Rcls Rcls - 1 year ago 246

PHP TCP connection to EPP API using SSL certificate authentication

I have tried this upwards and backwards without any success. The national domain registry department has decided to change their entire system to EPP. Their documentation is very poor but to summarize:

  • Connection via TCP: epptest.ficora.fi port 700

  • To whitelist for firewall, add IP address and SSL certificate to user account on dashboard (done that)

The dashboard is a total mess. I cannot upload the same certificate to different users, I can't remove users etc. Anyhow, you are supposed to connect to that address and verify yourself using the same SSL certificate in the request (at least that's what I've understood) but I cannot get it to work. All my requests return:

Error 7: "Failed to connect to epptest.ficora.fi port 700: Timed out"

I've created a login XML based on the documentation which I send out in the POST request.

<?php
ini_set('max_execution_time', 300);

// $content holds the login XML built from the registry documentation (not shown here).

$curl = curl_init();

curl_setopt($curl, CURLOPT_URL, 'epptest.ficora.fi');   // no scheme given, so cURL treats this as plain http://
curl_setopt($curl, CURLOPT_PORT, 700);
curl_setopt($curl, CURLOPT_POST, 1);                    // send the login XML as an HTTP POST body
curl_setopt($curl, CURLOPT_POSTFIELDS, $content);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);          // disables verification of the server certificate
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 0);          // 0 = wait indefinitely for the connection
curl_setopt($curl, CURLOPT_TIMEOUT, 400);
curl_setopt($curl, CURLOPT_SSLCERT, __DIR__ . '/certificate.crt'); // client certificate only; no private key supplied

$output = curl_exec($curl);
echo 'Error ' . curl_errno($curl) . ': "' . curl_error($curl) . '"';

The certificate file can be found; I did a file_get_contents() test and it reads OK. This is a localhost test on a Windows computer.

Testing the same code on my own (live) server I get:

Error 56: "Recv failure: Connection reset by peer"

I don't know if this sounds stupid or not but does the request have to originate from a server, from an address, where the SSL certificate is in use?

I am at a complete loss with this as to why it doesn't work. Help, anyone?


Here's the cURL verbose information:

* About to connect() to epptest.ficora.fi port 700 (#0)
* Trying <ip_address>
* connected
* Connected to epptest.ficora.fi (<ip address>) port 700 (#0)
> POST / HTTP/1.1
Host: epptest.ficora.fi:700
Accept: */*
Content-type: text/xml
Content-length: 146

* upload completely sent off: 146 out of 146 bytes
* additional stuff not fine transfer.c:1037: 0 0
* Recv failure: Connection reset by peer
* Closing connection #0

Answer Source

The answer in the end came to me through another Stack Overflow post. I actually didn't have the private key in the certificate, so what I had to do was create a new .pem file (just plain text in any editor) and paste the private key and certificate in it like so:





The certificate is supposed to have the key in it. All I had was them separate. No one actually pointed this out.

HOWEVER! I was not able to make this work in cURL. The response I got was through a PHP-EPP library that uses the stream_socket_client() function.
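The cURL verbose log in the question shows why that approach could never have worked regardless of the certificate: the URL has no scheme, so cURL sends a plaintext `POST / HTTP/1.1` to port 700, and an EPP server expects a TLS handshake followed by length-prefixed XML frames (RFC 5734), not HTTP. The sketch below is an added example, not the question's code and not the PHP-EPP library the answer refers to; it shows the two things the answer hinges on, a TLS stream opened with `stream_socket_client()` and a PEM file that holds both the private key and the certificate, plus the 4-byte EPP framing. The host and port come from the question; the file paths, client ID, password, and the 1 MiB frame-size limit are placeholders and assumptions.

```php
<?php
// Added example: minimal EPP-over-TLS session with client-certificate authentication.
// Not code from the question or from the PHP-EPP library mentioned in the answer.
declare(strict_types=1);

const EPP_HOST   = 'epptest.ficora.fi';            // from the question
const EPP_PORT   = 700;                            // from the question
const CLIENT_PEM = __DIR__ . '/client.pem';        // placeholder: private key AND certificate, PEM encoded
const CA_BUNDLE  = __DIR__ . '/ca-bundle.crt';     // placeholder: CA chain used to verify the registry

// RFC 5734: every EPP message is prefixed with a 4-octet big-endian length that
// includes the 4 bytes of the length field itself.
function eppFrame(string $xml): string
{
    return pack('N', strlen($xml) + 4) . $xml;
}

// fread() on a TLS stream may return fewer bytes than requested, so loop until
// exactly $n bytes have arrived or the peer closes the connection.
function readExact($stream, int $n): string
{
    $buf = '';
    while (strlen($buf) < $n) {
        $chunk = fread($stream, $n - strlen($buf));
        if ($chunk === false || $chunk === '') {
            throw new RuntimeException('connection closed while reading EPP frame');
        }
        $buf .= $chunk;
    }
    return $buf;
}

// Read one framed message and return its XML payload.
function eppReadFrame($stream): string
{
    $length = unpack('N', readExact($stream, 4))[1];
    // Assumption: 1 MiB is far above any legitimate EPP response; reject anything
    // larger rather than allocating whatever length a misbehaving peer announces.
    if ($length < 4 || $length > 1048576) {
        throw new RuntimeException("implausible EPP frame length $length");
    }
    return readExact($stream, $length - 4);
}

// Open the TLS connection. The client key+certificate PEM is presented via
// 'local_cert'; if key and certificate live in separate files, PHP also accepts
// 'local_pk' for the key. Unlike CURLOPT_SSL_VERIFYPEER = 0 in the question,
// the registry's certificate is verified against a CA bundle.
function eppConnect(string $host, int $port, string $pem, string $caBundle)
{
    $ctx = stream_context_create(['ssl' => [
        'local_cert'       => $pem,
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
        'cafile'           => $caBundle,
    ]]);
    $stream = stream_socket_client("tls://$host:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);
    if ($stream === false) {
        throw new RuntimeException("connect failed ($errno): $errstr");
    }
    stream_set_timeout($stream, 30);
    return $stream;
}

// Minimal EPP <login> command; the credentials are placeholders supplied by the caller.
function eppLoginXml(string $clId, string $pw): string
{
    $clId = htmlspecialchars($clId, ENT_XML1);
    $pw   = htmlspecialchars($pw, ENT_XML1);
    return <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <login>
      <clID>$clId</clID>
      <pw>$pw</pw>
      <options><version>1.0</version><lang>en</lang></options>
      <svcs><objURI>urn:ietf:params:xml:ns:domain-1.0</objURI></svcs>
    </login>
    <clTRID>login-0001</clTRID>
  </command>
</epp>
XML;
}

$stream   = eppConnect(EPP_HOST, EPP_PORT, CLIENT_PEM, CA_BUNDLE);
$greeting = eppReadFrame($stream);   // the server speaks first with a <greeting>
fwrite($stream, eppFrame(eppLoginXml('REGISTRAR-ID', 'placeholder-password')));
$response = eppReadFrame($stream);   // <response> with a result code, 1000 on success
echo $response;
fclose($stream);
```

Two points worth checking against the question's symptoms: a `Connection reset by peer` right after sending is consistent with a server that expected a TLS ClientHello and received an HTTP request line instead, and a certificate uploaded to the registry dashboard only gets you past their whitelist if the client can also prove possession of the matching private key during the TLS handshake, which is exactly what the combined PEM (or `local_pk`) provides.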