[ZendTo] google, recaptcha, certificate verification error

Kyle Dippery kyle.dippery at uky.edu
Thu Oct 13 15:08:00 BST 2016


A few days ago I upgraded ports on the FreeBSD (9.3) system I have 
ZendTo (4.12-5) on.  Then I started getting errors when I tried to pick 
up files.  The log lines from apache:

     [Mon Oct 10 14:52:36 2016] [error] [client 10.163.140.48] PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /usr/local/www/apache22/data/ZendTo-4.12-5/www/recaptchalib.php on line 110
     [Mon Oct 10 14:52:36 2016] [error] [client 10.163.140.48] PHP Warning:  fsockopen(): Failed to enable crypto in /usr/local/www/apache22/data/ZendTo-4.12-5/www/recaptchalib.php on line 110
     [Mon Oct 10 14:52:36 2016] [error] [client 10.163.140.48] PHP Warning:  fsockopen(): unable to connect to ssl://www.google.com:443 (Unknown error) in /usr/local/www/apache22/data/ZendTo-4.12-5/www/recaptchalib.php on line 110

It's possible that the new certificate bundle (one of the ports that got 
upgraded) left out Google's certificate, but I put the pre-upgrade 
bundle back in place and got the same errors.  So, apparently, something 
in the port upgrade turned on PHP's certificate verification, and it's 
failing on Google's certificate. I've poked around and found that by 
replacing fsockopen() in recaptchalib.php line 110 with 
stream_socket_client(), along with some appropriate stream context 
options (lots of new concepts for me, yesterday), I could get it to work 
again:

zendto/www/recaptcha.php:
     110                 //$fs = fsockopen("ssl://" . $hostname, 443, $errno, $errstr, 10);
     111                 /* new stuff 2016-10-10 */
     112                 $kd_contextOptions = array(
     113                         'ssl' => array(
     114                                 'verify_peer' => false,
     115                                 'verify_name' => false,
     116                                 'allow_self_signed' => true,
     117                         )
     118                 );
     119                 $kd_context = stream_context_create($kd_contextOptions);
     120                 $fs = stream_socket_client("ssl://{$hostname}:443", $errno, $errstr, 20, STREAM_CLIENT_CONNECT, $kd_context);
     121                 /* end new stuff 2016-10-10 */
     122                 if( false == $fs ) {
     123                         // fsockopen failed
     124                 } else {
     125                         fwrite($fs, $http_request);
     126                         while (!feof($fs)) {
     127                                 $result .= fgets($fs, 4096);
     128                         }
     129
     130                         $result = explode("\r\n\r\n", $result, 2);
     131                         $result = $result[1];
     132                 }
     133         }
     134
     135         // Return the result.
     136         return $result;

but it was a bit of a fight getting there.

I don't know if this is a bug report, an FYI, or just a war story, but 
there it is.  It seems like, if I've run into this, someone else has, 
too, or will, so there's how I fixed it.  Has anyone else seen this?  Is 
there a better way around it?

Thanks,
Kyle

References:

http://www.herongyang.com/PKI/HTTPS-PHP-OpenSSL-Verify-Server-Certificate-Failed.html 
(seems to imply that Google's certificate has been failing verification 
for a while)

https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting (in the "PHP 
5.6 certificate verification failure", for the stream context options)

http://php.net/manual/en/function.stream-socket-client.php 
(stream_socket_client notes; see down in the comments for using 'ssl://' 
instead of 'tcp://'; with 'tcp://' I successfully connected but never 
got any response, so all of my recaptcha tests failed)

-- 
Kyle Dippery
Engineering Computing Services
219 RMB
859-257-1346
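
As an added example (not from the post above and not ZendTo's own code), the same stream_socket_client() call with certificate verification left on and the CA bundle named explicitly, so a bundle or PHP default change shows up as a logged verification failure rather than a silently trusted connection. The bundle path is an assumption (the file the FreeBSD ca_root_nss port installs); adjust it for the system in use.

```php
<?php
// Added example: keep chain and hostname verification on and point PHP at a
// known CA bundle instead of turning verify_peer off.
// Assumed path: the FreeBSD ca_root_nss port installs
// /usr/local/share/certs/ca-root-nss.crt; change it for other systems.
function verifiedRecaptchaSocket($hostname, $timeout = 20)
{
    $cafile = '/usr/local/share/certs/ca-root-nss.crt';   // assumption
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,      // validate the chain against $cafile
            'verify_peer_name'  => true,      // the key PHP reads (not 'verify_name')
            'allow_self_signed' => false,
            'cafile'            => $cafile,
            'peer_name'         => $hostname, // name the certificate must match
            'capture_peer_cert' => true,      // keep the leaf cert for logging
        ),
    ));
    $fs = @stream_socket_client("ssl://{$hostname}:443", $errno, $errstr,
                                $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($fs === false) {
        // Drain the OpenSSL error queue so the log says why verification
        // failed instead of the generic "(Unknown error)".
        $detail = array();
        while (($e = openssl_error_string()) !== false) {
            $detail[] = $e;
        }
        error_log("recaptcha TLS connect to {$hostname} failed: {$errstr} ("
                  . implode('; ', $detail) . ")");
        return false;
    }
    // Record which certificate was actually presented; handy when a CA
    // bundle or the remote chain changes underneath you.
    $params = stream_context_get_params($context);
    if (!empty($params['options']['ssl']['peer_certificate'])) {
        $info = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
        error_log("recaptcha peer: " . $info['name'] . " issued by "
                  . $info['issuer']['CN'] . " valid to "
                  . date('c', $info['validTo_time_t']));
    }
    return $fs;
}
```

A returned stream is used exactly as the original $fs (fwrite the request, read until feof), so the rest of recaptchalib.php needs no change.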
