php - 使用PHP在Google Talk XMPP TCP连接上使用TLS

Question

我正在尝试使用PHP连接到Google Talk XMPP服务器。我成功建立了连接并使用X-OAUTH2登录。然后Google要求我建立TLS连接。但是，当尝试将连接升级到TLS时，出现异常:stream_socket_enable_crypto(): Peer certificate CN='gmail.com' did not match expected CN='talk.google.com'。

这是我的步骤:

$stream = stream_socket_client('tcp://talk.google.com:5222', $error_num, $error_str);
// ... I login,
//server tells me to use TLS,
//I tell it I am going to,
//it tells me to proceed ...
stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);

我得到这个错误:

stream_socket_enable_crypto(): Peer certificate CN='gmail.com' did not match expected CN='talk.google.com'

当然，如果我尝试通过tcp://gmail.com或tcp://www.gmail.com连接到xmpp服务器，它将无法正常工作。

我也尝试过在登录之前建立TLS(我认为这是更安全的方式)，但是我遇到了同样的问题。这是错误的整个握手过程:

Me:     <stream:stream to="gmail.com" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" version="1.0">

Google: <stream:stream from="gmail.com" id="7373AF2152849B51" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
            <stream:features>
                <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">
                    <required/>
                </starttls>
                <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
                    <mechanism>X-OAUTH2</mechanism>
                    <mechanism>X-GOOGLE-TOKEN</mechanism>
                </mechanisms>
            </stream:features>

Me:     <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="X-OAUTH2" auth:service="oauth2" xmlns:auth="http://www.google.com/talk/protocol/auth">Encrypted user and pass</auth>

Google: <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

Me:     <stream:stream to="gmail.com" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" version="1.0">

Google: <stream:stream from="gmail.com" id="B3A6AD05178A5BF2" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
            <stream:features>
                <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">
                    <required/>
                </starttls>
                <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/>
                <session xmlns="urn:ietf:params:xml:ns:xmpp-session"/>
            </stream:features>

Me:     <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

Google: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

Answer 1

我还没有弄清楚如何解决该问题，但我可以通过从一开始就通过tls连接并使用端口5223来完全避免该问题:

stream_socket_client('tls://talk.google.com:5223', $error_num, $error_str);