[php-maint] Debian bug #750890 might be caused by PHP5.6 instead of Roundcube

Ondřej Surý ondrej at sury.org
Tue Jun 10 12:14:55 UTC 2014


Control: reassign -1 src:php5
Control: severity -1 normal
Control: retitle -1 UPGRADING document missing in php5-common

Hi,

if you uncomment the @fsockopen in the affected code you would see:

[10-Jun-2014 11:58:55 UTC] PHP Warning:  fsockopen(): SSL operation
failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed in
/usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on
line 746
[10-Jun-2014 11:58:55 UTC] PHP Warning:  fsockopen(): Failed to enable
crypto in
/usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on
line 746
[10-Jun-2014 11:58:55 UTC] PHP Warning:  fsockopen(): unable to connect
to ssl://localhost:993 (Unknown error) in
/usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on
line 746
[10-Jun-2014 11:58:55 +0000]: IMAP Error: Login failed for
user at localhost from 2001:1488:fffe:6:11a6:2588:8dda:226c. Could not
connect to ssl://localhost:993: Unknown reason (fsockopen() function
disabled?) in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php
on line 184 (POST /roundcube/?_task=login&_action=login)

Either install ca-certificates or properly install your server
certificate (or the CA used) into /etc/ssl/certs/.

More information can be found in the UPGRADING document in the sources:

> - OpenSSL:
>  To prevent man-in-the-middle attacks against encrypted transfers client
>  streams now verify peer certificates by default. Previous versions
>  required users to manually enable peer verification. As a result of this
>  change, existing code using ssl:// or tls:// stream wrappers (e.g.
>  file_get_contents(), fsockopen(), stream_socket_client()) may no longer
>  connect successfully without manually disabling peer verification via the
>  stream context's "verify_peer" setting. Encrypted transfers delegate to
>  operating system certificate stores by default if not overridden via the
>  new openssl.cafile and openssl.cafile ini directives or via call-time SSL
>  context options, so most users should be unaffected by this transparent
>  security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)

O.

On Mon, Jun 9, 2014, at 15:21, Bart Champagne wrote:
> My reason for suspecting a PHP bug :
> Horde is also affected by the latest PHP packages upgrade, so I'm 
> calling this a bug in PHP5.6 and not in Roundcube or Horde.
> 
> SSL/TLS auth turned sour after the following apt-get upgrade :
> 
> Start-Date: 2014-06-05  10:00:36
> Commandline: apt-get upgrade
> Upgrade:
> php5-xmlrpc:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-sqlite:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-mongo:amd64 (1.4.5-2, 1.4.5-2+b1)
> php5-geoip:amd64 (1.1.0-1, 1.1.0-1+b1)
> libapache2-mod-php5:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-mysql:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-apcu:amd64 (4.0.4-1, 4.0.4-2)
> php5-ldap:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php-horde-lz4:amd64 (1.0.3-1, 1.0.3-1+b1)
> php5-common:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-curl:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-raphf:amd64 (1.0.4-1, 1.0.4-1+b1)
> php5-mcrypt:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-sasl:amd64 (0.1.0-3, 0.1.0-3+b1)
> php5-tidy:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-readline:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-memcache:amd64 (3.0.8-4, 3.0.8-4+b1)
> libmagickwand5:amd64 (6.7.7.10+dfsg-1, 6.7.7.10+dfsg-3)
> php5-xdebug:amd64 (2.2.4-1, 2.2.4-1+b1)
> php5-cli:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-propro:amd64 (1.0.0-1, 1.0.0-1+b1)
> php5-pecl-http:amd64 (2.0.4-1, 2.0.4-1+b1)
> php5-json:amd64 (1.3.5-1, 1.3.5-2)
> php5-imap:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php-pear:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> libmagickcore5:amd64 (6.7.7.10+dfsg-1, 6.7.7.10+dfsg-3)
> php5-pspell:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> imagemagick-common:amd64 (6.7.7.10+dfsg-1, 6.7.7.10+dfsg-3)
> php5-gd:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-imagick:amd64 (3.1.2-1, 3.1.2-1+b1)
> php5-intl:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> End-Date: 2014-06-05  10:00:58
> 
> (I'm on Debian Jessie btw)
> 
> Kind regards,
> 
> Bart


-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
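
The UPGRADING note quoted above mentions call-time SSL context options. The following is an added example, not part of the original message and not Roundcube or PHP project code: a PHP 5.6+ function that keeps peer verification on, optionally points the connection at a specific CA file, and records the warnings that an `@` prefix would hide. The function name `connect_verified` and the command-line arguments are assumptions made for illustration.

```php
<?php
// Added example (assumed names: connect_verified(), CLI argument order).

/**
 * Connect with peer verification on; returns array(stream|false, diagnostics).
 */
function connect_verified($host, $port, $caFile = null, $timeout = 10)
{
    $ssl = array(
        'verify_peer'      => true,  // default since PHP 5.6, kept explicit
        'verify_peer_name' => true,
        'peer_name'        => $host, // name the certificate must match
    );
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile;    // call-time override of the system store
    }
    $ctx = stream_context_create(array('ssl' => $ssl));

    // Collect warnings instead of hiding them with "@", so the OpenSSL
    // reason ("certificate verify failed") is not lost.
    $warnings = array();
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr,
                               $timeout, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();

    $diag = array('errno' => $errno, 'errstr' => $errstr, 'warnings' => $warnings);
    if ($fp === false) {
        // Where PHP/OpenSSL look for trust anchors when none is given.
        $loc = openssl_get_cert_locations();
        foreach (array('default_cert_file', 'default_cert_dir',
                       'ini_cafile', 'ini_capath') as $key) {
            $diag[$key] = $loc[$key];
        }
    }
    return array($fp, $diag);
}

// Usage: php check.php localhost 993 [/path/to/ca-bundle.pem]
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    list($fp, $diag) = connect_verified($argv[1], (int) $argv[2],
                                        isset($argv[3]) ? $argv[3] : null);
    echo $fp ? "TLS handshake and certificate verification OK\n"
             : "Connection failed:\n" . print_r($diag, true);
    if ($fp) { fclose($fp); }
}
```

On failure the diagnostics show both the verification warning and the trust-store locations PHP consulted, which is the information needed to decide whether ca-certificates or the server's own CA is missing.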


