Bug 1044446

Summary: curl does not work with https://api.mercadolibre.com/ after update to RHEL-6.5
Product: Red Hat Enterprise Linux 6 Reporter: Marcop <marcopinho>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED CANTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.6CC: cleaver-redhat, davids, gms8994, hkario, marcopinho, nkinder, rrelyea, thoger, tmraz
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-09 19:34:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marcop 2013-12-18 10:42:56 UTC 
Description of problem:

The MyHosting.com insisted repeatedly that the problem was in the API, so I created a new VPS today, everything worked fine when I noticed that the problem started to appear shortly after the system update.

After the openssl updates that changes the security requirements and has broken my server for secure calls.

wget --secure-protocol=tlsv1 get the file but the WGET is just a simple way to illustrate the problem that is happening after the update, access is via a PHP page where the code is:

...LINESLINESLINESLINESLINESLINESLINESLINESLINESLINESLININESLINESLINES...

function get_fcontent( $url, $javascript_loop = 0, $timeout = 5 ) {
    $url = str_replace( "&", "&", urldecode(trim($url)) );
    $cookie = tempnam ("/tmp", "CURLCOOKIE");
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1" );
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookie );
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
    curl_setopt( $ch, CURLOPT_ENCODING, "" );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_AUTOREFERER, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false ); # required for https urls
    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
    curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout );
    curl_setopt( $ch, CURLOPT_MAXREDIRS, 10 );
    $content = curl_exec( $ch );
    $response = curl_getinfo( $ch );
    curl_close ( $ch );
    if ($response['http_code'] == 301 || $response['http_code'] == 302) {
        ini_set("user_agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1");
        if ( $headers = get_headers($response['url']) ) {
            foreach( $headers as $value ) {
                if ( substr( strtolower($value), 0, 9 ) == "location:" )
                    return get_url( trim( substr( $value, 9, strlen($value) ) ) );
            }
        }
    }

    if ( ( preg_match("/>[[:space:]]+window\.location\.replace\('(.*)'\)/i", $content, $value) || preg_match("/>[[:space:]]+window\.location\=\"(.*)\"/i", $content, $value) ) && $javascript_loop < 5) {
        return get_url( $value[1], $javascript_loop+1 );
    } else {
        return array( $content, $response );
    }
}

...LINESLINESLINESLINESLINESLINESLINESLINESLINESLINESLININESLINESLINES...


I have not found an option like "--secure-protocol=tlsv1" in PHP, to circumvent the problem.

Yesterday after the downgrade returned to work, as reported above, but the system update installed the update again, blocking access again.

How can I disable the update of this package?
If you can not disable only the packages, as I disable the automatic update to manual? So can I downgrade afterwards.

Version-Release number of selected components:
[~]# uname -mrs
Linux 2.6.32-042stab079.6 x86_64
[~]# cat /proc/version
Linux version 2.6.32-042stab079.6 (root@rh6-build-x64) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Mon Aug 26 19:47:50 MSK 20
13

named	9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6	up

openssl-devel-1.0.1e-16.el6_5.x86_64 (BUG DETECTED)
openssl-1.0.1e-16.el6_5.x86_64 (BUG DETECTED)

openssl-1.0.0-27.el6_4.2.x86_64.rpm (WORKING FINE)
openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm (WORKING FINE)

How reproducible:
Below the chat transcript where Tristan diagnosed the fault that caused the stop of my VPS and days searching for the solution.
I was able to provide that openssl is the issue not cPanel (and the openssl updates were CentOS updates for the Operating System rather than those for cPanel control panel). First, I downgraded my CentOS 6.5 machine to openssl-1.0.0-27 that was the prior openssl version:

wget ftp://fr2.rpmfind.net/linux/centos/6.4/updates/x86_64/Packages/openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm
wget ftp://fr2.rpmfind.net/linux/centos/6.4/updates/x86_64/Packages/openssl-1.0.0-27.el6_4.2.x86_64.rpm

rpm -Uvh openssl-1.0.0-27.el6_4.2.x86_64.rpm
rpm -Uvh openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm

