Issue

PHP 5.6, new in Zend Server 8, enables peer certificate verification by default, using the OpenSSL default CA bundle.  OpenSSL on IBM i, installed as part of the 5733SC1 Licensed Program, does not include a default CA bundle.  This can cause a fatal error when PHP makes internet requests over SSL.  For example, a SOAP request to a server using SSL (the address starts with https://) may suddenly begin to fail after upgrading to PHP 5.6.

The message may contain this text: "certificate verify failed".

Environment

Zend Server 8 or later, using PHP 5.6 or later, running on any supported version of IBM i.

Resolution


Note: It is OK to use copy and paste to copy the PASE commands out of this article into the PASE shell to run them.  However, the default CA bundle file name can be different depending on the version of IBM i, so please be careful to fix the file name in the pasted commands before running them. The file name includes the path, which is different for each version of IBM i.

To begin, please sign on to a 5250 session as QSECOFR or a *SECOFR class user.

Run this command to start the PASE shell:

call QP2TERM

In the PASE shell, please set the current directory to the PHP bin directory. This will allow you to run PHP commands interactively using the php-cli command:

cd /usr/local/zendsvr6/bin

php-cli -r 'ini_set("display_errors", 1);
            $context = stream_context_create(["ssl" => ["verify_peer" => false]]);
            readfile("https://curl.haxx.se/ca/cacert.pem", false, $context);' > /usr/local/openssl-1.0.1k/ssl/cert.pem

This command can run for a short while, so please remember to wait for the $ or # prompt to appear before proceeding to the next command.  In PASE, there is no "input inhibited" state, so it is possible to start a new command before the previous command has finished.

In the previous command, we turned display_errors on to show any errors that might come up if the command is not successful.  We also set up a stream context that sets the SSL verify_peer option to false.  This allows us to reach the site without a CA bundle, which of course we don't have until the command completes.  You can see more SSL Context Options here:

SSL context options

You can use the cat command to view the contents of this file in your PASE shell.  It is quite long, so you can also consider using the head command to display just the first lines of it.  You can also open the file in an editor to view it, but be very careful not to modify it.  Here is an example that shows just the first 25 lines (remember to use your specific cert.pem file location):

head -25 /usr/local/openssl-1.0.1k/ssl/cert.pem

If everything went well, there will be no errors.

If you haven't already done so, please set up the Random Number Generator: Enable the Pseudo Random Number Generator on IBM i to support SSL
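As an added check that is not part of the Zend article: once the bundle is in place, this script (assumed to be saved as a file and run with php-cli from the PHP bin directory; the cert.pem path is the article's OpenSSL 1.0.1k location and must be adjusted for your IBM i release) confirms that PHP finds the bundle, that every certificate in it parses, and that a download with verify_peer and verify_peer_name enabled now succeeds, so the verify_peer=false bootstrap step is not the last word.

```php
<?php
// Added example, not from the Zend article. Run in PASE after the bundle
// is installed:  php-cli verify_bundle.php   (file name is an assumption)
// Path assumption: the article's OpenSSL 1.0.1k layout; adjust for your IBM i release.
$caFile = '/usr/local/openssl-1.0.1k/ssl/cert.pem';

// 1. Where does this PHP build look for the default bundle? (PHP >= 5.6)
$loc = openssl_get_cert_locations();
printf("PHP default_cert_file: %s\n", $loc['default_cert_file']);
if (!is_readable($caFile)) {
    fwrite(STDERR, "bundle not readable at $caFile\n");
    exit(1);
}

// 2. Make sure the file really is a CA bundle: every PEM block must parse.
$pem = file_get_contents($caFile);
preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
$parsed = 0;
foreach ($m[0] as $cert) {
    if (@openssl_x509_parse($cert) !== false) { $parsed++; }
}
printf("certificates found: %d, parsed OK: %d\n", count($m[0]), $parsed);
if ($parsed === 0 || $parsed !== count($m[0])) {
    fwrite(STDERR, "bundle looks empty or damaged\n");
    exit(1);
}

// 3. Repeat the download with verification ON and the bundle named explicitly.
$ctx = stream_context_create(['ssl' => [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,
    'cafile'            => $caFile,
    'capture_peer_cert' => true,   // keep the server cert so we can report it
]]);
$fp = @fopen('https://curl.haxx.se/ca/cacert.pem', 'r', false, $ctx);
if ($fp === false) {
    $err = error_get_last();
    fwrite(STDERR, "verified connection FAILED: "
        . (isset($err['message']) ? $err['message'] : 'unknown') . "\n");
    exit(1);
}
$params = stream_context_get_params($fp);
$peer   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
printf("verified connection to %s, issued by %s\n",
    isset($peer['subject']['CN']) ? $peer['subject']['CN'] : '?',
    isset($peer['issuer']['CN'])  ? $peer['issuer']['CN']  : '?');
fclose($fp);
```

A "certificate verify failed" message at step 3 means the bundle is not at the path PHP reports in step 1, or the file is incomplete.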


Details

You can learn more about this new feature of PHP 5.6 here:

OpenSSL changes in PHP 5.6.x

As mentioned at the above link, it is possible to disable peer certificate verification, but it is not recommended.

The example CA bundle from cURL is extracted from the CA bundle in Mozilla, which is used in Firefox.  The idea is that anyone using Firefox is already trusting this CA bundle, even though they may not be aware of it.  You may feel uncomfortable downloading this CA bundle over the internet, which is a reasonable concern.  There are techniques you can use to extract the CA bundle from Firefox yourself, and you can use the internet to learn more about those.  The purpose of this article is to provide our customers with a quick resolution to the problem; the customer may decide to continue to rely on this CA bundle, or may decide to find another source for the CA bundle.

Another resource we found for a .pem file is Google.  They seem to update more often, so if you need to use Google services, you might choose to use their .pem file (remember to use your specific cert.pem file location):

php-cli -r 'ini_set("display_errors", 1);
            $context = stream_context_create(["ssl" => ["verify_peer" => false]]);
            readfile("https://pki.google.com/roots.pem", false, $context);' > /usr/local/openssl-1.0.1k/ssl/cert.pem