registry team mailing list archive
Message #29825
Re: [Bug 592442] Re: fopen fails on some SSL urls
On Wed, Dec 01, 2010 at 01:25:37AM -0000, Clint Byrum wrote:
> So initial testing shows that this is actually a problem with OpenSSL,
> or at least, it is OpenSSL refusing to connect to these servers:
>
> (natty-amd64)root@clint-MacBookPro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix# openssl s_client -host cas.ucdavis.edu -port 443
> CONNECTED(00000003)
> 1787:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:602:
> (natty-amd64)root@clint-MacBookPro:/home/clint/pkg/php5/bzr/natty-php-ssl-fix# openssl s_client -host server.db.kvk.nl -port 443
> CONNECTED(00000003)
> 1788:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:602:
Note that if you force openssl to use ssl3 via -ssl3, a successful
connection is made. However, both warn of a self-signed certificate in
the chain, though it appears to be the top level certificate:
$ openssl s_client -host server.db.kvk.nl -port 443 -ssl3
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=NL/ST=Utrecht/L=Woerden/O=Kamer van Koophandel Nederland/OU=Technisch Beheer/CN=SERVER.DB.KVK.NL
i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
(server.db.kvk.nl's certificate is signed by Equifax, not Verisign.)
But perhaps the self-signed certificate thing is a red herring, as on
hardy (0.9.8g-4ubuntu3.12) and lucid (0.9.8k-7ubuntu8.4), at least,
connecting works, but still gives the warning.
--
Steve Beattie
<sbeattie@xxxxxxxxxx>
http://NxNW.org/~steve/
--
fopen fails on some SSL urls
https://bugs.launchpad.net/bugs/592442
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for php.
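
The two s_client failures quoted in the message carry packed OpenSSL error codes (140773F2 and 1407741A). As an added example (not part of the original message or of OpenSSL), the following Python decodes such lines, assuming the library/function/reason bit layout used by OpenSSL releases before 3.0; the function names and the alert subset are choices made for this illustration.

```python
import re

# Constructed sample input: the two s_client error lines quoted in the message.
SAMPLE = (
    "CONNECTED(00000003)\n"
    "1787:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert unexpected message:s23_clnt.c:602:\n"
    "1788:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:"
    "tlsv1 alert decode error:s23_clnt.c:602:\n"
)

ERR_LIB_SSL = 20             # library number behind "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = offset + TLS alert description
# Subset of TLS alert descriptions, enough for this illustration.
ALERTS = {10: "unexpected_message", 40: "handshake_failure",
          50: "decode_error", 70: "protocol_version"}

LINE_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")


def decode_error_line(line):
    """Unpack one error-queue line; return None if it is not one.

    Assumes the pre-3.0 packing: lib (8 bits) | func (12 bits) | reason (12 bits).
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pid, code_hex, lib_txt, func_txt, reason_txt, src, src_line = m.groups()
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    # SSL reasons above the offset encode an alert received from the peer.
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"pid": int(pid), "lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": ALERTS.get(alert),
            "function": func_txt, "text": reason_txt,
            "source": f"{src}:{src_line}"}


def decode_log(text):
    """Decode every error-queue line in s_client output, skipping the rest."""
    return [d for d in map(decode_error_line, text.splitlines()) if d]


if __name__ == "__main__":
    for entry in decode_log(SAMPLE):
        print(entry)
```

Both reason codes decode to values above the alert offset (alerts 10 and 50), which helps when triaging similar handshake failures from logs.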