Disable Certificate Verification in PHP Soapclient

Disable certificate verification in PHP SoapClient

SoapClient takes a stream context in its parameters, which you can create yourself. That way you can control almost every aspect of the transport layer:

$context = stream_context_create([
    'ssl' => [
        // set some SSL/TLS specific options
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    ]
]);

$client  = new SoapClient(null, [
    'location' => 'https://...',
    'uri' => '...', 
    'stream_context' => $context
]);

Documentation:

• stream_context_create() ^Docs
• HTTP context options ^Docs
• SSL context options ^Docs

PHP SOAP client with certificates over SSL

I've fixed this problem. I think, due to the number of questions regarding this issue and number of different solutions, others will benefit from the solution. Here goes:

I used the openssl CLI program to convert the .p12 key-file to a .pem key-file. The trick is the way the conversion takes place.

First I converted it with this command and I had the issue as described in the question:

openssl pkcs12 -in key.p12 -out key.pem -nodes -clcerts

While the command below did the actual trick:

openssl pkcs12 -in key.p12 -out key.pem -clcerts

For more info please see the source I used: https://community.qualys.com/docs/DOC-3273

Creating a PHP SOAP request with a certificate

I managed to get this working but there are some oddities that I wonder about. Specifically the need to combine the client certificate and private key into a single file to send along with the Soap Request as well as the certificate pass-phrase was breaking the request although the PHP Soap documentation explicitly includes it as an option. If anyone has input on how to improve this I would love to hear it.

1) Create the OpenSsl client and server certificates and sign them with the certificate authority. When creating the certificate do not assign a passphrase to them, just hit the enter button at that point.

2) Import the server certificate authority file into the Machine certificate store under the trusted root. You can get to this by using the MMC command at the command prompt and then adding the Certificates snap in.

3) Import the Server certificate into the Machine store Personal certificate store

4) Import the client certificate in the local account Personal store. You can do this by typing certmgr.msc at the command prompt.

5) Make sure to have Apache with a SSL version of PHP running. If you already had a non-php version of PHP installed you can follow these steps to configure your Apache server to run using SSL.

Inside httpd.conff

a) Remove the comment ‘#’ at line : LoadModule ssl_module modules/mod_ssl.so

b) Remove the comment ‘#’ at the line inside `<IfModule ssl_module>`:  Include /extra/httpd-ssl.conf

   and move this line after the block `<IfModule ssl_module>…. </IfModule>`  

Inside php.ini

c) Remove the comment ‘;’ at the line which says: extension=php_openssl.dll

6) Configure IIS to use a certificate and SSL using the following steps:

a) Right click the 'Default Website' node choose 'Properties'

b) 'Directory Security' tab 'Server Certificate' button. Follow the wizard to select the certificate you imported into the store then complete the wizard and return to the 'Directory Security' tab.

c) Under 'Secure Communications' select the 'Edit' button. 

d) Check the 'Require Secure Channel (SSL) checkbox.

7) Creating the PHP SOAP request (the test() method should be a valid method in your Web service):

$wsdl = "https://localhost/MyService/myservices.asmx?wsdl";
$local_cert = "C:\\SoapCerts\ClientKeyAndCer.pem";

$soapClient = new SoapClient($wsdl, array('local_cert' => $local_cert));

$theResponse = $soapClient->test();

8) Place this file into your Apache directory. By Default: 'C:\Program Files\Apache Group\Apache2\htdocs'

9) You will need access to the client certificate. In the steps you took to produce the client and server certificates you also produced the private key files. Open the client_prv.pem (the client private key file) and copy the contents into a new document with a text editor. It is probably safer to use something like Textpad that will hopefully not add a bunch of special characters, certificate parsers are very picky. Immediately after the private key part place the contents of the client certificate (client_cer.pem) so that the resulting file is an un-escaped copy of the client private key and client

certificate. Save the resulting file to a directory you can get to from the php file. In the example above the resulting file is the

'C:\SoapCerts\ClientKeyAndCer.pem' file.

9) Navigate to localhost/nameOfYourFile.php. You should see a successful connection to the service with a response matching the expected results from your

Web service method.

Connecting to a SOAP service with 2 way SSL

Because the location for the login and localwsdlfile.wsdl is different, I could not do it with one call. So we created a function using curl to login and if login is successful it will proceed to the soapclient. Thanks to Brian from freelancer for his assistance here.

$client = new SoapClient('wsdl/VocusSchemas/localwsdlfile.wsdl', array(
    'trace' => 1,
    'exception' => true
));

try {

    $response = $client->Get(array(
        // "AccessKey" => "MADAITABNSAATOT1",
        "AccessKey" => "accesskey",
        "ProductID" => "SOMEPRODUCT",
        "Scope" => "SOMESCOPE",
        "Parameters" => array('Param' => array('_' => 'DATATOLOOKUP', 'id' => 'MOREDATATOLOOKUP'))
    ));

---

Related Topics