[Bug 592442] Re: fopen fails on some SSL urls

2010-08-17 Thread Scott Beardsley
Arjan,

This is an upstream bug. Please leave a comment here[1]. There has been
no progress (nor ack's) from the php team regarding this bug.

Scott
--
[1] http://bugs.php.net/bug.php?id=52106

-- 
fopen fails on some SSL urls
https://bugs.launchpad.net/bugs/592442
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 592442] Re: fopen fails on some SSL urls

2010-06-17 Thread Scott Beardsley
An update... I've discovered that the cas.ucdavis.edu machine does not
correctly deal with fragmented IP packets. I thought this might be the
problem but then I went looking for those types of packets and found
none (I'll still try to get that fixed though).

Then I discovered that the client hello packet (first packet after
the connection is established) on a Lucid machine shows up in wireshark
as the TLSv1 protocol and on a Karmic machine it shows up as a SSLv2
protocol.

I wonder why this changed? Did the defaults for openssl change or
something?



[Bug 592442] Re: fopen fails on some SSL urls

2010-06-16 Thread Scott Beardsley
I've filed a bug report at bugs.php.net[1] and linked to this bug
report.

I'll ask for more details about this specific server. I tried a bunch of
other sites with a similar setup but can't reproduce it elsewhere yet.
Maybe there is a firewall rule that is blocking packets? Seems strange
that it would work for php 5.2.10 but not 5.3 though. Hopefully the php
folks can provide some insight as to what changed between those
versions. Nothing obvious (to me at least) jumps out on the
changelog[2]:

Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP 
authentication). (Jani)
Fixed bug #50791 (Compile failure: Bad logic in defining fopencookie 
emulation). (Jani)
Fixed bug #48637 (file fopen wrapper is overwritten when using 
--with-curlwrappers). (Jani)
Fixed bug #43510 (stream_get_meta_data() does not return same mode as used in 
fopen). (Jani)
Optimized require_once() and include_once() by eliminating fopen(3) on second 
usage. (Dmitry)
Added 'n' flag to fopen to allow passing O_NONBLOCK to the underlying open(2) 
system call. (Mikko)
Added ignore_errors option to http fopen wrapper. (David Zulke, Sara)

Scott

[1] http://bugs.php.net/bug.php?id=52106
[2] http://php.net/ChangeLog-5.php

** Bug watch added: bugs.php.net/ #52106
   http://bugs.php.net/bug.php?id=52106



[Bug 592442] Re: fopen fails on some SSL urls

2010-06-14 Thread Scott Beardsley
This is strange... on Lucid it doesn't even attempt to check for the CA
file. Using the script you provided on a Karmic machine I get the
following:

now cas.ucdavis.edu...
open(/etc/host.conf, O_RDONLY)= 3
open(/etc/resolv.conf, O_RDONLY)  = 3
open(/etc/hosts, O_RDONLY|O_CLOEXEC)  = 3
open(/etc/ld.so.cache, O_RDONLY)  = 3
open(/lib/libnss_mdns4_minimal.so.2, O_RDONLY) = 3
open(/etc/ld.so.cache, O_RDONLY)  = 3
open(/lib/tls/i686/cmov/libnss_dns.so.2, O_RDONLY) = 3
open(/etc/resolv.conf, O_RDONLY)  = 3
open(/dev/urandom, O_RDONLY|O_NOCTTY|O_NONBLOCK) = 4
open(/etc/ssl/certs/594f1775.0, O_RDONLY|O_LARGEFILE) = 4
open(/etc/hosts, O_RDONLY|O_CLOEXEC)  = 3
open(/etc/ssl/certs/594f1775.0, O_RDONLY|O_LARGEFILE) = 4
try ssl to google...
open(/etc/hosts, O_RDONLY|O_CLOEXEC)  = 3
open(/etc/gai.conf, O_RDONLY) = 3
open(/etc/ssl/certs/7651b327.0, O_RDONLY|O_LARGEFILE) = 4
open(/dev/urandom, O_RDONLY)  = 0
open(/dev/urandom, O_RDONLY)  = 0
open(/dev/urandom, O_RDONLY)  = 0

I'm puzzled why Lucid doesn't check for the CA. As you can see from
above the server's cert is offered and verified on a Karmic machine. The
file referenced above (/etc/ssl/certs/594f1775.0) exists on both
machines and has the same sha1sum:

03de306e6bead81b0de390a2c47ba264139e4e69  /etc/ssl/certs/594f1775.0

Long shot, but I did notice that the Issuer CN on the cas.ucdavis.edu
cert doesn't have a value. Is it required?



[Bug 592442] Re: fopen fails on some SSL urls

2010-06-10 Thread Scott Beardsley
I noticed that too. The necessary CAs are actually installed on Lucid by
default though (you just have to tell openssl where to look).
Incidentally, wget works fine (without --no-check-certificate):

$ openssl s_client -CApath /etc/ssl/certs -connect cas.ucdavis.edu:443
CONNECTED(0003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/ST=California/L=Davis/O=University of California 
Davis/OU=IET-IR/CN=cas.ucdavis.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Davis/O=University of California 
Davis/OU=IET-IR/CN=cas.ucdavis.edu
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Davis/O=University of California 
Davis/OU=IET-IR/CN=cas.ucdavis.edu
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2147 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: EDH-RSA-DES-CBC3-SHA
Session-ID: 4C116E5221F8596C7B1BE3E4443D427A6234FCE19A12F6E869C3F0C536715A7D
Session-ID-ctx: 
Master-Key: 
C52784FE43D5156FDB3A81670E1BF87585502BC5C38EAE214F2C93285743BB8B050B8B111751A7B16A3784159B6444B3
Key-Arg   : None
Start Time: 1276210770
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---
HEAD / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: https://casweb3.ucdavis.edu:8443/login
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Thu, 10 Jun 2010 22:59:33 GMT
Connection: close

closed
$ wget https://cas.ucdavis.edu
--2010-06-10 16:01:53--  https://cas.ucdavis.edu/
Resolving cas.ucdavis.edu... 169.237.104.82
Connecting to cas.ucdavis.edu|169.237.104.82|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://cas.ucdavis.edu/login [following]
--2010-06-10 16:01:53--  https://cas.ucdavis.edu/login
Connecting to cas.ucdavis.edu|169.237.104.82|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4796 (4.7K) [text/html]
Saving to: `login'

100%[=]
4,796   --.-K/s   in 0s

2010-06-10 16:01:53 (204 MB/s) - `login' saved [4796/4796]
$



[Bug 592442] Re: fopen fails on some SSL urls

2010-06-10 Thread Scott Beardsley

** Attachment added: tcpdump of a php run with two fopen() calls to remote 
https servers
   http://launchpadlibrarian.net/50098267/out.dump



[Bug 592442] [NEW] fopen fails on some SSL urls

2010-06-10 Thread Scott Beardsley
Public bug reported:

Binary package hint: php5

Description:Ubuntu 10.04 LTS
Release:10.04

php5:
  Installed: 5.3.2-1ubuntu4.2
  Candidate: 5.3.2-1ubuntu4.2
  Version table:
 *** 5.3.2-1ubuntu4.2 0
500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
100 /var/lib/dpkg/status
 5.3.2-1ubuntu4 0
500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages

For some reason I can't seem to get the following to work. I suspect an
SSL problem. Maybe the intermediate SSL cert is not being recognized
properly? The server cert is signed by geotrust (which is an
intermediate of equifax[1]).

I put the following in a file called /tmp/fopen.php:

<?php
// Two plain fopen() calls on https:// URLs; the second one is the failing case.
if (fopen("https://www.google.com", "r")) { print "www.google.com worked\n"; }
if (fopen("https://cas.ucdavis.edu", "r")) { print "cas.ucdavis.edu worked\n"; }
?>

Then I run the php via an apache web and/or via the php5-cli (the
results are the same in both cases):

$ php /tmp/fopen.php
www.google.com worked
PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:140773F2:SSL routines:func(119):reason(1010) in /tmp/fopen.php on line 3
PHP Warning:  fopen(): Failed to enable crypto in /tmp/fopen.php on line 3
PHP Warning:  fopen(https://cas.ucdavis.edu): failed to open stream: operation 
failed in /tmp/fopen.php on line 3
$

When I run the above command on a karmic or jaunty machine it works fine
for both fopen() calls. I've attached a tcpdump of the above script.

As you can see from the dump, Google is working but my server is not. I get
an SSL alert packet (packet #29) back with code 10 (unexpected message).
Maybe this is an intermediate cert verification problem?

What is funny is that I get an ACK right before that. It seems like
maybe the server is sending an ACK, client starts talking, server isn't
ready and sends an out-of-order message.

Scott
---
[1] https://www.geotrust.com/resources/root-certificates/index.html

** Affects: php5 (Ubuntu)
 Importance: Undecided
 Status: New

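The thread leaves two questions open: whether the "Failed to enable crypto" warning comes from certificate verification (the intermediate/issuer question in the original report and the 2010-06-14 message) or from the handshake itself (the TLSv1 vs. SSLv2 client hello observed in wireshark in the 2010-06-17 message). The following script, added here as an illustration and not code from the bug report, the reporter or the Ubuntu php5 package, separates the two by doing what the fopen() wrapper does by hand: it opens a plain tcp:// socket with peer verification switched on and pointed at the hashed CA directory, then negotiates with one explicit crypto method at a time, and on success prints the subject and issuer CN of every certificate in the chain it verified. The host name, the /etc/ssl/certs CA directory, the timeout and the https_probe function name are assumptions for the example; SSLv2 is deliberately not in the list of methods tried.

```php
<?php
// Added example (not code from the bug report or the Ubuntu php5 package):
// probe an HTTPS host the way the fopen() wrapper does, but with explicit
// CA verification and one explicit handshake method at a time, so that a
// "Failed to enable crypto" warning can be narrowed down to either
// certificate verification or protocol negotiation.
// Host name, CA directory and timeout are assumptions for illustration.

function https_probe($host, $method, $capath = '/etc/ssl/certs', $timeout = 10)
{
    // PHP 5.3 does not verify the peer by default; turn it on and point it
    // at the same hashed CA directory that `openssl s_client -CApath` used.
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'             => true,
        'capath'                  => $capath,
        'CN_match'                => $host,   // PHP < 5.6 name; 'peer_name' from 5.6 on
        'verify_depth'            => 5,
        'capture_peer_cert_chain' => true,    // keep the chain for inspection
    )));

    $errno = 0; $errstr = '';
    $fp = @stream_socket_client("tcp://$host:443", $errno, $errstr, $timeout,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return array('ok' => false, 'stage' => 'connect', 'error' => "$errno $errstr");
    }

    // Negotiate with the requested method only. TLSv1 or SSLv3 sends exactly
    // that client hello (which is what wireshark will show); SSLv23 leaves the
    // choice to OpenSSL's defaults, as the fopen() wrapper does.
    if (@stream_socket_enable_crypto($fp, true, $method) !== true) {
        $err = error_get_last();
        fclose($fp);
        return array('ok' => false, 'stage' => 'handshake',
                     'error' => $err ? $err['message'] : 'unknown');
    }

    // Summarise the verified chain: subject CN and issuer CN per certificate.
    // A DN without a CN (as in the Equifax issuer) is legal; print "(none)".
    $chain = array();
    $opts = stream_context_get_options($fp);
    if (!empty($opts['ssl']['peer_certificate_chain'])) {
        foreach ($opts['ssl']['peer_certificate_chain'] as $cert) {
            $info = openssl_x509_parse($cert);
            $chain[] = sprintf('subject CN=%s, issuer CN=%s',
                isset($info['subject']['CN']) ? $info['subject']['CN'] : '(none)',
                isset($info['issuer']['CN'])  ? $info['issuer']['CN']  : '(none)');
        }
    }

    // Same request openssl s_client was given on the page; keep only the status line.
    fwrite($fp, "HEAD / HTTP/1.0\r\nHost: $host\r\nConnection: close\r\n\r\n");
    $status = trim((string) fgets($fp));
    fclose($fp);
    return array('ok' => true, 'stage' => 'http', 'status' => $status, 'chain' => $chain);
}

$methods = array(
    'SSLv23 (auto)' => STREAM_CRYPTO_METHOD_SSLv23_CLIENT,
    'TLSv1'         => STREAM_CRYPTO_METHOD_TLS_CLIENT,
    'SSLv3'         => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
);
foreach ($methods as $name => $method) {
    $r = https_probe('cas.ucdavis.edu', $method);
    if ($r['ok']) {
        printf("%-14s ok: %s\n", $name, $r['status']);
        foreach ($r['chain'] as $i => $line) {
            printf("  [%d] %s\n", $i, $line);
        }
    } else {
        printf("%-14s failed at %s: %s\n", $name, $r['stage'], $r['error']);
    }
}
```

Reading the output: a failure reported at the "handshake" stage for SSLv23 but success for TLSv1 points at protocol negotiation rather than at the CA store, while a failure for every method with an OpenSSL verification message points at the chain; in the latter case comparing the printed issuer CNs with the `openssl s_client -CApath /etc/ssl/certs` output on the page shows which link the stream wrapper could not resolve. Keeping verify_peer enabled is the point of the exercise; turning it off would make fopen() succeed but would also silently accept any certificate.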