Edit report at http://bugs.php.net/bug.php?id=52106&edit=1
ID:                 52106
Comment by:         personseb at yahoo dot fr
Reported by:        sc0ttbeardsley at gmail dot com
Summary:            fopen fails on some SSL urls
Status:             Open
Type:               Bug
Package:            OpenSSL related
Operating System:   Ubuntu Lucid/Maverick
PHP Version:        5.3.2
Block user comment: N

New Comment:

same problem here...

Warning: fsockopen() [function.fsockopen]: SSL operation failed with code 1. OpenSSL Error messages: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error in /www/test_servicesWS_sp.php on line 16
Warning: fsockopen() [function.fsockopen]: Failed to enable crypto in /www/test_servicesWS_sp.php on line 16
Warning: fsockopen() [function.fsockopen]: unable to connect to ssl://192.168.0.1:443 (Unknown error) in /www/test_servicesWS_sp.php on line 16
 (0)

PHP 5.3.2
OpenSSL 1.0.0
OS CentOS

Previous Comments:
------------------------------------------------------------------------
[2010-08-23 12:50:16] k dot nagurski at ulster dot ac dot uk

We're having the same problem with connecting to a box running our student records system.

We've tested this using Zend Server 5.0.2 on RHEL, with PHP version 5.3.2. We've also been able to reproduce this on Zend Server CE 5.0.2 on Mac OS X, also PHP version 5.3.2.

As far as we can see, this popped up with 5.3.2, as we cannot reproduce the problem with a version of Zend Server CE running PHP 5.3.1.

------------------------------------------------------------------------
[2010-06-17 19:45:19] sc0ttbeardsley at gmail dot com

substitute Lucid in my last comment with PHP v5.3.2 and Karmic with PHP v5.2.10

------------------------------------------------------------------------
[2010-06-17 19:43:43] sc0ttbeardsley at gmail dot com

An update... I've discovered that the cas.ucdavis.edu machine does not correctly deal with fragmented IP packets. I thought this might be the problem but then I went looking for those types of packets and found none (I'll still try to get that fixed though).
Then I discovered that the "client hello" packet (first packet after the connection is established) on a Lucid machine shows up in Wireshark as the TLSv1 protocol and on a Karmic machine it shows up as an SSLv2 protocol. I wonder why this changed? Did the defaults for openssl change or something?

------------------------------------------------------------------------
[2010-06-17 00:35:32] sc0ttbeardsley at gmail dot com

This might not be an fopen() problem. The following code won't work either:

<?php
$fp = fsockopen("ssl://cas.ucdavis.edu", 443, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    $out = "GET /cas/login HTTP/1.1\r\n";
    $out .= "Host: cas.ucdavis.edu\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}
?>

$ php bug2.php

The following is printed:

PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:140773F2:SSL routines:func(119):reason(1010) in bug2.php on line 2
PHP Warning: fsockopen(): Failed to enable crypto in bug2.php on line 2
PHP Warning: fsockopen(): unable to connect to ssl://cas.ucdavis.edu:443 (Unknown error) in bug2.php on line 2
 (0)<br />
$

------------------------------------------------------------------------
[2010-06-17 00:10:18] sc0ttbeardsley at gmail dot com

Description:
------------
This bug is being filed as requested on the Ubuntu bug tracker, see [1]. I'm having problems running the script below using the version of php5 that comes with Lucid (Clint Byrum reproduced it in Maverick and the php5 svn). For some reason this is only happening on one of our servers. Whenever I try to run fopen() against it I get a "SSL operation failed with code 1. OpenSSL Error messages: error:140773F2:SSL routines:func(119):reason(1010)" message.

I attached a tcpdump of a similar transaction (instead of yale it was google) here [2]. As you can see from the dump, Google is working but my server is not.
I get an SSL alert packet (packet #29) back with SSL code 10 (unexpected message). I can't seem to reproduce it on other HTTPS servers (yet). What is funny is that I get an ACK right before that. It seems like maybe the server is sending an ACK, client starts talking, server isn't ready and sends an out-of-order message. I'm not sure if it is my https server that is barfing or it is fopen() that is sending the wrong packets.

This script works fine on karmic (PHP 5.2.10-2ubuntu6.4),

Scott

------------
[1] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/592442
[2] http://launchpadlibrarian.net/50098267/out.dump

Test script:
---------------
<?php
$ctx = stream_context_create(array('ssl'=>array('verify_peer'=>true, 'capath'=>'/etc/ssl/certs')));
$uris = array( "https://cas.ucdavis.edu/login", "https://www.google.com/",);
$uris = array (
"https://cas.ucdavis.edu/cas/login","https://secure.its.yale.edu/cas/login",
);

foreach ($uris as &$uri) {
    print "checking $uri\n";
    fopen("$uri",'r',false,$ctx);
}
?>

Expected result:
----------------
checking https://cas.ucdavis.edu/cas/login
checking https://secure.its.yale.edu/cas/login

Actual result:
--------------
checking https://cas.ucdavis.edu/cas/login
PHP Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages: error:140773F2:SSL routines:func(119):reason(1010) in /root/bug.php on line 10
PHP Warning: fopen(): Failed to enable crypto in /root/bug.php on line 10
PHP Warning: fopen(https://cas.ucdavis.edu/cas/login): failed to open stream: operation failed in /root/bug.php on line 10
checking https://secure.its.yale.edu/cas/login

------------------------------------------------------------------------
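
Added example (not part of the bug report, and not code from PHP or OpenSSL): the two "error:XXXXXXXX" values quoted above can be read without the OpenSSL string tables by unpacking the OpenSSL 1.0.x error-code layout. The helper name decode_openssl_error() is hypothetical and the alert table is a partial list taken from RFC 5246.

```php
<?php
// Added example, not part of the bug report. Splits the packed error code
// that OpenSSL 1.0.x prints as "error:XXXXXXXX:" into its three fields:
// library (top 8 bits), function (next 12 bits), reason (low 12 bits).

// In the SSL library, reason = 1000 + N means the peer sent TLS alert N.
define('SSL_AD_REASON_OFFSET', 1000);
define('ERR_LIB_SSL', 20);

// Hypothetical helper name; the alert table is a partial list from RFC 5246.
function decode_openssl_error($line)
{
    static $alerts = array(
        10 => 'unexpected_message',
        40 => 'handshake_failure',
        70 => 'protocol_version',
        80 => 'internal_error',
    );
    if (!preg_match('/error:([0-9A-Fa-f]{8}):/', $line, $m)) {
        return null; // no packed error code on this line
    }
    $code   = hexdec($m[1]);
    $lib    = ($code >> 24) & 0xFF;
    $func   = ($code >> 12) & 0xFFF;
    $reason = $code & 0xFFF;
    $alert  = null;
    if ($lib === ERR_LIB_SSL && $reason > SSL_AD_REASON_OFFSET) {
        $n     = $reason - SSL_AD_REASON_OFFSET;
        $alert = isset($alerts[$n]) ? "$n ({$alerts[$n]})" : "$n (not in table)";
    }
    return compact('lib', 'func', 'reason', 'alert');
}

// The two error strings quoted in the comments of this report.
$samples = array(
    'error:140773F2:SSL routines:func(119):reason(1010)',
    'error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error',
);
foreach ($samples as $s) {
    $d = decode_openssl_error($s);
    printf("lib=%d func=%d reason=%d alert=%s\n",
        $d['lib'], $d['func'], $d['reason'],
        $d['alert'] === null ? 'none' : $d['alert']);
}
```

Both codes share the 14077 prefix, so they come from the same library and function (119, which the newer comment's message names as SSL23_GET_SERVER_HELLO). They differ only in which alert the server sent in reply to the client hello: 10 in the original report, 80 in the CentOS comment.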