Hide Forgot
Description of problem: PHP-SOAP calls to HTTPS resources cause network timeout. Version-Release number of selected component (if applicable): php-5.3.3-26.el6 has the issue, php-5.3.3-23.el6_4 does not. How reproducible: Every time. Steps to Reproduce: 1. Run php soap_test.php with 5.3.3-26.el6 or greater installed. Actual results: Line with "ping elapsed" reports more than 10 seconds. "$pingresult is not set" SOAPFAULT FAULTSTRING: Could not connect to host Expected results: Line with "ping elapsed" reports less than 10 seconds. Output contains the string "Ping OK" Additional info: The following curl_* based php script works on any version. <?php $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'https://identify.insightgateways.com/identify/v1_0/Identify'); curl_setopt($ch, CURLOPT_HTTPHEADER, array('User-Agent: PHP-SOAP/5.4.22', 'Content-Type: text/xml; charset=utf-8', 'SOAPAction: ""')); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_TIMEOUT, 5); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); $soap = new SimpleXMLElement('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://webservice.identify.acxiom.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Body><ns1:ping></ns1:ping></SOAP-ENV:Body></SOAP-ENV:Envelope>'); curl_setopt($ch, CURLOPT_POSTFIELDS, $soap->asXML()); $result = curl_exec($ch); curl_close($ch); print $result;
Created attachment 836357 [details] Minimal identify.wsdl
Can you please add the "soap_test.php" ?
Created attachment 836373 [details] Minimal php test file. Apologies. I marked this for attachment when I created the bug. I guess it didn't make it.
From a quick test, same connection issue with latest PHP 5.5.7 (tested under Fedora 19) Adding to connect option: 'ssl_method' => SOAP_SSL_METHOD_SSLv3, seems to work. Can you please confirm with php-5.3.3-27 ?
The 'ssl_method' parameter was added in 5.5; it will not work in 5.3.
* more PHP tests: php-5.3.3-23.el6_4.x86_64 + openssl-1.0.1e-15.el6.x86_64 none very long timeout php-5.3.3-23.el6_4.x86_64 + openssl-1.0.0-27.el6_4.2.x86_64 none OK php-5.3.3-26.el6.x86_64 + openssl-1.0.1e-15.el6.x86_64 none very long timeout php-5.3.3-26.el6.x86_64 + openssl-1.0.0-27.el6_4.2.x86_64 none OK So, I think there is no regression in PHP. * From www.ssllabs.com analysis: Handshake Simulation OpenSSL 0.9.8y TLS 1.0 TLS_RSA_WITH_RC4_128_MD5 (0x4) No FS 128 OpenSSL 1.0.1e Protocol or cipher suite mismatch Fail3 * Test using openssl command; $ rpm -q openssl openssl-1.0.1e-16.el6_5.1.x86_64 $ openssl s_client -connect identify.insightgateways.com:443 -debug CONNECTED(00000003) write to 0x1006ed0 [0x1027e60] (263 bytes => 263 (0x107)) 0000 - 16 03 01 01 02 01 00 00-fe 03 03 52 ae b0 21 79 ...........R..!y 0010 - 26 99 ad 9c 90 1e cb fd-7c 7b d7 de d9 bb be 64 &.......|{.....d 0020 - cf 38 30 dd 4b 8c 8c 0d-cc 1e 14 00 00 94 c0 30 .80.K..........0 0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a3 00 9f 00 6b .,.(.$.........k 0040 - 00 6a 00 39 00 38 00 88-00 87 c0 32 c0 2e c0 2a .j.9.8.....2...* 0050 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 12 .&.......=.5.... 0060 - c0 08 00 16 00 13 c0 0d-c0 03 00 0a c0 2f c0 2b ............./.+ 0070 - c0 27 c0 23 c0 13 c0 09-00 a2 00 9e 00 67 00 40 .'.#.........g.@ 0080 - 00 33 00 32 00 9a 00 99-00 45 00 44 c0 31 c0 2d .3.2.....E.D.1.- 0090 - c0 29 c0 25 c0 0e c0 04-00 9c 00 3c 00 2f 00 96 .).%.......<./.. 00a0 - 00 41 00 07 c0 11 c0 07-c0 0c c0 02 00 05 00 04 .A.............. 00b0 - 00 15 00 12 00 09 00 14-00 11 00 08 00 06 00 03 ................ 00c0 - 00 ff 01 00 00 41 00 0b-00 04 03 00 01 02 00 0a .....A.......... 00d0 - 00 06 00 04 00 18 00 17-00 23 00 00 00 0d 00 22 .........#....." 00e0 - 00 20 06 01 06 02 06 03-05 01 05 02 05 03 04 01 . .............. 00f0 - 04 02 04 03 03 01 03 02-03 03 02 01 02 02 02 03 ................ 0100 - 01 01 00 0f 00 01 01 ....... ===> very long time read from 0x1006ed0 [0x102d3c0] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF)) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 263 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---
It seems there is a problem on the server side, when it receives client hello from openssl-1.0.1e, the server should reply with something. Can you please check the server configuration ?
Unfortunately, I do not manage the server installation in this case, only the client. However, in speaking with the owners of the server, they say that nothing has changed since well before November 27 (when we started seeing the issue).
We are confirming with the remote server manager that nothing has changed. I'll update when I find out more.
I don't say that the server has changed, it just should tolerate the valid client hellos from openssl-1.0.1e or at least send TLS alert message with an error if there is an error in the client hello.
It seems to be related to an F5 device in front of their system. The URL included documents the problem. https://www.imperialviolet.org/2013/10/07/f5update.html
*** This bug has been marked as a duplicate of bug 1044446 ***