Of note, I had wget the rpms for 1.0.0-27 before I removed the existing openssl and openssl-devel 1.0.1e-16 packages, because yum and wget won't work to grab anything after openssl has been removed. As such, after I wget the older openssl, I removed the openssl and openssl-devel 1.0.1e-16 rpms, then I installed the openssl 1.0.0-27 older openssl rpms. Then I ran this command successfully:

-bash-4.1# wget https://api.mercadolibre.com/items/MLB519566844
--2013-12-14 13:45:16--  https://api.mercadolibre.com/items/MLB519566844
Resolving api.mercadolibre.com... 216.33.196.77, 216.33.197.77
Connecting to api.mercadolibre.com|216.33.196.77|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/json]
Saving to: “MLB519566844.1”

    [ <=>                                                                                         ] 2,549       --.-K/s   in 0s

2013-12-14 13:45:16 (17.7 MB/s) - “MLB519566844.1” saved [2549]

After that, I then re-upgraded openssl using this command:

yum update openssl

After it updated to openssl 1.0.1e-16, then the call began failing again:

-bash-4.1# wget https://api.mercadolibre.com/items/MLB519566844
--2013-12-14 13:49:47--  https://api.mercadolibre.com/items/MLB519566844
Resolving api.mercadolibre.com... 216.33.197.77, 216.33.196.77
Connecting to api.mercadolibre.com|216.33.197.77|:443... connected.
Unable to establish SSL connection.

This is entirely an openssl 1.0.1e-16 bug.

Actual results:
-bash-4.1# wget https://api.mercadolibre.com/items/MLB519566844
--2013-12-14 13:49:47--  https://api.mercadolibre.com/items/MLB519566844
Resolving api.mercadolibre.com... 216.33.197.77, 216.33.196.77
Connecting to api.mercadolibre.com|216.33.197.77|:443... connected.
Unable to establish SSL connection.

Expected results:
-bash-4.1# wget https://api.mercadolibre.com/items/MLB519566844
--2013-12-14 13:45:16--  https://api.mercadolibre.com/items/MLB519566844
Resolving api.mercadolibre.com... 216.33.196.77, 216.33.197.77
Connecting to api.mercadolibre.com|216.33.196.77|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/json]
Saving to: “MLB519566844.1”

    [ <=>                                                                                         ] 2,549       --.-K/s   in 0s

2013-12-14 13:45:16 (17.7 MB/s) - “MLB519566844.1” saved [2549]

Additional info:

I receive help from Tristan J. Wallace
Technical Analyst III, Forums Specialist
He say: In the meantime, you can wget the old openssl versions that I linked to above, uninstall the current openssl version and install the older version. I purposely did not indicate the rpm removal commands for the current openssl, since yum and wget and any other functions requiring openssl will be broken if you remove the existing openssl rpms without ensuring the older rpms are wget onto the server. If this breaks due to doing it improperly, we cannot be held responsible. If you are uncertain how to perform the task without breaking yum functionality, please contact a qualified systems administrator.

Please let me know if the above is unclear on where the issue lies. You can setup a new CentOS 6.5 system without cPanel installed at all and see the same issue occur. This isn't being caused by cPanel but by openssl and a bug within the newest version.

Thank you.
Comment 1 Japheth Cleaver 2013-12-18 21:35:41 UTC 
For reference, this link will call out the incompatibility with "newer protocol versions"

https://www.ssllabs.com/ssltest/analyze.html?d=api.mercadolibre.com&s=216.33.196.77


With openssl-1.0.1e installed, this will hang during the handshake:

openssl s_client -msg -connect api.mercadolibre.com:443
Comment 2 Tomas Mraz 2013-12-19 09:50:47 UTC 
This is a bug in the F5/BIG-IP devices: see https://www.imperialviolet.org/2013/10/07/f5update.html
Comment 3 Tomas Mraz 2013-12-19 09:51:33 UTC 
We will try to workaround it.
Comment 4 Tomas Mraz 2013-12-19 09:52:49 UTC 
*** Bug 1042908 has been marked as a duplicate of this bug. ***
Comment 5 Marcop 2013-12-21 02:19:07 UTC 
During this week's technicians MyHosting.com did the downgrade, access worked fine for a few hours, but unfortunately they forgot to turn off the auto-update, thus returning the bugged version to be installed on the server, now the answer technicians myhosting.com is is that "is not possible downgrade".

