[SOLVED]Bad OpenSSL cause 503/500 error in FastCGI/PHP-FPM curl with compiled additional php-5.6

Discussion in 'ISPConfig 3 Priority Support' started by StefanoBertoli, May 21, 2018.

  1. Hi, as I wrote I have an error executing this code:
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/");
    curl_setopt($ch, CURLOPT_CAINFO, 'cacert.pem');
    // Some environments may be capable of TLS 1.2 but it is not in their list of defaults so need the SSL version option to be set.
    curl_setopt($ch, CURLOPT_SSLVERSION, 6); // 6 = CURL_SSLVERSION_TLSv1_2
    // Perform the request and print whatever came back (the step that crashes under FastCGI/PHP-FPM).
    echo curl_exec($ch);
    echo "\n";
    curl_close($ch);
    This breaks both PHP-5.6 running as FastCGI and as PHP-FPM.
    Running the vhost under mod_php, the call works (using the default Debian 9 PHP version, 7).
    Error log shown trying with Fast-CGI:
    [Mon May 21 18:57:07.259425 2018] [fcgid:warn] [pid 437] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:55437] mod_fcgid: error reading data from FastCGI server
    [Mon May 21 18:57:07.259504 2018] [core:error] [pid 437] [client xxx.xxx.xxx.xxx:55437] End of script output before headers: ssl.php
    Error log shown trying with PHP-FPM:
    [Mon May 21 18:56:20.867156 2018] [proxy_fcgi:error] [pid 32685] [client xxx.xxx.xxx.xxx:55262] AH01067: Failed to read FastCGI header
    [Mon May 21 18:56:20.867221 2018] [proxy_fcgi:error] [pid 32685] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:55262] AH01075: Error dispatching request to :
    I cannot figure out how to solve it.
  2. CURL VERSION: { "version_number": 472065, "age": 3, "features": 4179869, "ssl_version_number": 0, "version": "7.52.1", "host": "x86_64-pc-linux-gnu", "ssl_version": "OpenSSL\/1.0.1t", "libz_version": "1.2.8", "protocols": [ "dict", "file", "ftp", "ftps", "gopher", "http", "https", "imap", "imaps", "ldap", "ldaps", "pop3", "pop3s", "rtmp", "rtsp", "scp", "sftp", "smb", "smbs", "smtp", "smtps", "telnet", "tftp" ] }

    It seems my OpenSSL version is enough (1.0.1t):
    Any idea?
  3. till (Super Moderator, Staff Member, ISPConfig Developer)

  4. Yes I used that one.

    Which is the maximum version of OpenSSL that can be used with php-5.6.36?
    I suppose that I should put some --enable-1.2 or similar when I recompile OpenSSL, but I didn't find any information about it. Do you know the right way to enable it?
  5. till (Super Moderator, Staff Member, ISPConfig Developer)

    I don't know. I haven't tried different versions; I just know that it does not work with the version that ships with Debian 9.

    Sorry, I'm just an OpenSSL user as well and not an expert. Did you try to get a list of all compile options with ./configure --help or similar?
  6. I made some tests: executing a curl without "https://" works.
    It seems that enabling https:// crashes everything... I checked error.log but nothing there explains it. I don't know if curl or OpenSSL write some log that I can inspect.
  7. till (Super Moderator, Staff Member, ISPConfig Developer)

    And when you leave out curl_setopt($ch, CURLOPT_SSLVERSION, 6); or set a different (lower) TLS version? Or do you block all lower TLS versions?
  8. I tried version 4 but without luck. Now I am recompiling OpenSSL 1.0.2o and will try again.
    Perhaps, what I can think of is: could there be a permission problem loading cacert by the user of the vhost?
    I have the cert in the web folder, the same folder as the PHP page calling curl. Which user is loading cacert, the webX/clientX user or www-data:www-data?
  9. SOLVED!
    I read on the OpenSSL site that version 1.0.1 is not supported anymore. It could be that there is no backward compatibility, or no compatibility anymore, between php-5.6 or cURL 7.52 and that version.
    I recompiled a different version of OpenSSL, 1.0.2o, which is their LTS release. All works flawlessly.
    The Debian 9 version:
    # /usr/bin/openssl version
    OpenSSL 1.1.0f  25 May 2017
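    A diagnostic version of the probe from post 1, added here as an example and not code from the thread or from ISPConfig: it reports which SSL library PHP's cURL is linked against and whether it is the 1.0.2 series this thread found working, checks that the CA bundle is readable by the user the PHP worker actually runs as (the question from post 8), and runs the TLS 1.2 request reporting curl_error() instead of a bare echo. The cacert.pem path next to the script and the 1.0.2 threshold are assumptions taken from this thread.

```php
<?php
// Added example (not from the thread). Diagnoses the TLS 1.2 probe from post 1
// before running it: which SSL library cURL uses, whether the CA bundle is
// readable by the PHP worker's user, and what cURL itself reports on failure.
// Written for PHP 5.6 (no scalar type hints), the version the thread is about.
function sslBackend() {
    $v = curl_version();                      // e.g. 'ssl_version' => 'OpenSSL/1.0.2o'
    $is102 = null;                            // null = not OpenSSL (GnuTLS, NSS, ...)
    if (preg_match('#^OpenSSL/(\d+\.\d+\.\d+)#', $v['ssl_version'], $m)) {
        // 1.0.2.x is what this thread found working with self-compiled PHP 5.6;
        // 1.0.1t and Debian 9's 1.1.0f both produced the FastCGI crash.
        $is102 = ($m[1] === '1.0.2');
    }
    return array('curl' => $v['version'], 'ssl' => $v['ssl_version'], 'is102' => $is102);
}

function caBundleStatus($caFile) {
    // The bundle is opened by the PHP worker (php-fpm pool user / fcgid user),
    // not by Apache's own user, so report who that actually is.
    $who = function_exists('posix_geteuid') ? posix_getpwuid(posix_geteuid())['name'] : 'unknown';
    return (is_readable($caFile) ? 'readable' : 'NOT readable') . " by '$who': $caFile";
}

function probeTls12($url, $caFile) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,  // the literal 6 in post 1
        CURLOPT_TIMEOUT        => 15,
    ));
    $body = curl_exec($ch);
    $out = array(
        'ok'    => $body !== false,
        'http'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'error' => curl_error($ch),                         // e.g. "SSL connect error"
        'body'  => $body === false ? '' : trim(substr($body, 0, 120)),
    );
    curl_close($ch);
    return $out;
}

// Usage: URL from post 1; cacert.pem next to the script, as in post 8 (assumed path).
$b = sslBackend();
printf("cURL %s, SSL %s, OpenSSL 1.0.2 series: %s\n", $b['curl'], $b['ssl'],
       $b['is102'] === null ? 'n/a' : ($b['is102'] ? 'yes' : 'NO'));
echo caBundleStatus(__DIR__ . '/cacert.pem'), "\n";
print_r(probeTls12('https://tlstest.paypal.com/', __DIR__ . '/cacert.pem'));
```

    Run it through the same PHP-FPM pool or FastCGI wrapper as the failing vhost, since the SSL backend and the effective user differ from those of the command-line php binary.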
  10. micp (New Member)

    Thank you very much for your search and suggestion to install OpenSSL 1.0.2. I got 1.0.2s for now.
    I had 500-503 errors when testing from browsers with https (not http).
    Not all the time, but when refreshing after a while of no activity.
    After 2 refreshes, it came again with a 400.
    That is, it is a fresh ISPConfig install from here:
    followed by :
    I think 1.0.2 should be in the tutorials in place of 1.0.1x.
    Thanks again.