Ubuntu
php5 package

Bug #592442
Comment #14

Comment 14 for bug 592442

Revision history for this message

Steve Beattie (sbeattie) wrote on 2010-12-01: Re: [Bug 592442] Re: fopen fails on some SSL urls

#14

On Wed, Dec 01, 2010 at 01:25:37AM -0000, Clint Byrum wrote:
> So initial testing shows that this is actually a problem with OpenSSL,
> or at least, it is OpenSSL refusing to connect to these servers:
>
> (natty-amd64)root@clint-MacBookPro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix# openssl s_client -host cas.ucdavis.edu -port 443
> CONNECTED(00000003)
> 1787:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:602:
> (natty-amd64)root@clint-MacBookPro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix# openssl s_client -host server.db.kvk.nl -port 443
> CONNECTED(00000003)
> 1788:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:602:

Note that if you force openssl to use ssl3 via -ssl3, a successful
connection is made. However, both warn of a self-signed certificate in
the chain, though it appears to be the top level certificate:

$ openssl s_client -host server.db.kvk.nl -port 443 -ssl3
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=NL/ST=Utrecht/L=Woerden/O=Kamer van Koophandel Nederland/OU=Technisch Beheer/CN=SERVER.DB.KVK.NL
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

(server.db.kvk.nl's certificate is signed by Equifax, not Verisign.)

But perhaps the self-signed certificate thing is a red-herring, as on
hardy (0.9.8g-4ubuntu3.12) and lucid (0.9.8k-7ubuntu8.4), at least,
connecting works, but still gives the warning.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

On Wed, Dec 01, 2010 at 01:25:37AM -0000, Clint Byrum wrote:
> So initial testing shows that this is actually a problem with OpenSSL,
> or at least, it is OpenSSL refusing to connect to these servers:
> 
> (natty-amd64)root@clint-MacBookPro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix# openssl s_client -host cas.ucdavis.edu -port 443 
> CONNECTED(00000003)
> 1787:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:602:
> (natty-amd64)root@clint-MacBookPro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix# openssl s_client -host server.db.kvk.nl -port 443
> CONNECTED(00000003)
> 1788:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:602:

Note that if you force openssl to use ssl3 via -ssl3, a successful
connection is made. However, both warn of a self-signed certificate in
the chain, though it appears to be the top level certificate:

$ openssl s_client -host server.db.kvk.nl -port 443 -ssl3
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=NL/ST=Utrecht/L=Woerden/O=Kamer van Koophandel Nederland/OU=Technisch Beheer/CN=SERVER.DB.KVK.NL
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

(server.db.kvk.nl's certificate is signed by Equifax, not Verisign.)

But perhaps the self-signed certificate thing is a red-herring, as on
hardy (0.9.8g-4ubuntu3.12) and lucid (0.9.8k-7ubuntu8.4), at least,
connecting works, but still gives the warning.

-- 
Steve Beattie
<sbeattie@ubuntu.com>
http://NxNW.org/~steve/

Ubuntuphp5 package

Comment 14 for bug 592442

Ubuntu
php5 package