The Apache Haus Forum

Topic: PHP SSL client errors: is OpenSSL compiled with no-tlsext? (Read 4925 times)

karl (Newbie, Posts: 1)

PHP SSL client errors: is OpenSSL compiled with no-tlsext?
« on: April 07, 2010, 10:31:01 PM »

We have 2.2.15+openssl0.9.8(m|n). We've found that this combination can cause embedded PHP applications to throw this error:

    error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length

There is some discussion here:

    http://www.mail-archive.com/[email protected]/msg27435.html

The same PHP app works fine from the command line. I was eventually able to show, with phpinfo(), that when embedded in Apache, the PHP module picks up the OpenSSL libraries from Apache, and they have problems handling the case. The command-line openssl in your Apache release has the same problem as described in the article.

Switching to Apache Lounge binaries has allowed our app to continue working, but it seemed worth pointing out. (In our case, the problem did not become apparent until our Linux servers picked up patches from Red Hat which now support RFC 5746.)
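One way to spot this failure in a PHP error_log and decode the numeric part of the OpenSSL error string, as an added example that is not from the thread or from either distribution; the log lines are constructed and the `decode_openssl_error` / `find_handshake_failures` / `summarize` helpers are hypothetical names:

```python
import re
from collections import Counter

# OpenSSL error strings look like: error:<8 hex digits>:<lib>:<function>:<reason>
# The hex code packs library (top 8 bits), function (next 12 bits) and
# reason (low 12 bits); PHP appends " in <file> on line <n>", which we strip.
ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)(?:\s+in\s+\S+\s+on line\s+\d+)?\s*$"
)

# Constructed sample of a PHP error_log (not real log data).
SAMPLE_LOG = """\
[07-Apr-2010 22:31:01] PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length in /var/www/app.php on line 12
[07-Apr-2010 22:31:02] PHP Warning:  fsockopen(): Failed to enable crypto in /var/www/app.php on line 12
[07-Apr-2010 22:35:10] PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length in /var/www/app.php on line 12
""".splitlines()


def decode_openssl_error(line):
    """Return the decoded error from one log line, or None if it has none."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        "code": code,
        "lib": code >> 24,              # 0x14 is ERR_LIB_SSL ("SSL routines")
        "func": (code >> 12) & 0xFFF,   # 0x092 here: SSL3_GET_SERVER_HELLO
        "reason": code & 0xFFF,         # 0x073 here: bad packet length
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4),
    }


def find_handshake_failures(log_lines):
    """Collect every decoded OpenSSL error found in the given log lines."""
    return [d for d in (decode_openssl_error(l) for l in log_lines) if d]


def summarize(failures):
    """Count failures by (function, reason) so a repeating cause stands out."""
    return Counter((f["func_name"], f["reason_text"]) for f in failures)


if __name__ == "__main__":
    for key, n in summarize(find_handshake_failures(SAMPLE_LOG)).items():
        print("%dx %s: %s" % (n, key[0], key[1]))
```

A ServerHello that the client's OpenSSL rejects with "bad packet length" is a client-side parse failure, so comparing this count against the OpenSSL version reported by phpinfo() (the library Apache loaded) rather than the CLI's is the check to make.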

Gregg (Administrator, Member Elite, Posts: 849)

Re: PHP SSL client errors: is OpenSSL compiled with no-tlsext?
« Reply #1 on: April 08, 2010, 02:57:32 AM »

Yes, the non-sni builds are built with no-tlsext. That is the on-off switch for TLSSNI.

I've seen the report; I just personally have nothing that seems to be affected by it because I use the SNI enabled version.

I am not sure how Steffen builds the Apache Lounge Distro other than the same way our SNI enabled builds are built.

OpenSSL 1.0.0 is out and I've been using it for a week and a half now with the intent of monitoring it before we release it. The earthquake activity in my part of the world kind of threw that out the window. Maybe I'll have a look later since things have finally quieted down. I still need to un-bury the server anyway since the stuff on the shelf above it came down.

I honestly think there are going to be problems here and there for a while because of the rush of releases trying to negate the 0-day MITM problem. I do not think 1.0.0 is the perfect fix either; it will not even build with no-tlsext without making changes to the generated definitions file before compiling.

In any case, I'd like to see a couple changes made on both sides and a 2.2.16/1.0.0a soonish.

Thanks Karl for the report.