[SOLVED]Bad OpenSSL cause 503/500 error in FastCGI/PHP-FPM curl with compiled additional php-5.6

Discussion in 'ISPConfig 3 Priority Support' started by StefanoBertoli, May 21, 2018.

  1. StefanoBertoli

    StefanoBertoli Member HowtoForge Supporter

    Hi, as I wrote I have an error executing this code:
    Code:
    $ch = curl_init();
    
    curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/");
    curl_setopt($ch, CURLOPT_CAINFO, 'cacert.pem');
    
    // Some environments may be capable of TLS 1.2 but it is not in their list of defaults so need the SSL version option to be set.
    curl_setopt($ch, CURLOPT_SSLVERSION, 6);
    
    curl_exec($ch);
    echo "\n";
    This broke down both PHP-5.6 run in Fast-CGI and PHP-FPM
    Executing the vhost under Mod-PHP the call will work (using default Debian 9 PHP version: 7)
    Error log shown trying with Fast-CGI:
    Code:
    [Mon May 21 18:57:07.259425 2018] [fcgid:warn] [pid 437] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:55437] mod_fcgid: error reading data from FastCGI server
    [Mon May 21 18:57:07.259504 2018] [core:error] [pid 437] [client xxx.xxx.xxx.xxx:55437] End of script output before headers: ssl.php
    
    Error log shown trying with PHP-FPM:
    Code:
    [Mon May 21 18:56:20.867156 2018] [proxy_fcgi:error] [pid 32685] [client xxx.xxx.xxx.xxx:55262] AH01067: Failed to read FastCGI header
    [Mon May 21 18:56:20.867221 2018] [proxy_fcgi:error] [pid 32685] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:55262] AH01075: Error dispatching request to :
    
    I cannot figure out how to solve it
    Thanks
    Stefano
     
  2. StefanoBertoli

    StefanoBertoli Member HowtoForge Supporter

    CURL VERSION: { "version_number": 472065, "age": 3, "features": 4179869, "ssl_version_number": 0, "version": "7.52.1", "host": "x86_64-pc-linux-gnu", "ssl_version": "OpenSSL\/1.0.1t", "libz_version": "1.2.8", "protocols": [ "dict", "file", "ftp", "ftps", "gopher", "http", "https", "imap", "imaps", "ldap", "ldaps", "pop3", "pop3s", "rtmp", "rtsp", "scp", "sftp", "smb", "smbs", "smtp", "smtps", "telnet", "tftp" ] }

    Seems my openssl version is enought (1.0.1t):
    https://support.shopgate.com/hc/en-...-I-upgrade-my-SSL-library-to-support-TLS-1-2-
    Any Idea?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. StefanoBertoli

    StefanoBertoli Member HowtoForge Supporter

    Yes I used that one.

    Which is the maximum version of openssl can be used with php-5.6.36?
    I suppose that I should put some --enable-1.2 or similar when I will recompile openssl but I didn't found any information about it. May you know which is the right way to enable it?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't know., I haven't tried different versions I just know that it does not work with the version that ships with Debian 9.

    Sorry, I'm just an openssl user as well and not expert. Did you try to get a list of all compile options with ./configure --help or similar?
     
  6. StefanoBertoli

    StefanoBertoli Member HowtoForge Supporter

    I made some test: executing a curl without "https://" it work.
    It seems that enabling https:// crash all... I check error.log bou nothing that can explain. I don't know if curl or openssl write some log where I can inspect.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    And when you leave out curl_setopt($ch, CURLOPT_SSLVERSION, 6); or set a different (lower) TLS version? Or do you block all lower TLS versions?
     
  8. StefanoBertoli

    StefanoBertoli Member HowtoForge Supporter

    I tried version 4 but without luck, Now i recompiling openssl with 1.0.2o and I will try anymore.
    Perhaps, what I can think is: Can be any permission problem loading cacert by the user of vhost?
    I have the cert in the web folder, the same folder of the php page callig curl. which is the user is loading cacert? the webX/clientX user or www-data:www-data?
     
  9. StefanoBertoli

    StefanoBertoli Member HowtoForge Supporter

    SOLVED!
    I read on OpenSSL site that version 1.0.1 is not yet supported. Could be there is no back compatibility or no more compatibility between php-5.6 or CURL 7.52 and that version.
    I had recompiled a different version of openssl, 1.0.2o that is their LTS program. All work flawless.
    The debian 9 version:
    Code:
    # /usr/bin/openssl version
    OpenSSL 1.1.0f  25 May 2017
    Thanks
     
    till likes this.

Share This Page