ius-coredev team mailing list archive
Message #05680
[Bug 1446633] Re: SSL problem with PHP 5.6.7&.8 and Horde_Imap_Client
Hey Ralf,
Thanks for the clarification.
I got looking at the differences in the Fedora spec file and ours. For
the most part they are very similar, as we use theirs as a starting
point. They use a new compile option, '--with-system-ciphers'. Here is
the change log entry:
* Fri Oct 03 2014 Remi Collet <remi@xxxxxxxxxxxxxxxxx> 5.6.1-1
- Update to PHP 5.6.1
http://php.net/releases/5_6_1.php
- use default system cipher list by Fedora policy
http://fedoraproject.org/wiki/Changes/CryptoPolicy
If I blacklist the cipher (RC4-SHA) used for imap.ikmj.com within
/etc/crypto-policies/back-ends/openssl.config, I get the following:
$ time php ssl_test.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
2 LOGOUT
real 0m30.900s
user 0m0.031s
sys 0m0.023s
Returning the configuration back to stock, I get the following:
$ time php ssl_test.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
2 LOGOUT
real 0m0.996s
user 0m0.031s
sys 0m0.017s
So I am wondering if the cipher is to blame for our packages. Seeing that the crypto-policies package is not in RHEL yet, I don't think using the '--with-system-ciphers' option is a good idea. If the '--with-system-ciphers' is not used, a hard coded list will be used. The IUS packages do not change that list and I would be hesitant to make changes to it.
Are you talking with the devs on a mailing list?
--
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1446633
Title:
SSL problem with PHP 5.6.7&.8 and Horde_Imap_Client
Status in IUS Community Project:
New
Bug description:
I created a simple example code reproducing the problem in Horde or
EGroupware:
<?php
$timeout = 30;
$context = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false
    )
);
if (($fp = stream_socket_client(
    $conn='ssl://imap.ikmj.com:993',
    $errno,
    $errstr,
    $timeout,
    STREAM_CLIENT_CONNECT,
    stream_context_create($context)
)))
{
    echo "Connected to $conn\n";
    echo fgets($fp);
    echo "1 CAPABILITY\n";
    fwrite($fp, "1 CAPABILITY\n");
    echo fgets($fp);
    echo "2 LOGOUT\n";
    fwrite($fp, "2 LOGOUT\n");
}
else var_dump($errno, $errstr);
Running it on various IUS PHP versions gives the following results:
[root@lighttpd ~]# php -v
PHP 5.4.39 (cli) (built: Mar 20 2015 08:10:43)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
[root@lighttpd ~]# php imaps_php56.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS
UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
2 LOGOUT
[root@fpm60 ~]# php -v
PHP 5.5.23 (cli) (built: Mar 20 2015 08:29:54)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend
Technologies
[root@fpm60 ~]# php imaps_php56.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS
UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
2 LOGOUT
[dev@coreos-control ~]$ php -v
PHP 5.6.7 (cli) (built: Mar 25 2015 13:08:46)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend Technologies
[dev@coreos-control ~]$ php imaps_php56.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
^C
Hangs until I hit ^C.
[dev@coreos-control ~]$ php -v
PHP 5.6.8 (cli) (built: Apr 16 2015 20:02:05)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend Technologies
[dev@coreos-control ~]$ php imaps_php56.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
^C
Hangs until I hit ^C.
While I first suspected a further case of the SSL timeout bug we had in 5.5 and 5.6 a couple of packages back, I also talked to Remi Collet who reported the previous problem to php internals ML and maintains PHP in Fedora.
He could NOT reproduce it on various PHP & Fedora versions:
$ php56 /tmp/foo.php
Running PHP 5.6.8
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS
UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
2 LOGOUT
He just ran more tests:
- Fedora 21 and openssl 1.0.1k
- RHEL-6 and RHEL-7, openssl 1.0.1e
- PHP 5.4.40, 5.5.24, 5.6.8 and 7.0.0-dev (20150418)
So it appears to me that there must be some difference in patches or
spec file of IUS and Fedora which causes the problem with IUS PHP 5.6
packages.
Ralf
To manage notifications about this bug go to:
https://bugs.launchpad.net/ius/+bug/1446633/+subscriptions
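
An added example, not part of the original message or of the IUS or Fedora packages: a variant of the reproduction script that makes the cipher hypothesis above testable by passing an explicit OpenSSL cipher string through the `ciphers` stream context option, printing the negotiated cipher, and bounding every read with a timeout. The default host is a placeholder, the `read_line` helper is hypothetical, and the `crypto` metadata entry is assumed to exist only on PHP versions that expose it.

```php
<?php
// Added diagnostic sketch, not the reporter's script.
// Usage: php tls_cipher_check.php <host> [port] [openssl-cipher-string]
$host    = isset($argv[1]) ? $argv[1] : 'imap.example.org'; // placeholder host
$port    = isset($argv[2]) ? (int) $argv[2] : 993;
$ciphers = isset($argv[3]) ? $argv[3] : null; // e.g. 'DEFAULT:!RC4'

$ssl = array('verify_peer' => true, 'verify_peer_name' => true);
if ($ciphers !== null) {
    $ssl['ciphers'] = $ciphers; // replaces PHP's default list for this connection
}
$ctx = stream_context_create(array('ssl' => $ssl));

$fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    fwrite(STDERR, "TLS connect failed ($errno): $errstr\n");
    exit(1);
}

// Report what was negotiated, when the running PHP exposes it.
$meta = stream_get_meta_data($fp);
if (isset($meta['crypto'])) {
    printf("protocol=%s cipher=%s bits=%d\n", $meta['crypto']['protocol'],
        $meta['crypto']['cipher_name'], $meta['crypto']['cipher_bits']);
} else {
    echo "negotiated cipher not exposed by this PHP version\n";
}

stream_set_timeout($fp, 5); // bound each read so a stalled session cannot hang

// Hypothetical helper: read one line or stop with a clear message.
function read_line($fp) {
    $line = fgets($fp);
    $m = stream_get_meta_data($fp);
    if ($line === false || $m['timed_out']) {
        echo "read timed out or connection closed\n";
        exit(2);
    }
    return $line;
}

echo read_line($fp);              // server greeting
fwrite($fp, "1 CAPABILITY\r\n");  // IMAP commands end in CRLF
echo read_line($fp);              // untagged CAPABILITY response
fwrite($fp, "2 LOGOUT\r\n");
fclose($fp);
```

Running it once with no cipher argument and once with a string that excludes a suspect cipher shows whether the stall follows the cipher list or the PHP build.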