Bug 1042908
Summary: | PHP-SOAP calls to HTTPS resources cause network timeout. | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Glen Solsberry <gms8994> | ||||||
Component: | openssl | Assignee: | Tomas Mraz <tmraz> | ||||||
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||
Severity: | medium | Docs Contact: | |||||||
Priority: | unspecified | ||||||||
Version: | 6.4 | CC: | davids, fedora, gms8994, pt, rcollet | ||||||
Target Milestone: | rc | ||||||||
Target Release: | --- | ||||||||
Hardware: | x86_64 | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2013-12-19 09:52:49 UTC | Type: | Bug | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Glen Solsberry
2013-12-13 15:43:30 UTC
Created attachment 836357 [details]
Minimal identify.wsdl
Can you please add the "soap_test.php" ? Created attachment 836373 [details]
Minimal php test file.
Apologies. I marked this for attachment when I created the bug. I guess it didn't make it.
From a quick test, same connection issue with latest PHP 5.5.7 (tested under Fedora 19) Adding to connect option: 'ssl_method' => SOAP_SSL_METHOD_SSLv3, seems to work. Can you please confirm with php-5.3.3-27 ? The 'ssl_method' parameter was added in 5.5; it will not work in 5.3. * more PHP tests: php-5.3.3-23.el6_4.x86_64 + openssl-1.0.1e-15.el6.x86_64 none very long timeout php-5.3.3-23.el6_4.x86_64 + openssl-1.0.0-27.el6_4.2.x86_64 none OK php-5.3.3-26.el6.x86_64 + openssl-1.0.1e-15.el6.x86_64 none very long timeout php-5.3.3-26.el6.x86_64 + openssl-1.0.0-27.el6_4.2.x86_64 none OK So, I think there is no regression in PHP. * From www.ssllabs.com analysis: Handshake Simulation OpenSSL 0.9.8y TLS 1.0 TLS_RSA_WITH_RC4_128_MD5 (0x4) No FS 128 OpenSSL 1.0.1e Protocol or cipher suite mismatch Fail3 * Test using openssl command; $ rpm -q openssl openssl-1.0.1e-16.el6_5.1.x86_64 $ openssl s_client -connect identify.insightgateways.com:443 -debug CONNECTED(00000003) write to 0x1006ed0 [0x1027e60] (263 bytes => 263 (0x107)) 0000 - 16 03 01 01 02 01 00 00-fe 03 03 52 ae b0 21 79 ...........R..!y 0010 - 26 99 ad 9c 90 1e cb fd-7c 7b d7 de d9 bb be 64 &.......|{.....d 0020 - cf 38 30 dd 4b 8c 8c 0d-cc 1e 14 00 00 94 c0 30 .80.K..........0 0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a3 00 9f 00 6b .,.(.$.........k 0040 - 00 6a 00 39 00 38 00 88-00 87 c0 32 c0 2e c0 2a .j.9.8.....2...* 0050 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 12 .&.......=.5.... 0060 - c0 08 00 16 00 13 c0 0d-c0 03 00 0a c0 2f c0 2b ............./.+ 0070 - c0 27 c0 23 c0 13 c0 09-00 a2 00 9e 00 67 00 40 .'.#.........g.@ 0080 - 00 33 00 32 00 9a 00 99-00 45 00 44 c0 31 c0 2d .3.2.....E.D.1.- 0090 - c0 29 c0 25 c0 0e c0 04-00 9c 00 3c 00 2f 00 96 .).%.......<./.. 00a0 - 00 41 00 07 c0 11 c0 07-c0 0c c0 02 00 05 00 04 .A.............. 00b0 - 00 15 00 12 00 09 00 14-00 11 00 08 00 06 00 03 ................ 00c0 - 00 ff 01 00 00 41 00 0b-00 04 03 00 01 02 00 0a .....A.......... 00d0 - 00 06 00 04 00 18 00 17-00 23 00 00 00 0d 00 22 .........#....." 00e0 - 00 20 06 01 06 02 06 03-05 01 05 02 05 03 04 01 . .............. 00f0 - 04 02 04 03 03 01 03 02-03 03 02 01 02 02 02 03 ................ 0100 - 01 01 00 0f 00 01 01 ....... ===> very long time read from 0x1006ed0 [0x102d3c0] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF)) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 263 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- It seems there is a problem on the server side, when it receives client hello from openssl-1.0.1e, the server should reply with something. Can you please check the server configuration ? Unfortunately, I do not manage the server installation in this case, only the client. However, in speaking with the owners of the server, they say that nothing has changed since well before November 27 (when we started seeing the issue). We are confirming with the remote server manager that nothing has changed. I'll update when I find out more. I don't say that the server has changed, it just should tolerate the valid client hellos from openssl-1.0.1e or at least send TLS alert message with an error if there is an error in the client hello. It seems to be related to an F5 device in front of their system. The URL included documents the problem. https://www.imperialviolet.org/2013/10/07/f5update.html *** This bug has been marked as a duplicate of bug 1044446 *** |