[Bug 592442] Re: fopen fails on some SSL urls
Clint Byrum
clint at fewbar.com
Mon Apr 30 14:21:24 UTC 2012
Excerpts from chrone's message of Mon Apr 30 09:34:18 UTC 2012:
> I'm having the same problem here after upgrading from 11.10; my web server
> could not send email using curl and Google Mail SMTP.
>
> I guess the culprit is somewhere between php5-curl, curl, and openssl. :(
>
> Is there a way to downgrade the curl and openssl versions while still
> running Ubuntu 12.04 until this bug is fixed?
>
> Here's the Apache error log:
> PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure in /var/www/piwik.php on line 114
> PHP Warning: file_get_contents(): Failed to enable crypto in /var/www/piwik.php on line 114
>
You may want to try setting the cipher to use, as the issue seems to be
with a too-large header for some servers to handle.
http://php.net/manual/en/context.ssl.php
You can test what ciphers work with:

    openssl s_client -connect server:port -cipher xxxxx

I'd recommend 'AES256' or 'AES128'.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/592442
Title:
  fopen fails on some SSL urls

Status in PHP: Hypertext Preprocessor:
  Unknown
Status in “openssl” package in Ubuntu:
  Confirmed
Status in “php5” package in Ubuntu:
  Fix Released

Bug description:
Binary package hint: php5
Description: Ubuntu 10.04 LTS
Release: 10.04

php5:
  Installed: 5.3.2-1ubuntu4.2
  Candidate: 5.3.2-1ubuntu4.2
  Version table:
 *** 5.3.2-1ubuntu4.2 0
        500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        100 /var/lib/dpkg/status
     5.3.2-1ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages

For some reason I can't seem to get the following to work. I suspect an
SSL problem. Maybe the intermediate SSL cert is not being recognized
properly? The server cert is signed by GeoTrust (which is an
intermediate of Equifax[1]).
I put the following in a file called /tmp/fopen.php:
<?php
if (fopen("https://www.google.com","r")) { print "www.google.com worked\n"; }
if (fopen("https://cas.ucdavis.edu","r")) { print "cas.ucdavis.edu worked\n"; }
?>
Then I run the php via an apache web and/or via the php5-cli (the
results are the same in both cases):
$ php /tmp/fopen.php
www.google.com worked
PHP Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:140773F2:SSL routines:func(119):reason(1010) in /tmp/fopen.php on line 3
PHP Warning: fopen(): Failed to enable crypto in /tmp/fopen.php on line 3
PHP Warning: fopen(https://cas.ucdavis.edu): failed to open stream: operation failed in /tmp/fopen.php on line 3
$
When I run the above command on a karmic or jaunty machine it works
fine for both fopen() calls. I've attached a tcpdump of the above
script.
As you can see from the dump, Google is working but my server is not. I
get an SSL alert packet (packet #29) back with code 10 (unexpected
message). Maybe this is an intermediate cert verification problem?
What is funny is that I get an ACK right before that. It seems like
maybe the server is sending an ACK, client starts talking, server
isn't ready and sends an out-of-order message.
Scott
-----------
[1] https://www.geotrust.com/resources/root-certificates/index.html
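
The two packed OpenSSL error codes quoted in this thread can be split into library, function and reason fields, which shows that both failures are TLS alerts received from the server (reason = 1000 + alert number). This is an added example, not part of the original messages or of any project's code; it assumes the OpenSSL 1.0.x-era error layout (8-bit library, 12-bit function, 12-bit reason), and the function names are hypothetical.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2) for the alerts seen in this thread.
TLS_ALERTS = {10: "unexpected_message", 40: "handshake_failure"}

# Assumption: OpenSSL 1.0.x-era packing,
#   code = lib (8 bits) << 24 | func (12 bits) << 12 | reason (12 bits)
ERR_LIB_SSL = 20             # 0x14, the "SSL routines" library
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for received alerts

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# The two error lines quoted in this thread, copied from the messages above.
SAMPLE_LOG = [
    r"PHP Warning: file_get_contents(): SSL operation failed with code 1. "
    r"OpenSSL Error messages:\nerror:14094410:SSL routines:SSL3_READ_BYTES:"
    r"sslv3 alert handshake failure in /var/www/piwik.php on line 114",
    r"error:140773F2:SSL routines:func(119):reason(1010) in /tmp/fopen.php on line 3",
]


def decode_error(code_hex):
    """Split a packed OpenSSL error code into lib, func, reason and alert."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    # Only SSL-library reasons at or above the offset encode a peer alert.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    name = TLS_ALERTS.get(alert) if alert is not None else None
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": name}


def decode_log(lines):
    """Decode every 'error:XXXXXXXX:' code found in the given log lines."""
    return [decode_error(code) for line in lines
            for code in ERROR_RE.findall(line)]


if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

The second code decodes to function 119 and reason 1010, the same numbers OpenSSL printed unresolved as func(119):reason(1010), and to alert 10, matching the alert seen in the reporter's packet capture.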