fopen fails on some SSL urls
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php | Unknown | Unknown | |
openssl (Ubuntu) | Won't Fix | Undecided | Unassigned |
php5 (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
Binary package hint: php5
Description: Ubuntu 10.04 LTS
Release: 10.04
php5:
Installed: 5.3.2-1ubuntu4.2
Candidate: 5.3.2-1ubuntu4.2
Version table:
*** 5.3.2-1ubuntu4.2 0
500 http://
100 /var/lib/
5.3.2-1ubuntu4 0
500 http://
For some reason I can't seem to get the following to work. I suspect an SSL problem. Maybe the intermediate SSL cert is not being recognized properly? The server cert is signed by geotrust (which is an intermediate of equifax[1]).
I put the following in a file called /tmp/fopen.php:
<?php
if (fopen("https:/
if (fopen("https:/
?>
Then I run the php via an apache web and/or via the php5-cli (the results are the same in both cases):
$ php /tmp/fopen.php
www.google.com worked
PHP Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:140773F2:SSL routines:
PHP Warning: fopen(): Failed to enable crypto in /tmp/fopen.php on line 3
PHP Warning: fopen(https:/
$
When I run the above command on a karmic or jaunty machine it works fine for both fopen() calls. I've attached a tcpdump of the above script.
As you can see from the dump, Google is working but my server is not. I get an SSL alert packet (packet #29) back with code 10 (unexpected message). Maybe this is an intermediate cert verification problem?
What is funny is that I get an ACK right before that. It seems like maybe the server is sending an ACK, client starts talking, server isn't ready and sends an out-of-order message.
Scott
-----------
[1] https:/
Changed in php5 (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in openssl (Ubuntu):
status: In Progress → Confirmed
assignee: Clint Byrum (clint-fewbar) → nobody
Changed in openssl (Ubuntu):
status: Confirmed → Won't Fix
The example given returns the same result for me on an up-to-date maverick system. I think the problem is just a misleading error message bubbling up from openssl. s_client does give an error about the self signed cert:
verify error:num=19:self signed certificate in certificate chain
Full log:
clint@ubuntu:~$ openssl s_client -host cas.ucdavis.edu -port 443
CONNECTED(00000003)
depth=1 /C=US/O=
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/
i:/C=
1 s:/C=US/
i:/C=
---
Server certificate
subject=
issuer=
---
No client certificate CA names sent
---
SSL handshake has read 2147 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-
Session-ID: 4C116AFE454ACEE
Session-ID-ctx:
Master-Key: B7D3BB1CA375E59
Key-Arg : None
Start Time: 1276209918
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
HEAD / HTTP/1.0
Host: cas.ucdavis.edu
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: https://cas.ucdavis.edu/login
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Thu, 10 Jun 2010 22:45:34 GMT
Connection: close
closed
clint@ubuntu:~$
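The s_client output above points at chain verification rather than at the wording of the PHP warning. As an added example (not code from the bug report, from PHP or from Ubuntu), the following script makes the same check explicit through the fopen() https wrapper: it first captures the chain the server actually presents, then retries with verify_peer enabled against a CA bundle and collects the warning text that carries the OpenSSL error. The bundle path /etc/ssl/certs/ca-certificates.crt and the use of the PHP 5.x CN_match option are assumptions.

```php
<?php
// Added diagnostic for the chain problem discussed in this bug, not code from the
// report or from PHP/Ubuntu. CA_BUNDLE is Ubuntu's default bundle path (assumption).
define('CA_BUNDLE', '/etc/ssl/certs/ca-certificates.crt');
// Render an openssl_x509_parse() name array in s_client style: /C=US/O=Equifax/...
function dn_to_string(array $dn)
{
    $s = '';
    foreach ($dn as $k => $v) {
        $s .= '/' . $k . '=' . (is_array($v) ? implode(',', $v) : $v);
    }
    return $s;
}
// Open the URL with explicit SSL options and collect the warnings fopen() raises;
// those warnings carry the underlying OpenSSL error text.
function tls_open($url, array $ssl_opts)
{
    $warnings = array();
    set_error_handler(function ($no, $msg) use (&$warnings) { $warnings[] = $msg; return true; });
    $ctx = stream_context_create(array('ssl' => $ssl_opts));
    $fp  = fopen($url, 'r', false, $ctx);
    restore_error_handler();
    if ($fp) {
        fclose($fp);
    }
    return array('ok' => $fp !== false, 'warnings' => $warnings, 'ctx' => $ctx);
}
function probe($url)
{
    // Step 1: skip verification, only capture the chain the server actually sends.
    $r = tls_open($url, array('verify_peer' => false, 'capture_peer_cert_chain' => true));
    $opts = stream_context_get_options($r['ctx']);
    echo "Chain presented by the server:\n";
    if (empty($opts['ssl']['peer_certificate_chain'])) {
        echo "  handshake failed: " . implode(' | ', $r['warnings']) . "\n";
        return;
    }
    foreach ($opts['ssl']['peer_certificate_chain'] as $i => $x509) {
        $c = openssl_x509_parse($x509);
        printf("  %d s:%s\n    i:%s\n", $i, dn_to_string($c['subject']), dn_to_string($c['issuer']));
    }
    // Step 2: verify against the CA bundle; a missing or untrusted intermediate fails here.
    $r = tls_open($url, array('verify_peer' => true, 'cafile' => CA_BUNDLE,
                              'CN_match' => parse_url($url, PHP_URL_HOST)));
    echo "Verification against " . CA_BUNDLE . ': ' . ($r['ok'] ? "OK\n" : "FAILED\n");
    foreach ($r['warnings'] as $w) {
        echo "  $w\n";
    }
}
probe('https://cas.ucdavis.edu/');
```

If step 1 lists only the leaf certificate with an issuer that step 2 cannot find in the bundle, the server is not sending its intermediate, which is the condition the reporter suspected.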