Forum Discussion
keegan_morrison
Nimbostratus
Oct 10, 2007
ssl error when connecting from with php
Hi all. I'm working on writing an interface to display host information on our F5 in our company wiki. I'm trying to set up php to connect to the F5, and I'm not having much luck.
I followed...
keegan_morrison
Nimbostratus
Oct 11, 2007
I've narrowed the problem down to being an OpenSSL issue. There are evidently problems with the version of openssl I installed (0.9.8b) and Solaris 10. Running openssl from the command prompt with SSLv3 produced the following error:
[09:30 AM][root@vwsinfr03:/usr/local/ssl/bin]>./openssl s_client -connect www.google.com:443 -state
CONNECTED(00000004)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad record mac
SSL_connect:failed in SSLv3 read finished A
29337:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20
29337:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
The bold part is the same message I got with php / curl.
However, running the same command, but specifying SSLv2 worked fine. I couldn't find a way to tell curl to use SSLv2 (do you know of a way?).
So, I started digging around, and I found that compiling ssl with debug support (./Configure -shared debug-solaris-sparcv8-cc) allows me to connect using the command above, with SSLv3 just fine. With that, I'm recompiling curl to use the new OpenSSL libraries, and from there I'll probably have to recompile php.
I assume this will fix things -- seeing as how ssl v3 from the command line works properly, whereas before it did not. I will post back once I get everything recompiled. However, in case it doesn't, is anyone aware of a way to force curl (with php, maybe setting a config option somewhere?) to use sslv2?
Edit: That was indeed the problem. Recompiling OpenSSL with the above compile flags, then recompiling curl fixed the problem. I can now successfully connect to my F5 and list all available pools!
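Added example, not part of the original thread: a small Python parser for the `openssl s_client -state` trace quoted above. It reports the last completed handshake state, the state that failed, and any alerts, verify errors and error-queue entries. The sample trace is constructed by abbreviating the output in the post; the function and field names are this example's own.

```python
import re

# Constructed sample: abbreviated from the s_client -state trace quoted in the post.
SAMPLE_TRACE = """\
CONNECTED(00000004)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
verify error:num=20:unable to get local issuer certificate
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad record mac
SSL_connect:failed in SSLv3 read finished A
29337:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20
29337:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""

STATE = re.compile(r"^SSL_connect:(failed in |error in )?(.+)$")
ALERT = re.compile(r"^SSL3 alert (read|write):(\w+):(.+)$")
VERIFY = re.compile(r"^verify error:num=(\d+):(.+)$")
# pid:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<extra>
ERROR = re.compile(r"^\d+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")

def summarize_trace(text):
    """Return where the handshake stopped and which alerts/errors were logged."""
    out = {"last_ok_state": None, "failed_state": None,
           "alerts": [], "verify_errors": [], "errors": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := STATE.match(line):
            # A "failed in"/"error in" prefix marks the state that did not complete.
            out["failed_state" if m.group(1) else "last_ok_state"] = m.group(2)
        elif m := ALERT.match(line):
            # "read" = alert received from the peer, "write" = alert sent locally.
            out["alerts"].append({"sender": "peer" if m.group(1) == "read" else "local",
                                  "level": m.group(2), "description": m.group(3)})
        elif m := VERIFY.match(line):
            out["verify_errors"].append((int(m.group(1)), m.group(2)))
        elif m := ERROR.match(line):
            out["errors"].append({"code": m.group(1), "function": m.group(3),
                                  "reason": m.group(4)})
    return out

if __name__ == "__main__":
    for key, value in summarize_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the sample, the fatal alert is one the client read from the peer while waiting for the server's Finished message, that is, directly after the client sent its first record under the newly negotiated keys.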