php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #29296 SSL connection failed
Submitted: 2004-07-21 13:12 UTC Modified: 2010-12-20 11:41 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: hotte at unrealforum dot de Assigned: jani (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.0.0 OS: Linux Gentoo 2.6.7
Private report: No CVE-ID: None
 [2004-07-21 13:12 UTC] hotte at unrealforum dot de
Description:
------------
I've tried to etablish a ssl-connection with the php-cli to a rrp-server (http://www.ietf.org/rfc/rfc2832.txt?number=2832) with fsockopen but receive "SSL handshake/connection failed"
A connect with openssl is successfull:

openssl s_client -ssl3 -crlf -connect host:648


New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
    Session-ID: 77752169E6CCC2EE44C4A5BADFD93A074D041FA8D0E8A5285810312F2DEBD43E
    Session-ID-ctx:
    Master-Key: 58F8FE9AA2CE1D5A731D3A7207889503A79254DC3BE6D1C8DE3B94EB4E634317D7CC084CA29BBE7218F587967EA099B6
    Key-Arg   : None
    Start Time: 1090407338
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---


PHP configure:

'./configure' '--prefix=/usr' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc/php/apache2-php5' '--without-pear' '--disable-bcmath' '--without-bz2' '--disable-calendar' '--without-cpdflib' '--disable-ctype' '--without-curl' '--without-curlwrappers' '--disable-dbase' '--disable-dbx' '--disable-dio' '--disable-exif' '--with-fam' '--without-fbsql' '--without-fdftk' '--disable-filepro' '--disable-ftp' '--with-gettext' '--without-gmp' '--without-hwapi' '--without-iconv' '--without-informix' '--without-ingres' '--without-interbase' '--enable-mbstring' '--with-mcrypt' '--without-mcve' '--without-mhash' '--without-ming' '--without-mnogosearch' '--without-msql' '--without-mssql' '--with-ncurses' '--without-oci8' '--without-oracle' '--with-openssl' '--without-ovrimos' '--without-pcre-regx' '--without-pfpro' '--without-pgsql' '--disable-posix' '--with-pspell' '--without-recode' '--disable-simplexml' '--without-snmp' '--disable-soap' '--disable-sockets' '--disable-spl' '--without-sybase' '--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy' '--disable-tokenizer' '--disable-wddx' '--without-xsl' '--with-xmlrpc' '--disable-yp' '--with-zlib' '--without-cdb' '--with-db4' '--without-dbm' '--without-flatfile' '--with-gdbm' '--without-inifile' '--without-qdbm' '--with-gd' '--enable-gd-jis-conf' '--enable-gd-native-ttf' '--with-ldap' '--without-ldap-sasl' '--with-mysql' '--disable-session' '--without-sqlite' '--enable-dba' '--with-readline' '--without-libedit'


SSL connections to other Mail/Webserver works fine.

Reproduce code:
---------------
$fd	=	fsockopen("ssl://host,648);
or
$fd	=	fsockopen("tls://host,648);

Expected result:
----------------
a successfull connection

Actual result:
--------------
Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1408F10B:SSL routines:func(143):reason(267) in test.php on line 3

Warning: fsockopen(): Failed to enable crypto in test.php on line 3

Warning: fsockopen(): unable to connect to tls://host:648 (Unknown error) in test.php on line 3

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-09-10 13:13 UTC] wez@php.net
How to diagnose OpenSSL errors:

Look at the error message:
error:1408F10B:SSL routines:func(143):reason(267)

Take the reason code (267) and determine the error:
grep 267 /usr/include/openssl/ssl.h
/usr/include/openssl/ssl.h:#define SSL_R_WRONG_VERSION_NUMBER                    267

Now google for SSL_R_WRONG_VERSION_NUMBER

Read the first hit: 
http://www.mail-archive.com/openssl-dev@openssl.org/msg02770.html

"
    Many of SSL clients sends the first CLIENT HELLO with
    ssl2 format (0x80.....) because they don't know what
    version the server supports.
    In this first message, the client sends the version
    he wants to use (3 for SSL3), then the other exchanged
    messages are in the appropriate format SSL3 for V3,
    SSL2 for V2 etc....

    So in your server method configuration you must put:
      SSL_CTX *ctx = SSL_CTX_new (SSLv23_server_method())
    to correctely analyse the first client_hello message
    instead of 
      SSL_CTX *ctx = SSL_CTX_new (SSLv3_server_method())
    which i suppose you did.
"

Conclusion: the rrp-server uses SSLv3_server_method and therefore needs to be fixed to use SSLv23 instead.

 [2004-09-10 13:44 UTC] wez@php.net
On reflection, it might be a tad difficult to force rrp server to change, so I've added sslv2:// and sslv3:// transports to CVS; grab the next snapshot (5.0 or HEAD) and use fsockopen("sslv3://...") instead.
 [2010-12-20 11:41 UTC] jani@php.net
-Package: Tidy +Package: OpenSSL related -Assigned To: +Assigned To: jani
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC