PHP fails to connect to api-ssl - why?

I used to use the https://github.com/BenMenking/routeros-api PHP class to access the ROS API over the net.

It was quite a good approach until I tried to use an SSL-protected link. I activated API-SSL in the device configuration (I used the same certificate I used to set up the OVPN client), changed my code that tries to access the API over SSL… nope, no luck:

PHP Warning:  fsockopen(): SSL: Connection reset by peer in routeros_api.class.php on line 111
PHP Warning:  fsockopen(): Failed to enable crypto in routeros_api.class.php on line 111
PHP Warning:  fsockopen(): unable to connect to ssl://hostname:8729 (Unknown error) in routeros_api.class.php on line 111

I tried several PHP versions (5.5, 5.6), no luck as well.

The associated code is the following:

            $PROTOCOL = ($this->ssl ? 'ssl://' : '' );
            $this->debug('Connection attempt #' . $ATTEMPT . ' to ' . $PROTOCOL . $ip . ':' . $this->port . '...');
            $this->socket = fsockopen($PROTOCOL . $ip, $this->port, $this->error_no, $this->error_str, $this->timeout);

(I’ve stripped @ from the beginning of fsockopen)

I tried to add the following:

            $contextOptions = [
                'ssl' => [
                    'verify_peer' => false,
                    'allow_self_signed' => true,
                    'verify_peer_name' => false
                ]
            ];
            $context = stream_context_create($contextOptions);

right before the fsockopen call, and it didn’t help either.

Have you ever seen that problem? Is there any way to get over it? I suspect this is not a PHP problem, and it is not a ROS problem either - but their mutual “misunderstanding”.

You need to use TLS, not SSL.

Currently, PHP TLS streams are sometimes unstable though. After a lot of workarounds in my PHP API client, and two reports to PHP, today, with the most recent PHP 5.6 version (or 7.0), you can safely read and write a few KBs at a time (that is, ALL data received from the router from the last send), which is enough for many cases, but far from “most”. Beyond that, connections spontaneously become either disconnected, or stuck in an infinite loop, due to internal PHP problems.

I was told that to really fix those issues for good, the internal PHP streams API needs changes,… which in turn means changes to many extensions and an RFC vote before that. All of that means that unless a rockstar, persuasive and extremely prolific C developer arrives on the scene, TLS streams will remain unstable for a long while now.

That is, I need to change “ssl://” to “tls://” in the code, like that:

instead of

            $PROTOCOL = ($this->ssl ? 'ssl://' : '' );

to use

            $PROTOCOL = ($this->ssl ? 'tls://' : '' );

right? I tried that but the error was the same.

Is the problem in every 5.x version, or just in the 5.6 branch? I can afford to downgrade to 5.5 or even 5.4, if that can help.

Anyway, thank you very much for your reply! I never imagined PHP was so poor at SSL/TLS handling :(

Like I said, “a lot of workarounds”. There’s more to it than just replacing the scheme. So much in fact, that I have it moved away in its dedicated package. Its sole job is to make sure that asking for N bytes returns N bytes, always.
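
An added example, not part of the thread and not code from routeros-api or the package mentioned above: fsockopen() has no context parameter, so this version passes the context to stream_socket_client() with peer verification left on, and pairs it with a read loop that returns exactly N bytes or throws. The function names, host name and CA file path are assumptions made for illustration.

```php
<?php
// Added example: openApiTls() and readExactly() are hypothetical helper names.

/** Open a TLS stream, handing the context to a call that actually accepts one. */
function openApiTls($host, $port, $caFile, $timeout = 5)
{
    $context = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,    // validate the certificate chain
            'verify_peer_name'  => true,    // and that it was issued for $host
            'allow_self_signed' => false,
            'cafile'            => $caFile, // CA that signed the api-ssl certificate
        ],
    ]);
    $socket = stream_socket_client(
        "tls://{$host}:{$port}", $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, $context
    );
    if ($socket === false) {
        throw new RuntimeException("TLS connect failed: [{$errno}] {$errstr}");
    }
    stream_set_timeout($socket, $timeout); // bound every later read
    return $socket;
}

/** Read exactly $length bytes, looping over short reads; throw on EOF or timeout. */
function readExactly($stream, $length)
{
    $buffer = '';
    while (($remaining = $length - strlen($buffer)) > 0) {
        $chunk = fread($stream, $remaining);
        if ($chunk === false || $chunk === '') {
            $meta = stream_get_meta_data($stream);
            $why  = $meta['timed_out'] ? 'timed out' : 'connection closed';
            throw new RuntimeException(
                "Read {$why} after " . strlen($buffer) . " of {$length} bytes"
            );
        }
        $buffer .= $chunk;
    }
    return $buffer;
}

// Offline check on a constructed in-memory stream: one length byte, then the payload.
$sample = fopen('php://memory', 'w+');
fwrite($sample, "\x06/login");
rewind($sample);
echo readExactly($sample, ord(readExactly($sample, 1))), PHP_EOL;

// Against a router (placeholder host and CA path; 8729 is the port from the error above):
// $socket = openApiTls('router.example', 8729, '/path/to/router-ca.pem');
```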