| Summary: | dev-libs/openssl-0.9.8l breaks dev-lang/php-5.2.11 soap local_cert option | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Matthew Schultz <mattsch> |
| Component: | New packages | Assignee: | PHP Bugs <php-bugs> |
| Status: | RESOLVED NEEDINFO | ||
| Severity: | normal | CC: | gentoo-bugs, jordan.raub, thoger |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
|
Description
Matthew Schultz
2009-12-01 20:41:13 UTC
you should make sure the cert isnt using the MD2 digest. if it is, then your cert is broken and you need to generate a new one. How do I verify which digest was used on the pem file? I read several bits of data from it but I don't see anything referencing the digest used. Some info on the cert: Signature Algorithm: sha1WithRSAEncryption Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Ok so judging by this data, SHA1 digest was used when the cert was generated. So this has nothing to do with MD2 but cleaning openssl-0.9.8k will definitely be a problem as there currently does not seem to be any other remedy for this issue right now. What openssl version runs on the server? Is client certificate required by the server globally? (In reply to comment #4) > What openssl version runs on the server? Is client certificate required by the > server globally? > The server is running windows. The cert was generated with Win32OpenSSL_Light-0_9_8j.exe which I assume is a windows port of openssl 0.9.8j. Here are examples of the commands used to generate the cert: openssl genrsa -out certs\test-private.key 2048 openssl req -new -x509 –days 3650 -key certs\test-private.key -out certs\test-public.pem -outform pem -config openssl.cfg openssl x509 -in certs\test-public.pem -inform pem -out certs\test-public.der -outform der AFAIK, the cert is only used for communication with the soap service running on the windows server. My machine is a gentoo machine trying to communicate with the windows machine running IIS. The same problem here. I'm trying to communicate with soap server running Microsoft IIS. I had openssl-0.9.8l-r2. I started to investigate the problem, tried /usr/bin/GET from dev-perl/libwww-perl, tried wget, tried fopen from PHP/5.2.11-r1 and PHP/5.2.10-r2, firefox and curl with gnutls not openssl... and only curl and FF worked. Downgrading to openssl-0.9.8k solved the problem. Here is a sample URL for testing: https://www.multiinfo.plus.pl/SmsGW4/Images/close.gif I am also having this problem it is reproducable on command line openssl via openssl s_client -connect secure.example.com:443 -state -nbio -cert certificate.pem This call just hangs after sending headers GET /service?wsdl HTTP/1.1 Host: secure.example.com The output is: read R BLOCK read:errno=0 SSL3 alert write:warning:close notify from using curl a trace gives this: == Info: SSLv3, TLS handshake, Hello request (0): <= Recv SSL data, 4 bytes (0x4) 0000: 00 00 00 00 .... == Info: Empty reply from server == Info: Connection #0 to host secure.example.com left intact == Info: Closing connection #0 == Info: SSLv3, TLS alert, Client hello (1): => Send SSL data, 2 bytes (0x2) 0000: 01 00 After further research it seems as though the problem is the fact that the application I am working with ends up having to renegotiate for sslv3. This is what the changelog openssl says:
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
*) Disable renegotiation completely - this fixes a severe security
problem (CVE-2009-3555) at the cost of breaking all
renegotiation. Renegotiation can be re-enabled by setting
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
run-time. This is really not recommended unless you know what
you're doing.
[Ben Laurie]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
So, from my understanding in my case, this is not a bug.
Thanks,
Jordan
you can try openssl-0.9.8m to see if it behaves any better Response timeout. Please reopen if this problem has not gone away |
