Bug 295367 - dev-libs/openssl-0.9.8l breaks dev-lang/php-5.2.11 soap local_cert option
Summary: dev-libs/openssl-0.9.8l breaks dev-lang/php-5.2.11 soap local_cert option
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: PHP Bugs
Depends on:
Reported: 2009-12-01 20:41 UTC by Matthew Schultz
Modified: 2010-12-27 23:03 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---

Description Matthew Schultz 2009-12-01 20:41:13 UTC
I have an application that uses the php soap client with the local_cert (pem file) and passphrase option specified.  It refuses to connect with openssl 0.9.8l but will connect fine with openssl 0.9.8k.  I think this is related to disabling renegotiation in the new openssl but I'm not sure.  Is there a patch/USE flag that could be made to work around this issue in openssl?

Reproducible: Always

Actual Results:  
php cannot connect to soap service or shows "Error fetching http headers".

Expected Results:  
php should connect to this service.

emerge --info
Portage (default/linux/x86/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.31-gentoo-r6 i686)
System uname: Linux-2.6.31-gentoo-r6-i686-Genuine_Intel-R-_CPU_T2300_@_1.66GHz-with-gentoo-2.0.1
Timestamp of tree: Tue, 01 Dec 2009 09:45:01 +0000
app-shells/bash:     4.0_p28
dev-java/java-config: 1.3.7-r1, 2.1.9-r1
dev-lang/python:     2.4.4-r13, 2.5.4-r3, 2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.5.2-r2
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.30-r1
CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
FEATURES="distlocks fixpackages metadata-transfer parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://portage.home "
LINGUAS="en ru"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/usr/local/portage/layman/sunrise /usr/local/portage"
USE="X a52 aac acl acpi adns ads alsa apache2 async audiofile automount avi bcmath bdf berkdb bluetooth bzip2 cairo calendar caps cddb cdparanoia cdr cjk clamav cli cracklib crypt ctype cups curl curlwrappers dbi dbus directfb djvu dri dts dvb dvd dvdnav dvdread encode exif expat fam fbcon ffmpeg flac foomaticdb fortran ftp gd gdbm gif git glib gmp gnutls gpm gstreamer gtk gtk2 hal hash hpn iconv icu imagemagick imap imlib innodb ipv6 java javascript jpeg jpeg2k json kde kipi kson kvm lcms ldap ldap-sasl live logrotate lzo mad matroska mcal mhash mime mjpeg mmap mmx mmxext mng modules mp2 mp3 mp4 mpeg mplayer msession msn mssql mudflap mysql mysqli mythtv ncurses network nls nptl nptlonly nsplugin nss ntfs offensive ofx ogg openal opengl openmp osc oss pam passwordsave pch pcntl pcre pdf pdo perl php png posix ppds pppd python qt3 qt3support qt4 quicktime readline reflection reiserfs resolvconf rtc samba sasl sdl seamonkey session simplexml soap sockets spell spl sql sqlite sse sse2 ssl subversion suexec suhosin svg swat sysfs syslog tcpd theora threads thumbnail tidy tiff tokenizer transcode truetype unicode usb v4l v4l2 vcd vorbis wddx webkit win32codecs winbind wxwindows x264 x86 xcb xcomposite xforms xine xinerama xml xorg xpm xsl xv xvid xvmc zip zlib" ALSA_CARDS="hda-intel ens1371" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack 
vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en ru" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel i810 vesa"
Comment 1 SpanKY gentoo-dev 2009-12-01 22:20:43 UTC
You should make sure the cert isn't using the MD2 digest. If it is, then your cert is broken and you need to generate a new one.
Comment 2 Matthew Schultz 2009-12-01 22:41:37 UTC
How do I verify which digest was used on the pem file?  I read several bits of data from it but I don't see anything referencing the digest used.   Some info on the cert:

Signature Algorithm: sha1WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
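An added check, not code from this bug or from the PHP or OpenSSL projects: a stdlib-only Python script that reads the signatureAlgorithm OID directly out of a PEM certificate (the same information as the "Signature Algorithm" line comment 2 quotes from openssl x509) and flags the MD2/MD5 case that comment 1 warns about. The certificate it parses is constructed inline as a structural stand-in and is not a real certificate.

```python
import base64
SIG_OIDS = {  # RSA signature AlgorithmIdentifier OIDs; True marks a digest considered broken
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}
def tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Encoded OID bytes -> dotted string (first byte is 40*arc1+arc2, rest base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """(name, is_weak) of a PEM cert's signatureAlgorithm, 2nd element of the Certificate SEQUENCE."""
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    _, pos, _ = tlv(der, 0)                  # enter the Certificate SEQUENCE
    _, _, pos = tlv(der, pos)                # skip tbsCertificate entirely
    _, pos, _ = tlv(der, pos)                # enter signatureAlgorithm SEQUENCE
    tag, start, end = tlv(der, pos)          # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = decode_oid(der[start:end])
    return SIG_OIDS.get(oid, (oid, False))

def der_encode(tag, body):                   # tiny DER encoder (short/long length), sample only
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def sample_cert(sig_oid):
    """Constructed, NOT a real cert: padded TBS placeholder (long-form length), alg, dummy BIT STRING."""
    alg = der_encode(0x30, der_encode(0x06, sig_oid) + b"\x05\x00")   # OID + NULL params
    tbs = der_encode(0x30, b"\x02\x01\x01" + alg + der_encode(0x04, b"\x00" * 200))
    der = der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" * 17))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
MD2_RSA = bytes.fromhex("2a864886f70d010102")    # 1.2.840.113549.1.1.2
SHA1_RSA = bytes.fromhex("2a864886f70d010105")   # 1.2.840.113549.1.1.5
```

Point signature_algorithm() at the contents of a real PEM file to get the same answer as the openssl x509 output above; an unknown OID is returned in dotted form rather than guessed at.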
Comment 3 Matthew Schultz 2009-12-01 22:51:28 UTC
OK, so judging by this data, the SHA1 digest was used when the cert was generated. So this has nothing to do with MD2, but cleaning openssl-0.9.8k will definitely be a problem, as there currently does not seem to be any other remedy for this issue right now.
Comment 4 Tomas Hoger 2009-12-02 07:38:57 UTC
What openssl version runs on the server?  Is client certificate required by the server globally?
Comment 5 Matthew Schultz 2009-12-02 16:24:24 UTC
(In reply to comment #4)
> What openssl version runs on the server?  Is client certificate required by the
> server globally?

The server is running Windows.  The cert was generated with Win32OpenSSL_Light-0_9_8j.exe which I assume is a Windows port of openssl 0.9.8j.  Here are examples of the commands used to generate the cert:

openssl genrsa -out certs\test-private.key 2048

openssl req -new -x509 -days 3650 -key certs\test-private.key -out certs\test-public.pem -outform pem -config openssl.cfg

openssl x509 -in certs\test-public.pem -inform pem -out certs\test-public.der -outform der

AFAIK, the cert is only used for communication with the soap service running on the Windows server.  My machine is a Gentoo machine trying to communicate with the Windows machine running IIS.
Comment 6 Jakub Wasielewski 2009-12-18 00:17:53 UTC
The same problem here. I'm trying to communicate with soap server running Microsoft IIS. I had openssl-0.9.8l-r2. I started to investigate the problem, tried /usr/bin/GET from dev-perl/libwww-perl, tried wget, tried fopen from PHP/5.2.11-r1 and PHP/5.2.10-r2, firefox and curl with gnutls not openssl... and only curl and FF worked. Downgrading to openssl-0.9.8k solved the problem.

Here is a sample URL for testing:
Comment 7 Jordan Raub 2010-01-25 00:11:34 UTC
I am also having this problem; it is reproducible on the command line with openssl via

openssl s_client -connect -state -nbio -cert certificate.pem

This call just hangs after sending headers

GET /service?wsdl HTTP/1.1

The output is:

read R BLOCK
SSL3 alert write:warning:close notify

from using curl a trace gives this:

== Info: SSLv3, TLS handshake, Hello request (0):
<= Recv SSL data, 4 bytes (0x4)
0000: 00 00 00 00                                     ....
== Info: Empty reply from server
== Info: Connection #0 to host left intact
== Info: Closing connection #0
== Info: SSLv3, TLS alert, Client hello (1):
=> Send SSL data, 2 bytes (0x2)
0000: 01 00
Comment 8 Jordan Raub 2010-01-25 23:19:52 UTC
After further research it seems as though the problem is the fact that the application I am working with ends up having to renegotiate for SSLv3. This is what the openssl changelog says:

Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]

  *) Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all
     renegotiation. Renegotiation can be re-enabled by setting
     run-time. This is really not recommended unless you know what
     you're doing.
     [Ben Laurie]

So, from my understanding in my case, this is not a bug.

Comment 9 SpanKY gentoo-dev 2010-03-05 21:43:54 UTC
you can try openssl-0.9.8m to see if it behaves any better
Comment 10 Ole Markus With (RETIRED) gentoo-dev 2010-12-27 23:03:23 UTC
Response timeout. Please reopen if this problem has not gone away.