Forum Discussion

keegan_morrison
Oct 10, 2007

SSL error when connecting with PHP

Hi all. I'm working on writing an interface to display host information on our F5 in our company wiki. I'm trying to set up PHP to connect to the F5, and I'm not having much luck.

I followed the PHP tutorial (http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=69).

Here's my setup:

- Solaris 10 update 3
- PHP 5.2.4 (has SOAP installed)
- curl 7.17.0
- httpd 2.2.4

I have not compiled PHP or Apache with SSL support.

Here's my source code:

<?php
require_once 'SOAP/Client.php';   // PEAR SOAP client

// $username and $password are defined elsewhere in the script (not shown)
$soapoptions = array('namespace' => 'urn:iControl');
$wsdl_url    = 'http://localhost/bigip/iControl/sdk/wsdl/LocalLB.Pool.wsdl';
$proxy_parms = array('user' => $username, 'pass' => $password);
$params      = array();

$client = new SOAP_Client($wsdl_url, true, '', $proxy_parms);
// these two options switch off certificate and hostname verification
$client->setOpt('curl', CURLOPT_SSL_VERIFYPEER, 0);
$client->setOpt('curl', CURLOPT_SSL_VERIFYHOST, 0);

$response = $client->call('get_list', $params, $soapoptions);
if (PEAR::isError($response)) {
    print "an error occurred in the call: ";
    echo $response->message;
}

The error I get when I go to that page is:

curl_exec error 35 error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

When I googled, I didn't find much help. Does anyone know how to fix this? Should I try compiling with SSL support?
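Because the snippet in the post switches both certificate and hostname checking off, here is the same PEAR SOAP get_list call written so that the BIG-IP's certificate is actually verified. This is an added example, not code from the thread or from F5's toolkit. It assumes that PEAR SOAP's curl transport hands every 'curl' option to curl_setopt() (the same path the post's VERIFYPEER/VERIFYHOST calls already rely on), that the WSDL is fetched from the iControlPortal.cgi endpoint Joe mentions rather than from the stock SDK file, and that $hostname, $ca_file and the credential values are placeholders to be filled in.

```php
<?php
// Added example, not from the thread: the post's get_list call with TLS
// verification kept on. Assumes PEAR SOAP's curl transport forwards each
// 'curl' option to curl_setopt(); every host, credential and path value
// below is a placeholder.
require_once 'SOAP/Client.php';

$hostname = 'bigip.example.internal';              // placeholder BIG-IP management address
$username = 'icontrol-ro';                         // placeholder; a read-only iControl account
$password = getenv('ICONTROL_PASS');               // keep the secret out of the script
$ca_file  = '/usr/local/ssl/certs/bigip-ca.pem';   // placeholder: CA that issued the BIG-IP cert

// The stock SDK WSDLs do not carry the BIG-IP endpoint (see Joe's reply);
// asking iControlPortal.cgi for the WSDL yields one whose endpoint is the device.
$wsdl_url    = "https://$hostname/iControl/iControlPortal.cgi?WSDL=LocalLB.Pool";
$soapoptions = array('namespace' => 'urn:iControl');
$proxy_parms = array('user' => $username, 'pass' => $password);

$client = new SOAP_Client($wsdl_url, true, '', $proxy_parms);

// Verify the server certificate against $ca_file and check that its name
// matches $hostname (VERIFYHOST=2) instead of disabling both checks.
$client->setOpt('curl', CURLOPT_SSL_VERIFYPEER, 1);
$client->setOpt('curl', CURLOPT_SSL_VERIFYHOST, 2);
$client->setOpt('curl', CURLOPT_CAINFO, $ca_file);
// Do not fall back to SSLv2 as a workaround for the handshake bug; require TLS.
$client->setOpt('curl', CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

$response = $client->call('get_list', array(), $soapoptions);
if (PEAR::isError($response)) {
    // A verification failure surfaces here as a curl error (e.g. code 60,
    // peer certificate not trusted); the fix is the CA file, not VERIFYPEER=0.
    fwrite(STDERR, "iControl call failed: " . $response->getMessage() . "\n");
    exit(1);
}
foreach ((array) $response as $pool) {
    echo $pool, "\n";
}
```

With verification on, a curl error 60 tells you the BIG-IP's certificate (typically the self-signed one it ships with) is not in $ca_file; export that certificate or its issuing CA into the bundle rather than turning the check off, since the script carries device credentials and would otherwise hand them to any host answering on that address.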
  • I haven't used the php toolkit so I don't know for sure. The one thing that sticks out is that it looks like you are using the wsdl file for the connection endpoint information. If you are using the stock wsdl files in the SDK, they do not have a correct endpoint to the BIG-IP. You'll need to override the endpoint with https://bigip_address/iControl/iControlPortal.cgi.

    You can either update the WSDL file and manually put in your correct endpoint, or with the php library, manually set the value after the load of the WSDL.

    If that's not the case, then I don't know what is... Please let us know when you get it figured out.

    -Joe
  • Edit: This issue has been resolved, please see the bottom of the next post

    Hi Joe,

    I haven't fixed the problem, but I've found something out. I'm still using the local wsdl files, and I think there might be a problem in there somewhere. I did some troubleshooting, and here's what I've found:

    The URL in my wsdl file is correct (copying & pasting it into my browser takes me to the appropriate location on my F5) so that isn't the problem. The location to that wsdl file in my php script is correct (I can also copy that URL and visit it in my browser, and it prints out the wsdl file just fine.)

    So, I was curious and I changed the URL location to my F5 in the wsdl file (the part $location="https://$hostname/iControl/iControlPortal.cgi?";

    <?php
    require_once 'SOAP/Client.php';

    // $wsdl_url (the iControlPortal.cgi?WSDL=LocalLB.Pool URL quoted in the
    // error below), $username and $password are set earlier in the script
    // and were not included in the post
    $soapoptions = array('namespace' => 'urn:iControl');
    $proxy_parms = array('user' => $username, 'pass' => $password);
    $params      = array();

    $client = new SOAP_Client($wsdl_url, true, '', $proxy_parms);
    // certificate and hostname verification are disabled here
    $client->setOpt('curl', CURLOPT_SSL_VERIFYPEER, 0);
    $client->setOpt('curl', CURLOPT_SSL_VERIFYHOST, 0);

    $response = $client->call('get_list', $params, $soapoptions);
    if (PEAR::isError($response)) {
        print "an error occurred in the call\n";
        echo $response->message;
    }

    Now, when I visit the php page, I get the following error:

    "Unable to retrieve WSDL https://hostname/iControl/iControlPortal.cgi?WSDL=LocalLB.Pool"

    However, I know that URL is correct, as again it pulls up in my browser. I know this isn't a firewall issue, because I can telnet to the server on the appropriate ports from the host.
  • I've narrowed the problem down to being an OpenSSL issue. There are evidently problems with the version of OpenSSL I installed (0.9.8b) and Solaris 10. Running openssl from the command prompt with SSLv3 produced the following error:

    [09:30 AM][root@vwsinfr03:/usr/local/ssl/bin]>./openssl s_client -connect www.google.com:443 -state
    CONNECTED(00000004)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL3 alert read:fatal:bad record mac
    SSL_connect:failed in SSLv3 read finished A
    29337:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20
    29337:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

    The bold part is the same message I got with php / curl.

    However, running the same command, but specifying SSLv2 worked fine. I couldn't find a way to tell curl to use SSLv2 (do you know of a way?).

    So, I started digging around, and I found that compiling SSL with debug support (./Configure -shared debug-solaris-sparcv8-cc) allows me to connect using the command above, with SSLv3 just fine. With that, I'm recompiling curl to use the new OpenSSL libraries, and from there I'll probably have to recompile PHP.

    I assume this will fix things -- seeing as how SSLv3 from the command line works properly, whereas before it did not. I will post back once I get everything recompiled. However, in case it doesn't, is anyone aware of a way to force curl (with PHP, maybe setting a config option somewhere?) to use SSLv2?

    Edit: That was indeed the problem. Recompiling OpenSSL with the above compile flags, then recompiling curl fixed the problem. I can now successfully connect to my F5 and list all available pools!
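To make the s_client and curl output in this thread easier to read, here is a small decoder for OpenSSL's error:lib:function:reason lines that also names the TLS alert the peer sent. This is an added example and not part of the thread or of any F5 or OpenSSL tool; the sample lines are the ones quoted in the posts above, the alert table is the standard AlertDescription list from RFC 2246/5246, and the hint it prints for the bad_record_mac case reflects the conclusion reached in the thread (a rebuilt OpenSSL on the client fixed it), not an OpenSSL diagnostic.

```php
<?php
// Added example, not from the thread: parse OpenSSL error lines of the form
// [pid:]error:<code>:<library>:<function>:<reason>[:<file>:<line>[:<extra>]]
// and name any "SSL alert number N" found in <extra>.

function tls_alert_name($number)
{
    // AlertDescription values from RFC 2246 / RFC 5246
    static $names = array(
        0 => 'close_notify', 10 => 'unexpected_message', 20 => 'bad_record_mac',
        21 => 'decryption_failed', 22 => 'record_overflow', 30 => 'decompression_failure',
        40 => 'handshake_failure', 42 => 'bad_certificate', 43 => 'unsupported_certificate',
        44 => 'certificate_revoked', 45 => 'certificate_expired', 46 => 'certificate_unknown',
        47 => 'illegal_parameter', 48 => 'unknown_ca', 49 => 'access_denied',
        50 => 'decode_error', 51 => 'decrypt_error', 70 => 'protocol_version',
        71 => 'insufficient_security', 80 => 'internal_error', 90 => 'user_canceled',
        100 => 'no_renegotiation',
    );
    return isset($names[$number]) ? $names[$number] : 'unknown';
}

function decode_openssl_error($line)
{
    $re = '/error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+)(?::([^:]+):(\d+))?(?::(.*))?$/';
    if (!preg_match($re, $line, $m)) {
        return null;                       // not an OpenSSL error line
    }
    $info = array(
        'code'       => strtoupper($m[1]),
        'library'    => $m[2],
        'function'   => $m[3],
        'reason'     => $m[4],
        'file'       => (isset($m[5]) && $m[5] !== '') ? $m[5] : null,
        'line'       => (isset($m[6]) && $m[6] !== '') ? (int) $m[6] : null,
        'alert'      => null,
        'alert_name' => null,
    );
    if (isset($m[7]) && preg_match('/SSL alert number (\d+)/', $m[7], $a)) {
        $info['alert']      = (int) $a[1];
        $info['alert_name'] = tls_alert_name($info['alert']);
    }
    return $info;
}

function explain($info)
{
    if ($info === null) {
        return 'not an OpenSSL error line';
    }
    $text = $info['library'] . ' / ' . $info['function'] . ': ' . $info['reason'];
    if ($info['alert'] !== null) {
        $text .= sprintf(' (peer sent alert %d = %s)', $info['alert'], $info['alert_name']);
    }
    // The thread's case: the client has just written Finished (its first encrypted
    // record) and the server answers bad_record_mac, i.e. the server could not
    // verify the MAC on that record. Keys or MACs diverged on the client side,
    // which is why a rebuilt OpenSSL fixed it and neither the network nor the
    // server was at fault.
    $bad_mac = ($info['alert'] === 20) || strpos($info['reason'], 'bad record mac') !== false;
    if ($bad_mac && $info['function'] === 'SSL3_READ_BYTES') {
        $text .= '; suspect the local TLS library build before the network or the server';
    }
    return $text;
}

// Sample lines copied from the thread (constructed input for this example)
$samples = array(
    'curl_exec error 35 error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac',
    '29337:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20',
    '29337:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:',
);
foreach ($samples as $line) {
    echo explain(decode_openssl_error($line)), "\n";
}
```

Run it with the php CLI; the first two lines decode to the same SSL3_READ_BYTES / bad record mac failure with the second carrying alert 20 (bad_record_mac) from the server, and the third is the follow-on SSL23_WRITE handshake failure with no alert, which is what the -state trace above shows.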