

    $ openssl s_client -connect mail.dupcheck.org:993
    ...
    Certificate chain
     0 s:/OU=Domain Control Validated/CN=mail.dupcheck.org
       i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
    ...
        Verify return code: 10 (certificate has expired)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    

    Taking a closer look at the certificate:

        Serial Number:
            92:a0:2d:2a:2f:28:6a:d5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Jun 24 10:16:38 2016 GMT
            Not After : Jun 24 10:16:38 2019 GMT
    

    Thus, this certificate expired some weeks ago. This is likely the reason the connection fails.

    ... tls.imirhil.fr/tls/mail.dupcheck.org:993 does not seem to show anything extraordinary.

    It looks like this site does not check the validity of the certificate at all.
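
A way to confirm the diagnosis from PHP itself, as an added example that is not part of the original question or answer: it reads the server certificate over a probe connection with verification disabled and reports where the current time falls in its validity window. The function names, the 10-second timeout and the sample "now" of 2019-07-20 are assumptions made for illustration.

```php
<?php
// Classify a certificate's validity window at time $now.
// $cert is the array returned by openssl_x509_parse().
function certValidityStatus(array $cert, int $now): string
{
    if ($now < $cert['validFrom_time_t']) {
        return 'not yet valid';
    }
    if ($now > $cert['validTo_time_t']) {
        $days = intdiv($now - $cert['validTo_time_t'], 86400);
        return "expired {$days} day(s) ago";
    }
    $days = intdiv($cert['validTo_time_t'] - $now, 86400);
    return "valid, {$days} day(s) remaining";
}

// Fetch the server certificate for inspection only. Verification is switched
// off on this one probe socket so the handshake completes and the certificate
// can be read; never send credentials or mail over it.
function fetchPeerCert(string $host, int $port, int $timeout = 10): ?array
{
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert' => true,
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'peer_name'         => $host,   // sent as SNI
    ]]);
    $sock = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return null;
    }
    $params = stream_context_get_params($sock);
    $parsed = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($sock);
    return $parsed === false ? null : $parsed;
}

// Constructed sample: the validity dates shown in the answer above,
// evaluated at an assumed "now" of 2019-07-20 00:00:00 UTC.
$sample = [
    'validFrom_time_t' => gmmktime(10, 16, 38, 6, 24, 2016),
    'validTo_time_t'   => gmmktime(10, 16, 38, 6, 24, 2019),
];
echo certValidityStatus($sample, gmmktime(0, 0, 0, 7, 20, 2019)), PHP_EOL;
// Live check (needs network access): php check.php <host> <port>
if (($argc ?? 0) === 3 && ($cert = fetchPeerCert($argv[1], (int) $argv[2])) !== null) {
    echo $argv[1], ': ', certValidityStatus($cert, time()), PHP_EOL;
}
```

Once the probe confirms an expired certificate, the remedy is to renew it on the server; the production `fsockopen` call should keep PHP's default peer verification.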