[Bug 592442] Re: fopen fails on some SSL urls

Clint Byrum clint at fewbar.com
Fri Dec 2 18:09:37 UTC 2011


Excerpts from Finjon Kiang's message of Fri Dec 02 15:28:56 UTC 2011:
> Three environments:
> # PHP Version 5.3.5-1ubuntu7.3
> Suhosin Patch 0.9.10
> Apache/2.2.17 (Ubuntu)
> OpenSSL 0.9.8o 01 Jun 2010
> 
> $ uname -a
> Linux xxx #50-Ubuntu SMP Mon Sep 12 21:51:23 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
> $ openssl s_client -host aquarius.neweb.com.tw -port 443
> CONNECTED(00000003)
> 28269:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
> 

The site doesn't seem to support SSLv3

$ openssl s_client -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
140489793156768:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1322848731
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

On an older openssl:

$ openssl s_client -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=0 /C=TW/postalCode=11510/ST=Taiwan/L=Taipei/streetAddress=7F., No.52, Sec. 3, Nangang Rd., Nangang Dist., Taipei City 11510, Taiwan (R.O.C.)/O=Neweb Technologies Co., Ltd./OU=MIS/OU=Provided by Global Digital Inc./OU=GlobalTrustSSLWildcard/CN=*.neweb.com.tw
verify return:1
---
Certificate chain
 0 s:/C=TW/postalCode=11510/ST=Taiwan/L=Taipei/streetAddress=7F., No.52, Sec. 3, Nangang Rd., Nangang Dist., Taipei City 11510, Taiwan (R.O.C.)/O=Neweb Technologies Co., Ltd./OU=MIS/OU=Provided by Global Digital Inc./OU=GlobalTrustSSLWildcard/CN=*.neweb.com.tw
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/C=TW/postalCode=11510/ST=Taiwan/L=Taipei/streetAddress=7F., No.52, Sec. 3, Nangang Rd., Nangang Dist., Taipei City 11510, Taiwan (R.O.C.)/O=Neweb Technologies Co., Ltd./OU=MIS/OU=Provided by Global Digital Inc./OU=GlobalTrustSSLWildcard/CN=*.neweb.com.tw
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
No client certificate CA names sent
---
SSL handshake has read 3985 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0000712C8184886D3C78FFFAC431ABF703843D95585858584ED9122B0000269F
    Session-ID-ctx: 
    Master-Key: 26E6F0E074E2ABD6FF10360AA61F7D9CFF213844506EF14B3419146E1D3B950AF75DC452D4C0CCE46829DD8CE1559851
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1322848811
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

And with SSLv3 forced on the same version:

$ openssl s_client -host aquarius.neweb.com.tw -port 443 -ssl3
CONNECTED(00000003)
13713:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

SSLv2 has been gone for some time now:

openssl (0.9.8o-1ubuntu3) maverick; urgency=low

  * debian/patches/no-sslv2.patch: disable SSLv2 to match NSS and GnuTLS.
    The protocol is unsafe and extremely deprecated. (Debian bug 589706)

 -- Kees Cook <kees at ubuntu.com>  Tue, 20 Jul 2010 08:24:13 -0700


It's puzzling that the older openssl (0.9.8e-12.el5_5.7 on CentOS 5.5) does not
share this problem.

Anyway, this is not the same bug that was fixed here; most likely a new bug. Please
open a new report against openssl so that we can address it (and please reference back
to the new bug on this bug report, so users who stumble on this one will find the new
one).

> ---
> 
> # PHP Version 5.3.6-13ubuntu3.2
> Suhosin Patch 0.9.10
> Apache/2.2.20 (Ubuntu)
> OpenSSL 1.0.0e 6 Sep 2011
> 
> $ uname -a
> Linux xxx 3.0.0-13-generic #22-Ubuntu SMP Wed Nov 2 13:27:26 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
> $ openssl s_client -host aquarius.neweb.com.tw -port 443
> CONNECTED(00000003)
> 140055608010400:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
> 
> ---
> 
> # PHP Version 5.2.4-2ubuntu5.17
> Suhosin Patch 0.9.6.2
> Apache/2.2.8 (Ubuntu)
> OpenSSL 0.9.8g 19 Oct 2007
> 
> $ uname -a
> Linux xxx 2.6.24-17-server #1 SMP Thu May 1 14:28:06 UTC 2008 x86_64 GNU/Linux
> $ openssl s_client -host aquarius.neweb.com.tw -port 443
> CONNECTED(00000003)
> depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> 

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/592442

Title:
  fopen fails on some SSL urls

Status in PHP: Hypertext Preprocessor:
  Unknown
Status in “openssl” package in Ubuntu:
  Confirmed
Status in “php5” package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: php5

  Description:	Ubuntu 10.04 LTS
  Release:	10.04

  php5:
    Installed: 5.3.2-1ubuntu4.2
    Candidate: 5.3.2-1ubuntu4.2
    Version table:
   *** 5.3.2-1ubuntu4.2 0
          500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
          100 /var/lib/dpkg/status
       5.3.2-1ubuntu4 0
          500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages

  For some reason I can't seem to get the following to work. I suspect a
  SSL problem. Maybe the intermediate SSL cert is not being recognized
  properly? The server cert is signed by geotrust (which is an
  intermediate of equifax[1]).

  I put the following in a file called /tmp/fopen.php:

  <?php
  if (fopen("https://www.google.com","r")) { print "www.google.com worked\n"; }
  if (fopen("https://cas.ucdavis.edu","r")) { print "cas.ucdavis.edu worked\n"; }
  ?>

  Then I run the php via an apache web and/or via the php5-cli (the
  results are the same in both cases):

  $ php /tmp/fopen.php
  www.google.com worked
  PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
  error:140773F2:SSL routines:func(119):reason(1010) in /tmp/fopen.php on line 3
  PHP Warning:  fopen(): Failed to enable crypto in /tmp/fopen.php on line 3
  PHP Warning:  fopen(https://cas.ucdavis.edu): failed to open stream: operation failed in /tmp/fopen.php on line 3
  $

  When I run the above command on a karmic or jaunty machine it works
  fine for both fopen() calls. I've attached a tcpdump of the above
  script.

  As you can see from the dump, Google is working but my server is not. I get an SSL alert packet (packet #29) back with code 10
  (unexpected message).  Maybe this is an intermediate cert verification problem?

  What is funny is that I get an ACK right before that. It seems like
  maybe the server is sending an ACK, client starts talking, server
  isn't ready and sends an out-of-order message.

  Scott
  -----------
  [1] https://www.geotrust.com/resources/root-certificates/index.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/php/+bug/592442/+subscriptions
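As an added diagnostic helper, not code from this thread or from the openssl/php5 packages: it summarises `openssl s_client` transcripts like the ones pasted above (handshake error code and routine, bytes exchanged, negotiated protocol and cipher, and whether the client gave up before sending anything), and for live use probes a host one TLS version at a time with certificate verification left on. It goes beyond the page by covering TLS 1.1 to 1.3 as well; the sample transcripts are constructed after the quoted runs, and the `probe_protocols` function and any host you pass it are assumptions.

```python
import re
import socket
import ssl

# Patterns for lines `openssl s_client` prints (OpenSSL 0.9.8 through 3.x).
_ERR = re.compile(r"error:([0-9A-F]+):SSL routines:([A-Z0-9_]+):([^:]+):")
_IO = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
_KV = re.compile(r"^\s*(Protocol|Cipher|Verify return code)\s*:\s*(.+?)\s*$", re.M)

def diagnose_s_client(output: str) -> dict:
    """Summarise an s_client transcript: handshake error, bytes exchanged, protocol, cipher."""
    info = {"connected": "CONNECTED(" in output, "handshake_failed": False}
    if m := _ERR.search(output):
        info.update(handshake_failed=True, error_code=m.group(1),
                    routine=m.group(2), reason=m.group(3))
    if m := _IO.search(output):
        info["bytes_read"], info["bytes_written"] = int(m.group(1)), int(m.group(2))
    for key, val in _KV.findall(output):
        info[key.lower().replace(" ", "_")] = val
    # 0 bytes written means no ClientHello ever left the socket: the failure is
    # in the client's own protocol negotiation, not a rejection by the server.
    info["client_side_only"] = info.get("bytes_written") == 0
    return info

def probe_protocols(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Offer one TLS version at a time; record which complete a verified handshake (needs network)."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[ver.name] = "ok, negotiated " + tls.version()
        except (ValueError, OSError) as e:  # ssl.SSLError is an OSError subclass
            results[ver.name] = "failed: " + str(getattr(e, "reason", None) or e)
    return results

# Constructed transcripts modelled on the failing and working runs quoted in this thread.
FAILED_RUN = ("CONNECTED(00000003)\n140489793156768:error:1409E0E5:SSL routines:"
              "SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:\n"
              "SSL handshake has read 0 bytes and written 0 bytes\n"
              "SSL-Session:\n    Protocol  : SSLv3\n    Cipher    : 0000\n")
OK_RUN = ("CONNECTED(00000003)\nSSL handshake has read 3985 bytes and written 447 bytes\n"
          "New, TLSv1/SSLv3, Cipher is AES256-SHA\nSSL-Session:\n"
          "    Protocol  : TLSv1\n    Cipher    : AES256-SHA\n    Verify return code: 0 (ok)\n")
```

Run `probe_protocols("example.invalid")` from a shell to see which versions a live server completes; the parser is what to point at a saved transcript from an affected machine.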




More information about the foundations-bugs mailing list