[Bug 592442] Re: fopen fails on some SSL urls
Finjon Kiang
592442 at bugs.launchpad.net
Fri Dec 2 15:28:56 UTC 2011
Three environments:
# PHP Version 5.3.5-1ubuntu7.3
Suhosin Patch 0.9.10
Apache/2.2.17 (Ubuntu)
OpenSSL 0.9.8o 01 Jun 2010
$ uname -a
Linux xxx #50-Ubuntu SMP Mon Sep 12 21:51:23 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
$ openssl s_client -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
28269:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
# PHP Version 5.3.6-13ubuntu3.2
Suhosin Patch 0.9.10
Apache/2.2.20 (Ubuntu)
OpenSSL 1.0.0e 6 Sep 2011
$ uname -a
Linux xxx 3.0.0-13-generic #22-Ubuntu SMP Wed Nov 2 13:27:26 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
$ openssl s_client -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
140055608010400:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
# PHP Version 5.2.4-2ubuntu5.17
Suhosin Patch 0.9.6.2
Apache/2.2.8 (Ubuntu)
OpenSSL 0.9.8g 19 Oct 2007
$ uname -a
Linux xxx 2.6.24-17-server #1 SMP Thu May 1 14:28:06 UTC 2008 x86_64 GNU/Linux
$ openssl s_client -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/592442
Title:
fopen fails on some SSL urls
Status in PHP: Hypertext Preprocessor:
Unknown
Status in “openssl” package in Ubuntu:
Confirmed
Status in “php5” package in Ubuntu:
Fix Released
Bug description:
Binary package hint: php5
Description: Ubuntu 10.04 LTS
Release: 10.04
php5:
Installed: 5.3.2-1ubuntu4.2
Candidate: 5.3.2-1ubuntu4.2
Version table:
*** 5.3.2-1ubuntu4.2 0
500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
100 /var/lib/dpkg/status
5.3.2-1ubuntu4 0
500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
For some reason I can't seem to get the following to work. I suspect a
SSL problem. Maybe the intermediate SSL cert is not being recognized
properly? The server cert is signed by geotrust (which is an
intermediate of equifax[1]).
I put the following in a file called /tmp/fopen.php:
<?php
if (fopen("https://www.google.com","r")) { print "www.google.com worked\n"; }
if (fopen("https://cas.ucdavis.edu","r")) { print "cas.ucdavis.edu worked\n"; }
?>
Then I run the php via an apache web and/or via the php5-cli (the
results are the same in both cases):
$ php /tmp/fopen.php
www.google.com worked
PHP Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:140773F2:SSL routines:func(119):reason(1010) in /tmp/fopen.php on line 3
PHP Warning: fopen(): Failed to enable crypto in /tmp/fopen.php on line 3
PHP Warning: fopen(https://cas.ucdavis.edu): failed to open stream: operation failed in /tmp/fopen.php on line 3
$
When I run the above command on a karmic or jaunty machine it works
fine for both fopen() calls. I've attached a tcpdump of the above
script.
As you can see from the dump, Google is working but my server is not. I get an SSL alert packet (packet #29) back with code 10
(unexpected message). Maybe this is an intermediate cert verification problem?
What is funny is that I get an ACK right before that. It seems like
maybe the server is sending an ACK, client starts talking, server
isn't ready and sends an out-of-order message.
Scott
-----------
[1] https://www.geotrust.com/resources/root-certificates/index.html