Dear, how to downgrade properly? (until it is fixed the problem) just tried to uninstall the current version:
rpm -e --nodeps openssl-devel-1.0.1e-16.el6_5.x86_64
rpm -e --nodeps openssl-1.0.1e-16.el6_5.x86_64

and install a functional version:
rpm -Uvh openssl-1.0.0-27.el6_4.2.x86_64.rpm
rpm -Uvh openssl-devel-1.0.0-27.el6_4.2.x86_64.rpm

But I get no SSH access after logging off the system.

Thanks again.
Comment 6 Tomas Mraz 2013-12-21 08:45:31 UTC 
You should be able to workaround the bug with using CURLOPT_SSL_CIPHER_LIST. If you limit the cipher list somehow for example by disabling export ciphers and a few others, it will make the client hello smaller and the connection to those broken SSL servers will not hang.

Use for example:
curl_setopt($ch,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES");
Comment 7 Marcop 2014-01-10 16:59:08 UTC 
Dear Tomaz,
the option that sends me results in an empty search, I tried several others and unfortunately all that worked to make slower research, I am currently using a server with Ubuntu to make reading the file, I hope the problem is resolved, the most soon as possible, since myhosting unable to downgrade.

Thanks again.
Comment 8 Tomas Mraz 2014-01-10 17:12:19 UTC 
I do not quite understand - are you saying that adding 
curl_setopt($ch,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES");
Does not work? It works for me fine.
Comment 9 Marcop 2014-01-10 17:46:57 UTC 
I added the parameters in my PHP, on my VPS, the result was an empty return, gave no error, you can post the full code of your research?

Thank you again.
Comment 10 Tomas Hoger 2014-01-24 09:55:57 UTC 
(In reply to Tomas Mraz from comment #8)
> I do not quite understand - are you saying that adding 
> curl_setopt($ch,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES");

This should not help on Red Hat Enterprise Linux 6, as curl there uses nss, not openssl.  To change cipher suites list, that would need to be adjusted to something nss can parse.

http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLCIPHERLIST

Also the script in comment 0 can be used with RHEL-6 php+curl to fetch the url mentioned in the same comment.
Comment 11 Tomas Mraz 2014-01-24 10:03:43 UTC 
Heh, so I was actually confused with the mentioned wget above which uses openssl. And so this is not really openssl request but nss one.
Comment 12 Tomas Hoger 2014-01-24 10:26:01 UTC 
(In reply to Tomas Mraz from comment #11)
> Heh, so I was actually confused with the mentioned wget above which uses
> openssl. And so this is not really openssl request but nss one.

Well, no, RHEL-6 curl/nss works with that site.  openssl/wget does not.  If php+curl does not work, reporter may be using some custom curl packages, or there's some other important information missing in this report.

The issue does not seem to reproduce with nss, even when tls 1.1+ is enabled and ssl2 hello disabled.  Tested with tstclnt, as curl does not enable tls 1.1+.

tstclnt -d /etc/pki/nssdb/ -h api.mercadolibre.com -p 443 -o -V ssl3:tls1.2
Comment 13 Tomas Mraz 2014-01-24 10:36:48 UTC 
As the curl_setopt workaround I posted does not work it seems that it is really compiled against nss even in his case, so this is definitely not an openssl problem. I'm not saying that wget+openssl works though.
Comment 14 Nathan Kinder 2015-10-09 19:34:26 UTC 
This has been shown to work with NSS in the comments mentioned in the bug.  In addition, there has not been a reproducer provided that shows that this fails with NSS.  This bug is no quite old, and we can't go any further on it with more information.  Closing this as CANTFIX.  If this is still a problem and there is a reproducer, it can be reopened.