cPanel / CentOS update breaks SOAP SSL
Hi all,
We use cPanel/WHM 11.40.0 (build 26).
During the last update yesterday morning, many packages were updated, and since then it is no longer possible to make a SOAP connection using SSL.
The problem occurs in our plugin but also from a simple web site on the server. And as everything works without problem when the request comes from another server (non-cPanel), we think the problem is due to one or more of the package updates.
The problem is not related to the firewall and occurs whatever the PHP version (5.3.? or 5.4.?, built with the easyapache script).
The returned exception just says that the connection was not possible.
Does anyone have an idea of the source of such a problem?
Thanks in advance for any tips.
Cheers,
Philippe
Returned exception :
[Authentication EXCEPTION] => SoapFault Object
(
[message:protected] => Could not connect to host
[string:Exception:private] =>
[code:protected] => 0
[file:protected] => /home/tizoobe/public_html/index.php
[line:protected] => 21
[trace:Exception:private] => Array
(
[0] => Array
(
[function] => __doRequest
[class] => SoapClient
[type] => ->
[args] => Array
(
[0] =>
XXXXXXXXXX
[1] => https://zimbra.tizoo.net:7071/service/admin/soap/
[2] => urn:zimbraAdmin#AuthRequest
[3] => 2
[4] => 0
)
)
[1] => Array
(
[file] => /home/tizoobe/public_html/index.php
[line] => 21
[function] => __soapCall
[class] => SoapClient
[type] => ->
[args] => Array
(
[0] => AuthRequest
[1] => Array
(
[0] => SoapParam Object
(
[param_name] => name
[param_data] => XXXX
)
[1] => SoapParam Object
(
[param_name] => password
[param_data] => XXXX
)
)
[2] =>
[3] => SoapHeader Object
(
[namespace] => urn:zimbra
[name] => context
[mustUnderstand] =>
)
)
)
)
[previous:Exception:private] =>
[faultstring] => Could not connect to host
[faultcode] => HTTP
)
List of the updated packages :
Packages Installed:
kernel-2.6.32-431.el6.x86_64
lzo-2.03-3.1.el6.x86_64
snappy-1.1.0-1.el6.x86_64
perl-CGI-3.51-136.el6.x86_64
p11-kit-trust-0.18.5-2.el6.x86_64
shared-mime-info-0.70-4.el6.x86_64
p11-kit-0.18.5-2.el6.x86_64
Packages Updated:
libgcc-4.4.7-4.el6.i686
openssh-server-5.3p1-94.el6.x86_64
kexec-tools-2.0.0-273.el6.x86_64
1:busybox-1.15.1-20.el6.x86_64
policycoreutils-2.0.83-19.39.el6.x86_64
libreport-python-2.0.9-19.el6.centos.x86_64
nspr-4.10.0-1.el6.x86_64
cvs-1.11.23-16.el6.x86_64
lvm2-2.02.100-8.el6.x86_64
libreport-2.0.9-19.el6.centos.x86_64
1:perl-Module-Load-0.16-136.el6.x86_64
setuptool-1.19.9-4.el6.x86_64
pam-devel-1.1.1-17.el6.x86_64
1:perl-ExtUtils-CBuilder-0.27-136.el6.x86_64
libreport-plugin-rhtsupport-2.0.9-19.el6.centos.x86_64
man-pages-overrides-6.5.2-1.el6.noarch
ghostscript-devel-8.70-19.el6.x86_64
1:perl-Archive-Extract-0.38-136.el6.x86_64
libreport-plugin-mailx-2.0.9-19.el6.centos.x86_64
nss-sysinit-3.15.1-15.el6.x86_64
1:net-snmp-libs-5.5-49.el6.x86_64
1:perl-ExtUtils-ParseXS-2.2003.0-136.el6.x86_64
device-mapper-event-1.02.79-8.el6.x86_64
1:perl-Locale-Maketext-Simple-0.18-136.el6.x86_64
perl-File-Fetch-0.26-136.el6.x86_64
coreutils-libs-8.4-31.el6.x86_64
gcc-c++-4.4.7-4.el6.x86_64
libreport-compat-2.0.9-19.el6.centos.x86_64
libstdc++-4.4.7-4.el6.x86_64
1:perl-Compress-Raw-Zlib-2.021-136.el6.x86_64
perl-IO-Compress-Bzip2-2.021-136.el6.x86_64
1:microcode_ctl-1.17-17.el6.x86_64
perl-Term-UI-0.20-136.el6.x86_64
ql2500-firmware-7.00.01-1.el6.noarch
kernel-firmware-2.6.32-431.el6.noarch
abrt-libs-2.0.8-21.el6.centos.x86_64
libxml2-python-2.7.6-14.el6.x86_64
libxml2-2.7.6-14.el6.x86_64
python-tools-2.6.6-51.el6.x86_64
bfa-firmware-3.2.21.1-2.el6.noarch
hdparm-9.43-4.el6.x86_64
dracut-kernel-004-336.el6_5.2.noarch
libnl-1.1.4-2.el6.x86_64
sudo-1.8.6p3-12.el6.x86_64
e2fsprogs-devel-1.41.12-18.el6.x86_64
glibc-devel-2.12-1.132.el6.i686
grubby-7.0.15-5.el6.x86_64
1:perl-IPC-Cmd-0.56-136.el6.x86_64
perl-ExtUtils-MakeMaker-6.55-136.el6.x86_64
cronie-1.4.4-12.el6.x86_64
libdrm-2.4.45-2.el6.x86_64
perl-IO-Compress-Base-2.021-136.el6.x86_64
1:quota-3.17-20.el6.x86_64
logrotate-3.7.8-17.el6.x86_64
libblkid-2.17.2-12.14.el6.x86_64
efibootmgr-0.5.4-11.el6.x86_64
libreport-cli-2.0.9-19.el6.centos.x86_64
1:perl-Object-Accessor-0.34-136.el6.x86_64
abrt-addon-kerneloops-2.0.8-21.el6.centos.x86_64
udev-147-2.51.el6.x86_64
14:libpcap-1.4.0-1.20130826git2dbcaa1.el6.x86_64
glibc-static-2.12-1.132.el6.x86_64
atk-1.30.0-1.el6.x86_64
libudev-147-2.51.el6.x86_64
ftp-0.17-54.el6.x86_64
libcom_err-1.41.12-18.el6.x86_64
libgcc-4.4.7-4.el6.x86_64
1:perl-Parse-CPAN-Meta-1.40-136.el6.x86_64
libstdc++-devel-4.4.7-4.el6.x86_64
rpm-python-4.8.0-37.el6.x86_64
4:perl-5.10.1-136.el6.x86_64
perl-IO-Compress-Zlib-2.021-136.el6.x86_64
sysvinit-tools-2.87-5.dsf.el6.x86_64
1:emacs-common-23.1-25.el6.x86_64
coreutils-8.4-31.el6.x86_64
perl-Socket6-0.23-4.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch
libreport-plugin-kerneloops-2.0.9-19.el6.centos.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
kernel-headers-2.6.32-431.el6.x86_64
e2fsprogs-1.41.12-18.el6.x86_64
sos-2.2-47.el6.centos.noarch
python-devel-2.6.6-51.el6.x86_64
abrt-cli-2.0.8-21.el6.centos.x86_64
libXcursor-1.1.13-6.20130524git8f677eaea.el6.x86_64
selinux-policy-targeted-3.7.19-231.el6.noarch
device-mapper-event-libs-1.02.79-8.el6.x86_64
libuuid-2.17.2-12.14.el6.x86_64
glibc-headers-2.12-1.132.el6.x86_64
gtk2-2.20.1-4.el6.x86_64
pam-1.1.1-17.el6.x86_64
device-mapper-persistent-data-0.2.8-2.el6.x86_64
glibc-devel-2.12-1.132.el6.x86_64
iw-3.10-1.1.el6.x86_64
1:emacs-23.1-25.el6.x86_64
python-2.6.6-51.el6.x86_64
1:perl-Params-Check-0.26-136.el6.x86_64
openssl-1.0.1e-15.el6.x86_64
1:readahead-1.5.6-2.el6.x86_64
1:perl-Log-Message-0.02-136.el6.x86_64
nss-3.15.1-15.el6.x86_64
xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
1:perl-Package-Constants-0.02-136.el6.x86_64
util-linux-ng-2.17.2-12.14.el6.x86_64
fprintd-pam-0.1-21.git04fd09cfa.el6.x86_64
1:perl-Pod-Escapes-1.04-136.el6.x86_64
libreport-plugin-reportuploader-2.0.9-19.el6.centos.x86_64
nss-softokn-3.14.3-9.el6.x86_64
lvm2-libs-2.02.100-8.el6.x86_64
1:perl-Module-Pluggable-3.90-136.el6.x86_64
1:perl-IO-Zlib-1.09-136.el6.x86_64
glibc-common-2.12-1.132.el6.x86_64
libgcj-4.4.7-4.el6.x86_64
biosdevname-0.5.0-2.el6.x86_64
nss-util-3.15.1-3.el6.x86_64
abrt-addon-python-2.0.8-21.el6.centos.x86_64
perl-Compress-Zlib-2.021-136.el6.x86_64
glib2-2.26.1-3.el6.x86_64
nss-tools-3.15.1-15.el6.x86_64
ca-certificates-2013.1.94-65.0.el6.noarch
logwatch-7.3.6-52.el6.noarch
12:dhclient-4.1.1-38.P1.el6.centos.x86_64
1:perl-Digest-SHA-5.47-136.el6.x86_64
cronie-anacron-1.4.4-12.el6.x86_64
initscripts-9.03.40-2.el6.centos.x86_64
rpm-4.8.0-37.el6.x86_64
ntpdate-4.2.6p5-1.el6.centos.x86_64
1:grub-0.97-83.el6.x86_64
cpp-4.4.7-4.el6.x86_64
abrt-tui-2.0.8-21.el6.centos.x86_64
numactl-2.0.7-8.el6.x86_64
openssl-devel-1.0.1e-15.el6.x86_64
systemtap-runtime-2.3-3.el6.x86_64
ql2400-firmware-7.00.01-1.el6.noarch
glibc-2.12-1.132.el6.x86_64
sysstat-9.0.4-22.el6.x86_64
iptables-1.4.7-11.el6.x86_64
mdadm-3.2.6-7.el6.x86_64
kpartx-0.4.9-72.el6.x86_64
perl-CPANPLUS-0.88-136.el6.x86_64
parted-2.1-21.el6.x86_64
perl-CPAN-1.9402-136.el6.x86_64
1:perl-Pod-Simple-3.13-136.el6.x86_64
libgomp-4.4.7-4.el6.x86_64
centos-release-6-5.el6.centos.11.2.x86_64
libcom_err-devel-1.41.12-18.el6.x86_64
btparser-0.17-2.el6.x86_64
ipmitool-1.8.11-16.el6.x86_64
mailx-12.4-7.el6.x86_64
device-mapper-libs-1.02.79-8.el6.x86_64
perl-ExtUtils-Embed-1.28-136.el6.x86_64
python-libs-2.6.6-51.el6.x86_64
dracut-004-336.el6_5.2.noarch
e2fsprogs-libs-1.41.12-18.el6.x86_64
perl-Module-Load-Conditional-0.30-136.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
grep-2.6.3-4.el6.x86_64
libss-1.41.12-18.el6.x86_64
nss-softokn-freebl-3.14.3-9.el6.x86_64
iptables-ipv6-1.4.7-11.el6.x86_64
4:perl-devel-5.10.1-136.el6.x86_64
2:irqbalance-1.0.4-6.el6.x86_64
iproute-2.6.32-31.el6.x86_64
4:perl-Time-HiRes-1.9721-136.el6.x86_64
1:perl-Module-Loaded-0.02-136.el6.x86_64
perl-core-5.10.1-136.el6.x86_64
3:perl-version-0.77-136.el6.x86_64
12:dhcp-common-4.1.1-38.P1.el6.centos.x86_64
nss-softokn-freebl-3.14.3-9.el6.i686
openssh-clients-5.3p1-94.el6.x86_64
libreport-plugin-logger-2.0.9-19.el6.centos.x86_64
libxml2-devel-2.7.6-14.el6.x86_64
rpm-libs-4.8.0-37.el6.x86_64
1:perl-parent-0.221-136.el6.x86_64
abrt-addon-ccpp-2.0.8-21.el6.centos.x86_64
glibc-2.12-1.132.el6.i686
tkinter-2.6.6-51.el6.x86_64
device-mapper-1.02.79-8.el6.x86_64
abrt-2.0.8-21.el6.centos.x86_64
iotop-0.3.2-7.el6.noarch
python-urlgrabber-3.9.1-9.el6.noarch
fprintd-0.1-21.git04fd09cfa.el6.x86_64
perl-Archive-Tar-1.58-136.el6.x86_64
ghostscript-8.70-19.el6.x86_64
ntp-4.2.6p5-1.el6.centos.x86_64
rsyslog-5.8.10-8.el6.x86_64
gcc-4.4.7-4.el6.x86_64
4:perl-libs-5.10.1-136.el6.x86_64
python-ethtool-0.6-5.el6.x86_64
hwdata-0.233-9.1.el6.noarch
1:quota-devel-3.17-20.el6.x86_64
openssh-5.3p1-94.el6.x86_64
Hi all,
Some new information about this issue. Trying to access the service with wget gives interesting information (I only thought about that now...):

    # wget https://zimbra.tizoo.net:7071/service/admin/soap/
    --2013-12-03 17:10:38-- https://zimbra.tizoo.net:7071/service/admin/soap/
    Résolution de zimbra.tizoo.net... 212.147.77.199
    Connexion vers zimbra.tizoo.net|212.147.77.199|:7071...connecté.
    OpenSSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
    OpenSSL: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib

Which seems to be due to a too quick implementation by RedHat of the ECDHE/ECDSA algorithm. We will try to downgrade the openssl package to see if this fixes the problem and give feedback here.
Cheers,
Philippe
Hi Michael,
Yes, it's exactly the problem. We fixed it before CentOS released the fix, but it's no longer needed now, as the CentOS fix fixed it. I give the solution in case it could be useful for someone else in another situation.
The solution was to avoid using ECDH* ciphers and define which cipher to use for the SOAP request, which is done with the following code:

    // Pin the cipher so the handshake does not negotiate an ECDH* suite.
    $sslOptions = array('ssl' => array('ciphers' => 'RC4-SHA'));
    // Non-WSDL mode (first argument null): 'location' and 'uri' are required.
    $sc = new SoapClient(null, array(
        'location'       => 'https://zimbra.tizoo.net:7071/service/admin/soap/',
        'uri'            => 'urn:zimbraAdmin',
        // Pass the SSL options to the HTTPS transport.
        'stream_context' => stream_context_create($sslOptions),
        'trace'          => 1,
        'exceptions'     => 1,
        'soap_version'   => SOAP_1_2,
        'style'          => SOAP_RPC,
        'use'            => SOAP_LITERAL
    ));

To detect what goes wrong and what goes well, we used openssl this way:

    # openssl s_client -connect zimbra.tizoo.net:7071
    => Problem :(
    # openssl s_client -connect zimbra.tizoo.net:7071 -cipher RC4-SHA
    => OK :)

Hope this will be useful.
Cheers,
Philippe
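The two-probe check from the post above, as an added example that is not part of the original thread: it classifies the TLS client output, then compares a default handshake with one that excludes ECDH key exchange to tell this EC fault apart from an ordinary connection failure. The function names and the `DEFAULT:!ECDH` cipher string are assumptions of this example; that string is used in place of the post's `RC4-SHA` pin because RC4 has since been prohibited in TLS by RFC 7465.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# The two OpenSSL error lines quoted in the wget output earlier in the thread.
sample_log() {
    echo 'OpenSSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group'
    echo 'OpenSSL: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib'
}

# Read captured client output (openssl s_client or wget) on stdin and print
# one label: ec_curve, tls_other, tcp, ok or unknown.
classify_tls_log() {
    log=$(cat)
    case "$log" in
        *"EC_GROUP_new_by_curve_name:unknown group"*|*"SSL3_GET_KEY_EXCHANGE:EC lib"*)
            echo ec_curve ;;   # local OpenSSL cannot use the curve the server chose
        *"SSL routines"*|*"Cipher is (NONE)"*)
            echo tls_other ;;  # handshake failed for a different reason
        *"Connection refused"*|*"connect:errno="*|*"timed out"*)
            echo tcp ;;        # never reached the TLS layer (firewall, service down)
        *"Cipher is "*)
            echo ok ;;         # s_client reports the negotiated cipher
        *)
            echo unknown ;;
    esac
}

# $1 = host:port, $2 = OpenSSL cipher string (assumed value, see probe_host).
# Note: -cipher only governs suites for TLS 1.2 and earlier.
probe_once() {
    openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 | classify_tls_log
}

# Turn the two probe results into a diagnosis.
verdict() {
    if [ "$1" = ec_curve ] && [ "$2" = ok ]; then
        echo "EC fault in local OpenSSL: update it, or exclude ECDH suites meanwhile"
    elif [ "$1" = ok ]; then
        echo "handshake works with the default cipher list"
    else
        echo "not the EC issue (default=$1, without ECDH=$2)"
    fi
}

# Probe with the default list, then with ECDH key exchange excluded.
probe_host() {
    verdict "$(probe_once "$1" 'DEFAULT')" "$(probe_once "$1" 'DEFAULT:!ECDH')"
}

if [ "$#" -gt 0 ]; then probe_host "$1"; fi
```

Run it with a `host:port` argument on the affected server; a result of `ec_curve` for the default list and `ok` without ECDH matches the situation described in this thread.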
Philippe,
Thank you for your post. It helped me solve a related problem today!
Bob