Bug #52106 fopen fails on some SSL urls
Submitted: 2010-06-17 00:10 UTC
Modified: 2013-02-18 00:34 UTC
Votes: 23
Avg. Score: 4.6 ± 1.0
Reproduced: 19 of 19 (100.0%)
Same Version: 11 (57.9%)
Same OS: 9 (47.4%)
From: sc0ttbeardsley at gmail dot com
Assigned:
Status: No Feedback
Package: OpenSSL related
PHP Version: 5.3.2
OS: Ubuntu Lucid/Maverick
Private report: No
CVE-ID:

 [2010-06-17 00:10 UTC] sc0ttbeardsley at gmail dot com
Description:
------------
This bug is being filed as requested on the Ubuntu bug tracker; see [1].

I'm having problems running the script below using the version of php5 that 
comes with Lucid (Clint Byrum reproduced it in Maverick and the php5 svn).

For some reason this is only happening on one of our servers. Whenever I try to 
run fopen() against it I get a "SSL operation failed with code 1. OpenSSL Error 
messages: error:140773F2:SSL routines:func(119):reason(1010)" message. I 
attached a tcpdump of a similar transaction (instead of yale it was google) 
here[2].

As you can see from the dump, Google is working but my server is not. I get an 
SSL alert packet (packet #29) back with SSL code 10 (unexpected message). I 
can't seem to reproduce it on other HTTPS servers (yet).

What is funny is that I get an ACK right before that. It seems like maybe the 
server is sending an ACK, client starts talking, server isn't ready and sends an 
out-of-order message. I'm not sure if it is my https server that is barfing or 
it is fopen() that is sending the wrong packets. This script works fine on 
Karmic (PHP 5.2.10-2ubuntu6.4).

Scott
------------
[1] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/592442
[2] http://launchpadlibrarian.net/50098267/out.dump

Test script:
---------------
<?php
$ctx = stream_context_create(array('ssl'=>array('verify_peer'=>true, 'capath'=>'/etc/ssl/certs')));
$uris = array(	"https://cas.ucdavis.edu/login", 
		"https://www.google.com/",);

$uris = array ( "https://cas.ucdavis.edu/cas/login","https://secure.its.yale.edu/cas/login", );

foreach ($uris as &$uri) {
	print "checking $uri\n";
	fopen("$uri",'r',false,$ctx);
}
?>

Expected result:
----------------
checking https://cas.ucdavis.edu/cas/login
checking https://secure.its.yale.edu/cas/login

Actual result:
--------------
checking https://cas.ucdavis.edu/cas/login
PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:140773F2:SSL routines:func(119):reason(1010) in /root/bug.php on line 10
PHP Warning:  fopen(): Failed to enable crypto in /root/bug.php on line 10
PHP Warning:  fopen(https://cas.ucdavis.edu/cas/login): failed to open stream: 
operation failed in /root/bug.php on line 10
checking https://secure.its.yale.edu/cas/login

 [2010-06-17 00:35 UTC] sc0ttbeardsley at gmail dot com
-Package: HTTP related +Package: OpenSSL related
 [2010-06-17 00:35 UTC] sc0ttbeardsley at gmail dot com
This might not be an fopen() problem. The following code won't work either:


<?php
$fp = fsockopen("ssl://cas.ucdavis.edu", 443, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    $out = "GET /cas/login HTTP/1.1\r\n";
    $out .= "Host: cas.ucdavis.edu\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}
?>

$ php bug2.php
The following is printed:
PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error 
messages:
error:140773F2:SSL routines:func(119):reason(1010) in bug2.php on line 2
PHP Warning:  fsockopen(): Failed to enable crypto in bug2.php on line 2
PHP Warning:  fsockopen(): unable to connect to ssl://cas.ucdavis.edu:443 
(Unknown error) in bug2.php on line 2
 (0)<br />
$
 [2010-06-17 19:43 UTC] sc0ttbeardsley at gmail dot com
An update... I've discovered that the cas.ucdavis.edu machine does not correctly 
deal with fragmented IP packets. I thought this might be the problem but 
then I went looking for those types of packets and found none (I'll still try to 
get that fixed though).

Then I discovered that the "client hello" packet (first packet after the 
connection is established) on a Lucid machine shows up in Wireshark as the TLSv1 
protocol and on a Karmic machine it shows up as an SSLv2 protocol.

I wonder why this changed? Did the defaults for openssl change or something?
 [2010-06-17 19:45 UTC] sc0ttbeardsley at gmail dot com
Substitute Lucid in my last comment with PHP v5.3.2 and Karmic with PHP v5.2.10.
 [2010-08-23 12:50 UTC] k dot nagurski at ulster dot ac dot uk
We're having the same problem with connecting to a box running our student records 
system.

We've tested this using Zend Server 5.0.2 on RHEL, with PHP version 5.3.2. 
We've also been able to reproduce this on Zend Server CE 5.0.2 using MacOSX, also 
PHP version 5.3.2.

As far as we can see, this popped up with 5.3.2 as we cannot reproduce the problem 
with a version of Zend Server CE running PHP 5.3.1.
 [2010-09-15 12:12 UTC] personseb at yahoo dot fr
same problem here...

Warning: fsockopen() [function.fsockopen]: SSL operation failed with code 1. 
OpenSSL Error messages: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 
alert internal error in /www/test_servicesWS_sp.php on line 16

Warning: fsockopen() [function.fsockopen]: Failed to enable crypto in 
/www/test_servicesWS_sp.php on line 16

Warning: fsockopen() [function.fsockopen]: unable to connect to 
ssl://192.168.0.1:443 (Unknown error) in /www/test_servicesWS_sp.php on line 16
(0)

PHP 5.3.2
OpenSSL 1.0.0
OS CentOS
 [2010-09-15 17:07 UTC] personseb at yahoo dot fr
Maybe a hint to troubleshoot the problem: if I use the following, it works:


$t_context = array(
        'ciphers' => 'ALL:!AES:!3DES:!RC4:@STRENGTH', // OK:LOW
);
$context = stream_context_create(
        array(
                'ssl' => $t_context,
));

file_get_contents('https://myserver:443', false, $context);

Without the above context it breaks:

file_get_contents('https://myserver:443');
 [2010-09-20 16:39 UTC] ns at centralservices dot nl
I'm having a similar problem.

The URL I'm trying to open: https://login.twinfield.com/webservices/session.asmx?wsdl

Environment in which it's working perfectly: Ubuntu 9.10 (php 5.2.10).

Environment in which it's not working: Ubuntu 10.04.1 (php 5.3.2).
The specific errors I get when trying to connect to the url:

PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14092073:SSL routines:func(146):reason(115) in /share/ac/staging/test_twf_ubuntu10lts.php on line 26
PHP Warning:  fopen(): Failed to enable crypto in /share/ac/staging/test_twf_ubuntu10lts.php on line 26
PHP Warning:  fopen(https://login.twinfield.com/webservices/session.asmx?wsdl): failed to open stream: operation failed in /share/ac/staging/test_twf_ubuntu10lts.php on line 26

This means that I cannot connect to a very important SSL webservice through SoapClient so I cannot upgrade to Ubuntu 10 lts, which I really need to because of another, new, crucial package our project will depend on.

I guess that the failing SOAP call is related to the above, but just to be sure, I'm getting the following error when trying to create a SoapClient with the above WSDL url (note that a commandline wget of the url works just fine):

PHP Fatal error:  SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://login.twinfield.com/webservices/session.asmx?wsdl' : failed to load external entity "https://login.twinfield.com/webservices/session.asmx?wsdl"
 in /share/staging/test_twf_ubuntu10lts.php on line 30
SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://login.twinfield.com/webservices/session.asmx?wsdl' : failed to load external entity "https://login.twinfield.com/webservices/session.asmx?wsdl"
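
Added example, not part of the original report or of any comment: the `error:XXXXXXXX` values quoted in the warnings above pack a library, function and reason number, and a reason of 1000 or more in the SSL library is 1000 plus the TLS alert number the peer sent. The sketch below decodes the three codes from this page; it assumes the OpenSSL 0.9.8/1.0.x code layout (8/12/12 bits), which later OpenSSL releases changed, and `decode_openssl_error` is a hypothetical helper name.

```php
<?php
// Added example: split the packed code in "error:XXXXXXXX:" as OpenSSL
// 0.9.8/1.0.x builds it: 8 bits library, 12 bits function, 12 bits reason.

const SSL_LIB = 20;                 // 0x14, the libssl error library
const SSL_AD_REASON_OFFSET = 1000;  // reason = 1000 + alert sent by the peer

function decode_openssl_error($line)
{
    // Alert names from RFC 5246 section 7.2 (subset).
    $alerts = array(
        10 => 'unexpected_message', 20 => 'bad_record_mac',
        40 => 'handshake_failure',  47 => 'illegal_parameter',
        70 => 'protocol_version',   80 => 'internal_error',
    );
    if (!preg_match('/error:([0-9A-Fa-f]{8}):/', $line, $m)) {
        return null;                // no packed code on this line
    }
    $code   = hexdec($m[1]);
    $lib    = ($code >> 24) & 0xFF;
    $func   = ($code >> 12) & 0xFFF;
    $reason = $code & 0xFFF;
    $alert  = null;
    if ($lib === SSL_LIB && $reason >= SSL_AD_REASON_OFFSET) {
        $num   = $reason - SSL_AD_REASON_OFFSET;
        $alert = isset($alerts[$num]) ? $alerts[$num] : "alert $num";
    }
    return compact('lib', 'func', 'reason', 'alert');
}

// Warning lines copied from the reports on this page.
$warnings = array(
    'error:140773F2:SSL routines:func(119):reason(1010)',
    'error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error',
    'error:14092073:SSL routines:func(146):reason(115)',
);

foreach ($warnings as $w) {
    $e = decode_openssl_error($w);
    printf("%s -> lib=%d func=%d reason=%d %s\n", substr($w, 6, 8),
        $e['lib'], $e['func'], $e['reason'],
        $e['alert'] !== null ? "peer alert: {$e['alert']}"
                             : 'library reason (no peer alert)');
}
```

The decoded function and reason numbers can be checked against the `func(119):reason(1010)` and `func(146):reason(115)` text in the same warnings, and an alert-derived reason tells you the remote server rejected the handshake rather than the local library failing on its own.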
 [2010-09-28 10:40 UTC] ns at centralservices dot nl
A note on my previous post. Downgrading to PHP 5.2.10 within Ubuntu 10.04.1 LTS does resolve the problem. So the bug clearly resides in the PHP codebase.
 [2010-10-04 13:57 UTC] shinoj at hotmail dot com
Hi,

I could not reproduce this bug on RHEL5 64 bit (kernel 2.6.18-164.el5) with php-5.1.6-23.2.el5_3 which is the redhat default

and centos5 64 bit (kernel 2.6.18-194.3.1.el5) with php-5.3.2-2

Regards,
Shinoj.
 [2010-10-13 18:41 UTC] jeremy dot postlethwaite at gmail dot com
I am also having trouble with stream_socket_client and Zend_Auth_Adapter_Cas

http://framework.zend.com/wiki/display/ZFPROP/Zend_Auth_Adapter_Cas+-+Jeremy+Postlethwaite

I am using CentOS 5.5, zend-server-ce-php-5.3 and PHP 5.3.3.

Here is my error:

Unable to Connect to ssl://cas.ucdavis.edu:443. Error #0: 

The problem did not arise until I upgraded to PHP 5.3.3
 [2010-10-19 22:45 UTC] website-php at interfasys dot ch
Same problem on FreeBSD 8.1 with PHP 5.2.14 and OpenSSL 1.0.
Impossible to connect to a website using SSL.
Immediate Timeout, error 0.
Tried both fopen and fsockopen.
 [2010-12-02 07:44 UTC] clint at ubuntu dot com
I think this issue is actually on the server side, and may be superseded by this 
bug request I just filed:

http://bugs.php.net/bug.php?id=53447
 [2011-02-02 15:18 UTC] cataphract@php.net
-Status: Open +Status: Feedback
 [2011-02-02 15:18 UTC] cataphract@php.net
Please see if the new feature for bug #53447 resolves this issue.
 [2011-02-02 19:20 UTC] website-php at interfasys dot ch
It's fixed for me on 5.3.x. Too bad this hasn't been ported back to 5.2.x
 [2011-12-16 15:16 UTC] ns at centralservices dot nl
The issue has been fixed for me in the latest PHP 5.3 release of Ubuntu 10.04.3 LTS.
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
Last updated: Wed Apr 16 18:01:53 2014 UTC