[Bug 965371] Re: HTTPS requests fail on sites which immediately close the connection if TLS 1.1 negotiation is attempted, on Ubuntu 12.04

Will Bradley bradley.will at gmail.com
Thu Oct 4 01:45:18 UTC 2012


Congratulations, all! This consumed ~20 hours of time isolating and
fixing a bug in what's supposed to be a 6-month-old "LTS" release. I see
it's supposedly got a fix released and triaged, but the milestone is 6
months old and Colin doesn't seem sure if this is still an issue. I can
confirm it is on the two 12.04 machines I have access to and am happy to
do further troubleshooting or supply sample scripts if necessary.

There are unfortunately few workarounds for those (two?) of us trying to
use SoapClient in PHP. The above fixes work for me, but don't handle
PHP's SoapClient, and it was quite a journey triaging that.

I finally got the below PHP code to work for my use case, which is
communicating with remote SSL SOAP services that only support SSLv2,
SSLv3, or TLS1.0 (and not TLS 1.1, TLS 1.2) especially using RC4-SHA
ciphers. The ciphers option in a new stream_context is the necessary bit
to make the code work on 12.04:

  $opts = array(
    'ssl' => array('ciphers' => 'RC4-SHA')
  );

  ini_set("soap.wsdl_cache_enabled", "0");
  $objSoapClient = new SoapClient(
    'https://EXAMPLE.COM/EXAMPLEWSDLPATH',
    array(
      "encoding"           => "ISO-8859-1",
      'stream_context'     => stream_context_create($opts),
      "trace"              => 1,
      "exceptions"         => 0,
      "connection_timeout" => 2000
    )
  );

The trick is to substitute SoapClient's normal context with your own
context + SSL options:
http://www.php.net/manual/en/soapclient.soapclient.php
http://www.php.net/manual/en/context.php
http://www.php.net/manual/en/function.stream-context-create.php

This site was invaluable in testing what exact ciphers/technologies are
actually supported by the remote server:
https://www.ssllabs.com/ssltest/index.html

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/965371

Title:
  HTTPS requests fail on sites which immediately close the connection if
  TLS 1.1 negotiation is attempted, on Ubuntu 12.04

Status in OpenSSL cryptography and SSL/TLS toolkit:
  Confirmed
Status in “openssl” package in Ubuntu:
  Fix Released
Status in “openssl” source package in Precise:
  Triaged
Status in “openssl” package in Debian:
  Fix Released

Bug description:
  This week, HTTPS connections from a Python script I wrote started
  giving me this error:

  urllib2.URLError: <urlopen error [Errno 8] _ssl.c:497: EOF occurred in
  violation of protocol>

  This used to work up until some three days ago and still works on
  other Ubuntu versions, but not in other Python versions on Precise. I
  was suspecting this was a bug in Python, but a guy on AskUbuntu (
  http://askubuntu.com/questions/116020/python-https-requests-urllib2-to-some-sites-fail-on-ubuntu-12-04-without-proxy/116059#116059 )
  found out this happens using the openssl command line tool too:

  $ openssl s_client -connect www.mediafire.com:443

  But succeeds if forcing TLS 1 with the -tls1 argument.
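The behaviour described in this bug (a server that closes the connection as soon as the ClientHello advertises TLS 1.1, and the "EOF occurred in violation of protocol" that the client then sees) is what is usually called TLS version intolerance. The following Python script is an added example, not code from the bug report or from either workaround above. It builds a minimal ClientHello (no extensions; the record-layer version is fixed to 3,1 as a simplification), parses it back, and runs it against a hypothetical emulation of such a server so the failure can be reproduced and reasoned about offline. The cipher suite numbers are the IANA registry values; `intolerant_server_response` and `probe_versions` are names chosen here, not anything from OpenSSL or PHP.

```python
import struct
from dataclasses import dataclass

# TLS protocol versions as carried on the wire: (major, minor).
SSL3_0 = (3, 0)
TLS1_0 = (3, 1)
TLS1_1 = (3, 2)
TLS1_2 = (3, 3)

# IANA cipher suite identifiers. OpenSSL's name for 0x0005 is RC4-SHA,
# the suite the PHP workaround above pins.
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035

# Constructed placeholder for the 32-byte ClientHello.random field.
FIXED_RANDOM = b"\x00" * 32


def build_client_hello(client_version, cipher_suites, random_bytes=FIXED_RANDOM):
    """Return a TLS record holding a minimal ClientHello (no extensions)."""
    body = struct.pack("!BB", *client_version)          # client_version
    body += random_bytes                                 # random (32 bytes)
    body += b"\x00"                                      # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites vector
    body += b"\x01\x00"                                  # compression: 1 method, null
    # Handshake header: type client_hello (1) + 24-bit length.
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: content type handshake (0x16), version, 16-bit length.
    # Simplification: record version fixed to TLS 1.0; real stacks vary.
    return b"\x16" + struct.pack("!BB", *TLS1_0) + struct.pack("!H", len(handshake)) + handshake


@dataclass
class ClientHello:
    record_version: tuple
    client_version: tuple
    cipher_suites: list


def parse_client_hello(data):
    """Parse the record produced by build_client_hello; raise on malformed input."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = (data[1], data[2])
    record_len = struct.unpack("!H", data[3:5])[0]
    handshake = data[5:5 + record_len]
    if len(handshake) != record_len:
        raise ValueError("truncated record")
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake")
    client_version = (body[0], body[1])
    pos = 2 + 32                                         # skip version + random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return ClientHello(record_version, client_version, suites)


def intolerant_server_response(data, max_version=TLS1_0,
                               supported_suites=frozenset({TLS_RSA_WITH_RC4_128_SHA})):
    """Hypothetical model of the misbehaving server from this bug.

    A conforming server would negotiate down to max_version; this one
    drops the connection instead, which the client sees as an EOF.
    Returns "closed", "handshake_failure", or (version, cipher_suite).
    """
    hello = parse_client_hello(data)
    if hello.client_version > max_version:               # tuple compare, e.g. (3,2) > (3,1)
        return "closed"
    chosen = next((s for s in hello.cipher_suites if s in supported_suites), None)
    if chosen is None:
        return "handshake_failure"
    return (hello.client_version, chosen)


def probe_versions(server, cipher_suites, versions=(SSL3_0, TLS1_0, TLS1_1, TLS1_2)):
    """Offer each version in turn and record the server's reaction."""
    return {v: server(build_client_hello(v, cipher_suites)) for v in versions}


if __name__ == "__main__":
    for version, outcome in probe_versions(intolerant_server_response, [TLS_RSA_WITH_RC4_128_SHA]).items():
        print("client_version %d.%d -> %r" % (version[0], version[1], outcome))
```

Run against the emulated server, the probe shows exactly the pattern from the report: offering 3,1 (what `openssl s_client -tls1` sends) succeeds, while 3,2 and 3,3 are met with a closed connection rather than a negotiated downgrade. The same probe function can be pointed at a real socket wrapper if you want to confirm version intolerance on a live endpoint before pinning a client to an older protocol or to a cipher like RC4-SHA.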
