PHP :: Bug #29296 :: SSL connection failed

Bug #29296

SSL connection failed

Submitted:

2004-07-21 13:12 UTC

Modified:

2010-12-20 11:41 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

hotte at unrealforum dot de

Assigned:

jani (profile)

Status:

Closed

Package:

OpenSSL related

PHP Version:

5.0.0

OS:

Linux Gentoo 2.6.7

Private report:

CVE-ID:

None

View Developer Edit

[2004-07-21 13:12 UTC] hotte at unrealforum dot de

Description:
------------
I've tried to etablish a ssl-connection with the php-cli to a rrp-server (http://www.ietf.org/rfc/rfc2832.txt?number=2832) with fsockopen but receive "SSL handshake/connection failed"
A connect with openssl is successfull:

openssl s_client -ssl3 -crlf -connect host:648


New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
    Session-ID: 77752169E6CCC2EE44C4A5BADFD93A074D041FA8D0E8A5285810312F2DEBD43E
    Session-ID-ctx:
    Master-Key: 58F8FE9AA2CE1D5A731D3A7207889503A79254DC3BE6D1C8DE3B94EB4E634317D7CC084CA29BBE7218F587967EA099B6
    Key-Arg   : None
    Start Time: 1090407338
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---


PHP configure:

'./configure' '--prefix=/usr' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc/php/apache2-php5' '--without-pear' '--disable-bcmath' '--without-bz2' '--disable-calendar' '--without-cpdflib' '--disable-ctype' '--without-curl' '--without-curlwrappers' '--disable-dbase' '--disable-dbx' '--disable-dio' '--disable-exif' '--with-fam' '--without-fbsql' '--without-fdftk' '--disable-filepro' '--disable-ftp' '--with-gettext' '--without-gmp' '--without-hwapi' '--without-iconv' '--without-informix' '--without-ingres' '--without-interbase' '--enable-mbstring' '--with-mcrypt' '--without-mcve' '--without-mhash' '--without-ming' '--without-mnogosearch' '--without-msql' '--without-mssql' '--with-ncurses' '--without-oci8' '--without-oracle' '--with-openssl' '--without-ovrimos' '--without-pcre-regx' '--without-pfpro' '--without-pgsql' '--disable-posix' '--with-pspell' '--without-recode' '--disable-simplexml' '--without-snmp' '--disable-soap' '--disable-sockets' '--disable-spl' '--without-sybase' '--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy' '--disable-tokenizer' '--disable-wddx' '--without-xsl' '--with-xmlrpc' '--disable-yp' '--with-zlib' '--without-cdb' '--with-db4' '--without-dbm' '--without-flatfile' '--with-gdbm' '--without-inifile' '--without-qdbm' '--with-gd' '--enable-gd-jis-conf' '--enable-gd-native-ttf' '--with-ldap' '--without-ldap-sasl' '--with-mysql' '--disable-session' '--without-sqlite' '--enable-dba' '--with-readline' '--without-libedit'


SSL connections to other Mail/Webserver works fine.

Reproduce code:
---------------
$fd	=	fsockopen("ssl://host,648);
or
$fd	=	fsockopen("tls://host,648);

Expected result:
----------------
a successfull connection

Actual result:
--------------
Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1408F10B:SSL routines:func(143):reason(267) in test.php on line 3

Warning: fsockopen(): Failed to enable crypto in test.php on line 3

Warning: fsockopen(): unable to connect to tls://host:648 (Unknown error) in test.php on line 3

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-09-10 13:13 UTC] wez@php.net

How to diagnose OpenSSL errors:

Look at the error message:
error:1408F10B:SSL routines:func(143):reason(267)

Take the reason code (267) and determine the error:
grep 267 /usr/include/openssl/ssl.h
/usr/include/openssl/ssl.h:#define SSL_R_WRONG_VERSION_NUMBER                    267

Now google for SSL_R_WRONG_VERSION_NUMBER

Read the first hit: 
http://www.mail-archive.com/openssl-dev@openssl.org/msg02770.html

"
    Many of SSL clients sends the first CLIENT HELLO with
    ssl2 format (0x80.....) because they don't know what
    version the server supports.
    In this first message, the client sends the version
    he wants to use (3 for SSL3), then the other exchanged
    messages are in the appropriate format SSL3 for V3,
    SSL2 for V2 etc....

    So in your server method configuration you must put:
      SSL_CTX *ctx = SSL_CTX_new (SSLv23_server_method())
    to correctely analyse the first client_hello message
    instead of 
      SSL_CTX *ctx = SSL_CTX_new (SSLv3_server_method())
    which i suppose you did.
"

Conclusion: the rrp-server uses SSLv3_server_method and therefore needs to be fixed to use SSLv23 instead.

[2004-09-10 13:44 UTC] wez@php.net

On reflection, it might be a tad difficult to force rrp server to change, so I've added sslv2:// and sslv3:// transports to CVS; grab the next snapshot (5.0 or HEAD) and use fsockopen("sslv3://...") instead.

[2010-12-20 11:41 UTC] jani@php.net

-Package: Tidy +Package: OpenSSL related -Assigned To: +Assigned To: jani

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 08:01:29 2024 UTC