error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

#108299 (In Topic #21099)
TQ

Honoured member

Hi All,

I have a user that has made available a few files for my download section. These files download ok if I put the address directly into the Firefox address bar but if I use the 'URL' field in the add-download with 'Copy to Server' checked I get this error:

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


The location is an https address but if I change it to http I still get the same message.

Interestingly, if I do not check the 'Copy to Server' box and use the actual download page's 'Download Now' link, everything works. Unfortunately, I must copy these files to my server as the user wants to delete them from his company's server asap.

Any ideas/suggestions please?

TQ
 
#108301

It seems to be a bug in CURL's "SSL" version-choice negotiation. Try:
Attachment
sources/files2.php
» Download: files2.php (43 Kb, 518 downloads so far)

I think it has come up now that servers are disabling SSL3, due to a vulnerability found.

If it works we'll make this change official, as for security we want anyway for ocPortal to prefer TLS not the old SSL versions.

CURL really is meant to handle this itself, which is why I am reticent, but its bug seems to get in the way.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
 
#108306
TQ

Honoured member

Chris Graham said

It seems to be a bug in CURL's "SSL" version-choice negotiation. Try:
Attachment
sources/files2.php
» Download: files2.php (43 Kb, 518 downloads so far)

I think it has come up now that servers are disabling SSL3, due to a vulnerability found.

If it works we'll make this change official, as for security we want anyway for ocPortal to prefer TLS not the old SSL versions.

CURL really is meant to handle this itself, which is why I am reticent, but its bug seems to get in the way.

Alas, it didn't work. This is the error I got:

Code

PHP NOTICE [8] Use of undefined constant CURL_SSLVERSION_TLSv1 - assumed 'CURL_SSLVERSION_TLSv1' in sources\files2.php on line 729 (version: 9.0.19, PHP version: 5.3.24, URL: /cms/index.php?page=cms_downloads&type=__ed&id=263&uploading=1)

If you want the full error detail, I'd be glad to post it.

Thanks for looking into it Chris.

TQ
 
#108307

Okay, so an older PHP and/or CURL version is involved here. Try this alternate way of setting the protocol…

Attachment
» Download: files2.php (43 Kb, 366 downloads so far)


 
#108310
TQ

Honoured member

Chris Graham said

Okay, so an older PHP and/or CURL version is involved here. Try this alternate way of setting the protocol…

Attachment
» Download: files2.php (43 Kb, 366 downloads so far)

Sorry, no dice:

Code

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Chris, can I remind you that OCP is on a Windows server in case that has some influence. I have no idea what is at the other end but if you want me to PM you any info (including OCP admin & FTP to my site) let me know.

I know that you are busy with v10 so, if you'd rather put this on the back burner, I can download these files manually.

Thanks for your time.

TQ
 
#108316

Bugs take priority.

Try this:
Attachment
» Download: files2.php (43 Kb, 184 downloads so far)


If still not working, please open a bug report ticket with access and I'll debug through it. If need-be we can implement a curl bypass workaround.


 
#108335
TQ

Honoured member

Chris Graham said

Bugs take priority.

Try this:
Attachment
» Download: files2.php (43 Kb, 184 downloads so far)


If still not working, please open a bug report ticket with access and I'll debug through it. If need-be we can implement a curl bypass workaround.

No luck.

Bug Report submitted.

Thanks for your time.

TQ
 
#108340

I ran a lot of tests but it seems this is unsolvable unless PHP is upgraded on the server. My understanding is upgrading PHP will also upgrade cURL and OpenSSL, as it is all built in together on Windows.

CloudFlare is hosting the https. It is also redirecting http to https. CloudFlare has disabled SSLv3 support, meaning we must use TLS.

The OpenSSL on the server is old and has a bug that causes its protocol negotiation to fail:
http://openssl.6102.n7.nabble.com/SSL-Alert-Warning-treated-Fatal-without-Explicit-SSL-TLS-Version-td8183.html

cURL has a workaround for this bug, and support for explicit protocol specification, which we were trying to use:
curl is at curl.haxx.se / Bugs / #1037 SSL23_GET_SERVER_HELLO when connecting to OpenSSL 1.0.0
However your version of cURL is too old for it:
Convert PHP code to curl command where only TLSv1 is allowed - Stack Overflow

Additionally, PHP's stream wrappers (an alternative to cURL) suffer the same problem - they can't be forced to use TLS.

Now I'm not entirely sure if the issue is PHP doesn't have the support to force TLS, or if the OpenSSL on the server doesn't have the modern crypto protocols that TLS requires (because in theory I should have been able to force TLS when I hard-specified those protocols as the only choices). It may well be both these issues.


 
#108341

Generally speaking a lot of servers have disabled old "SSL" protocols and cryptos because of the recent big vulnerabilities. Combine that with buggy old versions of OpenSSL, and poor support for protocol specification in older versions of PHP and cURL and you have a big mess.


 
#108350
TQ

Honoured member

Hi Chris,

Thank you very much for your time and detailed explanation of the problem, even if it's not fixable with the current set-up it's good to know where the problem lies. It's also yet further motivation to upgrade the server.

The most recent version of PHP that is compatible with my server is 5.4.41 (I'm currently running 5.3.24). Is that worth a try?

A moment ago I tried to load php info from Admin>Tools> PHP info> which crashed with this error:

Code

PHP WARNING [2] shell_exec() [<a href='http://www.php.net/manual/en/function.shell-exec.php'>function.shell-exec.php</a>]: Unable to execute 'whoami' in adminzone\pages\modules\admin_phpinfo.php on line 112 (version: 9.0.19, PHP version: 5.3.24, URL: /adminzone/index.php?page=admin_phpinfo)

Yet it will load from another (old) installation of OCP (v9.0.9) I have on the same server. Is this related to something we've done or have I just come across another 'issue' with this particular (Hamfiles) install?

Thanks again.

TQ
 
#108351

is that worth a try?

Yes

A moment ago I tried to load php info from Admin>Tools> PHP info> which crashed with this error:

Ah. This is a bug, we are forgetting to support Windows in some improvements we made. Please ignore.


 
#108352
TQ

Honoured member

Wow, hardly had time to close the tab before you replied!

Thanks, will give it a go.

TQ
 
#108368
TQ

Honoured member

Hi Chris,

Let me start by saying I expect no further work on your part to address this issue.

I have updated PHP to v5.4.41 (the highest revision that will run on my server) and all of my sites seem to be working as expected.

I have tried all of the patches you kindly provided again but have made no progress. I did however come across a great utility that allowed me to disable SSL1.0, 2.0 & 3.0 without hacking the registry and confirm that TLS above 1.0 is never going to happen on my antiquated Win server 2003.

The report it also generated made it clear that I must accept what I have or retire the current server and replace it with something more recent than the birth of man.

Thanks for all your help and time.

TQ
 
#108370

Community saint

Yep, and Windows Server 2003 end of life is July 14, 2015 so maybe it's best to migrate.
 
#108374

Hi,

Well, I am interested in the resolution regardless. But yeah Windows 2003 should really be replaced, it's not secure.

I think I was wrong about PHP bundling OpenSSL.

This is about static vs dynamic linking, and it's not always clear what PHP is using on any particular platform. It seems it is actually dynamic linking, so directly upgrading OpenSSL may work.

PHP: Installation - Manual

libeay32.dll seems to be the OpenSSL dll file.


 
#108378
TQ

Honoured member

Hi,

@KingBast You are correct of course, thing is, this is a personal server for personal projects so cost is everything. The donations I receive from my site provide <5% of the internet cost let alone enough to buy a new server & O/S.

@Chris Thank you! I do believe I run on the same fuel as you. I did so want to fix it, if it were possible, for no other reason than not to leave something unresolved.

So, I checked out the OpenSSL operation/version via PHP which informed me that it was enabled and running a not-so-old version.

Code

openssl

OpenSSL support enabled
OpenSSL Library Version OpenSSL 0.9.8zf 19 Mar 2015
OpenSSL Header Version OpenSSL 0.9.8zf 19 Mar 2015

I then looked into it and found that there was a later version so I've installed the latest rendition for PHP to use.

Code

openssl

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.2a 19 Mar 2015
OpenSSL Header Version OpenSSL 0.9.8zf 19 Mar 2015

... and I think there may be a solution in sight! Don't (yet) know why the header version is still the old one but I won't let go till I find out why.

The catch is, the user that provided the files behind SSL has now removed them. I have written to them to see if they will repost something so I can continue testing. In the meantime their URL now generates a 404 (still under SSL) which OCP now downloads :P

Thanks so much for not letting go!

TQ
 
#108383

That does sound like progress. I don't remember the version I saw cURL was using, but I thought it was a fair bit older than that. Anyway, it does sound fixed because if it's downloading a 404 it has got through the SSL checks at least.


 
#108420
TQ

Honoured member

*** Resolved ***

I have now had an opportunity to test the above problem/solution and all is well. My thanks to Chris for his guidance.

For those still dancing with dinosaurs, ie. running a Win 2003 server, here it is in a nutshell.

It was thought that my version of PHP was the cause but OpenSSL proved to be the culprit.

The most recent version of PHP that is compatible with win 2003 server is 5.4.41 which is bundled with OpenSSL v0.9.8zf.

The solution, after installing PHP 5.4.41, is to download the latest version of OpenSSL and overwrite ssleay32.dll & libeay32.dll in your PHP folder.

After a restart, if you run phpinfo it'll report that the OpenSSL header is still the old version. I have investigated this and the consensus of opinion is that this can't be fixed without recompiling PHP with the new version of OpenSSL and that it will not cause any problems. In my experience over the past few days, there is no evidence to say otherwise.

Hopefully, case closed. :thumbs:

TQ
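
A diagnostic sketch for the situation this thread works through, added here as an example and not taken from ocPortal's files2.php or from either poster: it reports which OpenSSL build cURL is linked to at run time, falls back to libcurl's numeric value when `CURL_SSLVERSION_TLSv1` is undefined, and separates a TLS failure from an HTTP error. The function names and the script name `tls_probe.php` are assumptions.

```php
<?php
// Added example; not ocPortal's files2.php. Function names are hypothetical.

// Which TLS stack is PHP really using? phpinfo() reports an OpenSSL header
// version (fixed when PHP was compiled) and a library version (the DLL loaded
// at run time); cURL reports the SSL backend it is linked to separately.
function tls_stack_report()
{
    $curl = function_exists('curl_version') ? curl_version() : array();
    return array(
        'php'            => PHP_VERSION,
        'openssl_header' => defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : 'openssl not loaded',
        'curl'           => isset($curl['version']) ? $curl['version'] : 'curl not loaded',
        'curl_ssl'       => isset($curl['ssl_version']) ? $curl['ssl_version'] : 'none',
    );
}

// Older PHP builds do not export CURL_SSLVERSION_TLSv1, which produces the
// "undefined constant" notice seen in the thread. libcurl's value for it is 1.
function tls_version_option()
{
    return defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1;
}

// Probe a URL with TLS requested explicitly and certificate checks left on.
// Any HTTP status, even 404, means the TLS handshake itself succeeded.
function probe_tls($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_NOBODY, true);          // headers only; enough for a probe
    curl_setopt($ch, CURLOPT_SSLVERSION, tls_version_option());
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_TIMEOUT, 20);
    $ok = curl_exec($ch) !== false;
    $out = array(
        'transfer_ok' => $ok,
        'http_status' => $ok ? curl_getinfo($ch, CURLINFO_HTTP_CODE) : null,
        // 35 = CURLE_SSL_CONNECT_ERROR (handshake), 60 = certificate not verified
        'curl_errno'  => curl_errno($ch),
        'curl_error'  => curl_error($ch),
    );
    curl_close($ch);
    return $out;
}

// Command-line use: php tls_probe.php https://example.com/
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    print_r(tls_stack_report());
    if (isset($argv[1])) {
        print_r(probe_tls($argv[1]));
    }
}
```

Run it before and after replacing the OpenSSL DLLs: `curl_ssl` shows the library cURL loads at run time, while `openssl_header` stays at the version PHP was compiled against.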
 
#110884

Non-joined user

Hi,

Thanks to both of you, TQ and Chris.
It's a great resource I've found to solve my problem.

Thanks again.
Rana