Connecting to WSS: Unable to complete SSL/TLS handshake #53

Closed
JimmyPruitt opened this issue Aug 23, 2017 · 7 comments

@JimmyPruitt

I have a WebSocket server that is running behind Apache that I'm able to connect to using Chrome, Safari, and Telnet just fine. However, when attempting to connect to that same server from PHP using Pawl, it's throwing an exception during the handshake:

Unable to complete SSL/TLS handshake: stream_socket_enable_crypto(): Peer certificate CN='*.foo.bar' did not match expected CN='local.blah.foo.bar'.

Here's my client code:

\Ratchet\Client\connect('wss://' . WEBSOCKET_SERVER_HOST . ':' . WEBSOCKET_SERVER_PORT)
    ->then(
          function ($conn) use ($message) {
              $conn->send($message);
          },
          function ($e) {
              echo $e;
          }
    );
@cboden
Member

cboden commented Aug 23, 2017

Take a look at previous issues about SSL. It looks like you're using a self-signed certificate? In that case you need to pass SSL context options to the Connector.

@JimmyPruitt
Author

JimmyPruitt commented Aug 23, 2017

It's working now, thank you.

$loop = \React\EventLoop\Factory::create();
$wsClient = new \Ratchet\Client\Connector($loop, null, ['verify_peer_name' => false, 'allow_self_signed' => true]);
$wsClient('wss://' . WEBSOCKET_SERVER_IP . ':' . WEBSOCKET_SERVER_PORT)->then(
      function ($conn) use ($message) {
          $conn->send($message);
          $conn->close();
      }
);

$loop->run();

Follow-up question: this only appears to work by using the IP address in the URL. Is there a way to use the host name instead?

@mbonneau mbonneau closed this as completed Oct 3, 2017
@mbonneau
Member

mbonneau commented Oct 3, 2017

I didn't see the follow-up question - reopening...

@mbonneau mbonneau reopened this Oct 3, 2017
@mbonneau
Member

mbonneau commented Oct 3, 2017

@JimmyPruitt - On your follow-up question - do you know if the name is able to be resolved? By default the resolver in Pawl uses 8.8.8.8.

@clue
Member

clue commented Oct 3, 2017

> Unable to complete SSL/TLS handshake: stream_socket_enable_crypto(): Peer certificate CN='*.foo.bar' did not match expected CN='local.blah.foo.bar'.

This error looks correct to me, as wildcard SSL certificates should only work one level below the root domain, perhaps https://stackoverflow.com/questions/2115611/wildcard-ssl-on-sub-subdomain could help here?

Other than that, you may also pass the peer_name context option to set the expected peer name for your remote host. This parameter should have preference over the implicit domain name from the connection URI.

@mbonneau
Member

Closing this issue - please feel free to comment if your issue is not fixed.

@Aymkdn

Aymkdn commented Mar 16, 2021

Since 2017, the way to do it changed, and I think it should now be:

require __DIR__ . '/vendor/autoload.php';

$loop = \React\EventLoop\Factory::create();
$connector = new \React\Socket\Connector($loop, [
  'timeout' => 20,
  'tls' => [ // here we define the SSL Context options (https://www.php.net/manual/en/context.ssl.php)
    'verify_peer' => false,
    'verify_peer_name' => false,
    'allow_self_signed' => true
  ]
]);
$wsClient = new \Ratchet\Client\Connector($loop, $connector);
$wsClient('wss://IP:PORT')->then(function($conn) {
    $conn->on('message', function($msg) use ($conn) {
        echo "Received: {$msg}\n";
        $conn->close();
    });

    $conn->send('Hello World!');
}, function ($e) {
    echo "Could not connect: {$e->getMessage()}\n";
});

$loop->run();
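
Added example, not part of the thread and not the project's own code: the peer_name approach from clue's comment, with certificate verification left on rather than switched off as in the snippets above. The port, the fallback name blah.foo.bar, the commented-out cafile path and the wildcardCovers helper are assumptions made for illustration.

```php
<?php
require __DIR__ . '/vendor/autoload.php';

// Names taken from the error message in this thread; the port is a placeholder.
const CERT_NAME = '*.foo.bar';
const HOST      = 'local.blah.foo.bar';
const PORT      = 8443;

// Simplified illustration of the wildcard rule ('*' stands for exactly one
// left-most label). This is not the matcher PHP uses internally.
function wildcardCovers(string $pattern, string $host): bool
{
    $p = explode('.', strtolower($pattern));
    $h = explode('.', strtolower($host));
    if (count($p) !== count($h)) {
        return false;
    }
    if ($p[0] === '*') {
        $p[0] = $h[0];
    }
    return $p === $h;
}

// HOST has one label more than CERT_NAME allows, so fall back to a name the
// certificate does cover (assumed here: blah.foo.bar).
$peerName = wildcardCovers(CERT_NAME, HOST) ? HOST : 'blah.foo.bar';

$loop = \React\EventLoop\Factory::create();
$connector = new \React\Socket\Connector($loop, [
    'timeout' => 20,
    'tls' => [
        'verify_peer'       => true,      // keep chain validation on
        'verify_peer_name'  => true,      // keep name validation on
        'allow_self_signed' => false,
        'peer_name'         => $peerName, // expected name, overrides the URI host
        // 'cafile' => '/path/to/ca.pem', // hypothetical path, for a private CA
    ],
]);
$wsClient = new \Ratchet\Client\Connector($loop, $connector);
$wsClient('wss://' . HOST . ':' . PORT)->then(function ($conn) {
    $conn->send('Hello World!');
    $conn->close();
}, function ($e) {
    // A certificate that fails validation ends up here instead of being accepted.
    echo "Could not connect: {$e->getMessage()}\n";
});

$loop->run();
```

With these options a certificate from an untrusted issuer, or one that does not cover the expected name, is rejected and reported through the error callback.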
