Unable to enable crypto on TCP connection

I would like to connect server A and server B using TLS v1.2,
but I got an error “Unable to enable crypto on TCP connection”.

It is implemented as follows.
When I looked at the packets with tcpdump, I found that server A and server B failed to connect with SSLv3 instead of TLS v1.2.

Could you tell me how to solve this problem?


Zend Framework 3
PHP 7.3
apache2.4


        $config = array(
            'adapter' => Zend\Http\Client\Adapter\Socket::class,
            'ssltransport' => 'tlsv1.2',
            'sslverifypeer' => false,
            'timeout' => 3
        );
        $options = array(
            'ssl' => array(
                'allow_self_signed' => TRUE,
                'capture_peer_cert' => FALSE,
                'cafile' => 'xxx.crt'
            )
        );
        $options['ssl']['verify_peer'] = FALSE;
        $options['ssl']['verify_peer_name'] = FALSE;

        $adapter = new Zend\Http\Client\Adapter\Socket();
        $context = stream_context_create($options);
        $adapter->setStreamContext($context);
        $client = new Zend\Http\Client();
        $client->setAdapter($adapter);
        $client->setOptions($config);
        $client->setUri($urls['xxx']);
        $client->setMethod(Zend\Http\Request::METHOD_POST);
        $client->setRawBody($wsdl);
        $client->setEncType('text/xml');

        $response = $client->send();

Thanks for your insights.

The socket adapter unfortunately does not complain when you indicate an invalid ssltransport option and “tlsv1.2” is invalid. In that case, it falls back to sslv3:

Here are the defined supported transports:

Fortunately, you can config it to use tls1.2 by specifying 'ssltransport' => 'ssl'. Under the hood, that option will negotiate the best protocol that the server supports. You’ll likely find that it uses tls1.2 in your case.

Forcing tls1.2 takes a bit more work. If you need to do that, you’ll need to build your own stream context and provide it to the socket adapter. Here’s the docs on how to do that:

https://docs.zendframework.com/zend-http/client/adapters/#customizing-and-accessing-the-socket-adapter-stream-context

Now that I’ve typed all that up… I suggest using a different http client. This lib is a little outdated and you can see that it has limitations. I’m sure it doesn’t have much hope of being improved or supported long-term. Take a look at php-http and Guzzle. Both support PSR-7 and will likely be supported by their respective communities far longer than zend-http.

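As an added example (not part of the original thread and not zend-http code), the plain-PHP check below opens a TCP connection, upgrades it while offering only TLS 1.2 with peer verification enabled, and returns the protocol PHP reports as negotiated, so the result can be confirmed without tcpdump. The function name `probeTls12` and the host, port and CA-file arguments are hypothetical; whether the Zend socket adapter's own `ssltransport` handling overrides a custom stream context is not shown on this page, so the example does not go through the adapter.

```php
<?php
declare(strict_types=1);

/**
 * Connect to $host:$port, require TLS 1.2 with peer verification, and
 * return the negotiated protocol and cipher details as reported by PHP.
 * $caFile is the CA bundle (or the self-signed certificate itself) to trust.
 */
function probeTls12(string $host, int $port, string $caFile): array
{
    $context = stream_context_create([
        'ssl' => [
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $host,   // name checked against the certificate
            'cafile'           => $caFile,
        ],
    ]);

    // Plain TCP first, then upgrade: the same two-step sequence that the
    // error message "Unable to enable crypto on TCP connection" refers to.
    $socket = @stream_socket_client(
        "tcp://{$host}:{$port}", $errno, $errstr, 3.0,
        STREAM_CLIENT_CONNECT, $context
    );
    if ($socket === false) {
        throw new RuntimeException("TCP connect failed: {$errstr} ({$errno})");
    }

    // Only TLS 1.2 is offered; a peer that cannot speak it fails the
    // handshake here instead of silently getting an older protocol.
    $ok = @stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);
    if ($ok !== true) {
        fclose($socket);
        throw new RuntimeException('TLS 1.2 handshake failed');
    }

    // For encrypted streams the metadata carries a 'crypto' array with
    // protocol, cipher_name, cipher_bits and cipher_version.
    $crypto = stream_get_meta_data($socket)['crypto'] ?? [];
    fclose($socket);
    return $crypto;
}

// CLI usage with your own values: php probe.php <host> <port> <ca-file>
if (PHP_SAPI === 'cli' && isset($argv[3])) {
    $info = probeTls12($argv[1], (int) $argv[2], $argv[3]);
    printf("%s / %s\n", $info['protocol'] ?? '?', $info['cipher_name'] ?? '?');
}
```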

Hi! marcguyer

Thank you for your quick response.
By using 'ssltransport' => 'ssl', we were able to connect with TLS v1.2!!
I will also check your other useful comments!