PHP socket server that uses ADH. How?

Tags: php, ssl, sockets

I'm trying to create a socket server using stream_socket_server().

Normal connections work fine, but I want to make a server that encrypts the connection without a certificate. I know that this can be accomplished with the ADH cipher, and yes, I know it's theoretically less secure than with a certificate...

The reason I'm making this server in the first place is to mock a different server to which a client connects (over this protocol, if you're wondering).

The client is configured to ask for a certificate first, and fall back to ADH - I've tested it with the real thing, and it connects without problems, so the problem is with the socket server.

Everything I've tried so far has resulted in a "handshake failure" error.

Some of the configurations I've tried:

<?php
// Attempt 1: restrict the server to the ADH cipher suites
$server = stream_socket_server(
    "tls://127.0.0.1:6667",
    $errorno,
    $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
    stream_context_create(
        array('ssl' => array('ciphers' => 'ADH'))
    )
);
?>

<?php
// Attempt 2: explicitly exclude every suite, then allow only ADH
$server = stream_socket_server(
    "tls://127.0.0.1:6667",
    $errorno,
    $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN,
    stream_context_create(
        array('ssl' => array('ciphers' => '-COMPLEMENTOFALL ADH'))
    )
);
?>

I've also tried to adjust the client to unconditionally use ADH (as with the second example above), just for testing's sake, but that too fails.

This happens with every PHP version I've tried, the latest of which is 5.5.0.

Any ideas?

boen_robot asked Aug 13 '13 20:08
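The configuration the question is after, as an added example (not the asker's code): the anonymous-DH context next to the certificate-based context a mock server can use instead, plus an accept routine that reports which suite was negotiated. It assumes PHP 5.6 or later (the `dh_param` context option that DH suites need is not available in 5.5.0) and OpenSSL 1.1.0 or later for the `@SECLEVEL` syntax; `dhparam.pem` and `server.pem` are placeholder paths.

```php
<?php
// Added example, not the asker's code. Assumes PHP >= 5.6 ('dh_param' and the
// STREAM_CRYPTO_METHOD_TLSv1_2_SERVER constant do not exist in 5.5) and
// OpenSSL >= 1.1.0 for '@SECLEVEL'. dhparam.pem / server.pem are placeholders.
// Anonymous-DH context. Two things the question's attempts lack: the server
// needs DH parameters before OpenSSL will offer any DH suite, and OpenSSL at
// security level >= 1 refuses unauthenticated (aNULL) suites, so the cipher
// string drops to level 0. TLS 1.3 has no anonymous suites, hence the 1.2 cap.
function anonDhContext($dhParamFile)
{
    return stream_context_create(array('ssl' => array(
        'ciphers'       => 'ADH:@SECLEVEL=0',   // nothing authenticates the server
        'dh_param'      => $dhParamFile,        // from: openssl dhparam -out dhparam.pem 2048
        'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_SERVER,
    )));
}

// Authenticated context: a self-signed cert is enough for a mock server and lets
// the client pin it, so a substituted server is detected instead of silently accepted.
function certContext($pemFile)
{
    return stream_context_create(array('ssl' => array(
        'local_cert' => $pemFile, // PEM: certificate followed by its private key
    )));
}

// Accept one TLS client and return the negotiated cipher suite name.
function serveOnce($address, $ctx)
{
    $server = stream_socket_server($address, $errno, $errstr,
        STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx);
    if ($server === false) {
        throw new RuntimeException("listen failed: $errstr ($errno)");
    }
    // For tls:// addresses the handshake runs inside accept(); a failed handshake
    // comes back as false plus an E_WARNING, which is turned into an exception here.
    $conn = @stream_socket_accept($server, 30);
    if ($conn === false) {
        $e = error_get_last();
        throw new RuntimeException('handshake failed: ' . ($e ? $e['message'] : 'unknown'));
    }
    $meta = stream_get_meta_data($conn); // PHP 7+: 'crypto' holds the session info
    $cipher = isset($meta['crypto']['cipher_name']) ? $meta['crypto']['cipher_name'] : 'unknown';
    fwrite($conn, "cipher: $cipher\r\n");
    fclose($conn);
    fclose($server);
    return $cipher;
}
echo serveOnce('tls://127.0.0.1:6667', anonDhContext('dhparam.pem')), "\n";
```

Start it with `php server.php` and connect from another shell with `openssl s_client -connect 127.0.0.1:6667 -tls1_2 -cipher 'ADH:@SECLEVEL=0'`; swap in `certContext('server.pem')` to see an authenticated suite negotiated instead.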



2 Answers

I would use a tool like Wireshark to examine the bits going over the wire so I could determine exactly what is going wrong with the handshake. Without that ability, you are going to be flying (or debugging) blind.

Once you know what is going wrong with your handshake, you can figure out the "why".

Mark Leighton Fisher answered Sep 20 '22 14:09


Firstly, check that SSL is set up correctly on your server. Run SSL Scanner at the service. I have a test script that doesn't work at all, as the OpenSSL calls don't run without a key file. This isn't an answer, but I lack time for more investigation...

You are aware that ADH is weak encryption? Most of the security advisories recommend turning it off. General reading on ADH: http://wiki.openssl.org/index.php/Manual:Ciphers(1)

Owen Beresford answered Sep 20 '22 14:09