ius-coredev team mailing list archive

Thread
Date
[Bug 1446633] Re: SSL problem with PHP 5.6.7&.8 and Horde_Imap_Client

To: ius-coredev@xxxxxxxxxxxxxxxxxxx
From: bharper <1446633@xxxxxxxxxxxxxxxxxx>
Date: Wed, 22 Apr 2015 21:08:25 -0000
Reply-to: Bug 1446633 <1446633@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Hey Ralf,

Thanks for the clarification.

I got looking at the differences in the Fedora spec file and ours.  For
the most part they are very similar, as we use theirs as a starting
point.  They use a new compile option, '--with-system-ciphers'. Here is
the change log entry:

* Fri Oct 03 2014 Remi Collet <remi@xxxxxxxxxxxxxxxxx> 5.6.1-1
- Update to PHP 5.6.1
  http://php.net/releases/5_6_1.php
- use default system cipher list by Fedora policy
  http://fedoraproject.org/wiki/Changes/CryptoPolicy 

If I blacklist the cipher (RC4-SHA) used for  imap.ikmj.com within/etc
/crypto-policies/back-ends/openssl.config, I get the following:

$ time php ssl_test.php 
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
2 LOGOUT

real    0m30.900s
user    0m0.031s
sys     0m0.023s

Return the configuration back to stock, I get the following:

$ time php ssl_test.php 
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
2 LOGOUT

real    0m0.996s
user    0m0.031s
sys     0m0.017s


So I am wondering if the cipher is to blame for our packages.  Seeing that the crypto-policies package is not in RHEL yet, I don't think using the '--with-system-ciphers' option is a good idea.  If the '--with-system-ciphers' is not used, a hard coded list will be used.  The IUS packages do not change that list and I would be hesitant to make changes to it.  

Are you talking with the devs on a mailing list?

-- 
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1446633

Title:
  SSL problem with PHP 5.6.7&.8 and Horde_Imap_Client

Status in IUS Community Project:
  New

Bug description:
  I created a simple example code reproducing the problem Horde or
  EGroupware:

  <?php
  $timeout = 30;
  $context = array(
      'ssl' => array(
          'verify_peer' => false,
          'verify_peer_name' => false
      )
  );
  if (($fp = stream_socket_client(
          $conn='ssl://imap.ikmj.com:993',
          $errno,
          $errstr,
          $timeout,
          STREAM_CLIENT_CONNECT,
          stream_context_create($context)
      )))
  {
      echo "Connected to $conn\n";
      echo fgets($fp);

      echo "1 CAPABILITY\n";
      fwrite($fp, "1 CAPABILITY\n");
      echo fgets($fp);
      echo "2 LOGOUT\n";
      fwrite($fp, "2 LOGOUT\n");
  }
  else var_dump($errno, $errstr);

  Running it on various IUS PHP versions gives following results:
  [root@lighttpd ~]# php -v
  PHP 5.4.39 (cli) (built: Mar 20 2015 08:10:43)
  Copyright (c) 1997-2014 The PHP Group
  Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
  [root@lighttpd ~]# php imaps_php56.php
  Connected to ssl://imap.ikmj.com:993
  * OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
  1 CAPABILITY
  * CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS
  UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
  2 LOGOUT

  [root@fpm60 ~]# php -v
  PHP 5.5.23 (cli) (built: Mar 20 2015 08:29:54)
  Copyright (c) 1997-2015 The PHP Group
  Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
      with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend
  Technologies
  [root@fpm60 ~]# php imaps_php56.php
  Connected to ssl://imap.ikmj.com:993
  * OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
  1 CAPABILITY
  * CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS
  UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
  2 LOGOUT

  [dev@coreos-control ~]$ php -v
  PHP 5.6.7 (cli) (built: Mar 25 2015 13:08:46) 
  Copyright (c) 1997-2015 The PHP Group
  Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
      with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend Technologies
  [dev@coreos-control ~]$ php imaps_php56.php 
  Connected to ssl://imap.ikmj.com:993
  * OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
  1 CAPABILITY
  ^C
  Hangs until I hit ^C.

  [dev@coreos-control ~]$ php -v
  PHP 5.6.8 (cli) (built: Apr 16 2015 20:02:05) 
  Copyright (c) 1997-2015 The PHP Group
  Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
      with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend Technologies
  [dev@coreos-control ~]$ php imaps_php56.php 
  Connected to ssl://imap.ikmj.com:993
  * OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
  1 CAPABILITY
  ^C
  Hangs until I hit ^C.

  While I first suspected a further case of SSL timeout bug we had in 5.5 and 5.6 a couple of packages back, I also talked to Remi Collet who reported the previous problem to php internals ML and maintains PHP in Fedora. 
  Hi could NOT reproduce it on various PHP & Fedora versions:

  $ php56 /tmp/foo.php
  Running PHP 5.6.8
  Connected to ssl://imap.ikmj.com:993
  * OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
  1 CAPABILITY
  * CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS
  UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
  2 LOGOUT

  Hi just run more tests
  - Fedora 21 and openssl 1.0.1k
  - RHEL-6 and RHEL-7, openssl 1.0.1e
  - PHP 5.4.40, 5.5.24, 5.6.8 and 7.0.0-dev (20150418)

  So it appears to me that there must be some difference in patches or
  spec file or IUS and Fedora which causes the problem with IUS PHP 5.6
  packages.

  Ralf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ius/+bug/1446633/+subscriptions
References

[Bug 1446633] [NEW] SSL problem with PHP 5.6.7&.8 and Horde_Imap_Client
From: RalfBecker, 2015-04-21