[php-maint] Debian bug #750890 might be caused by PHP5.6 instead of Roundcube
Ondřej Surý
ondrej at sury.org
Tue Jun 10 12:14:55 UTC 2014
Control: reassing -1 src:php5
Control: severity -1 normal
Control: retitle -1 UPGRADING document missing in php5-common
Hi,
if you uncomment the @fsockopen in the affected code you would see:
[10-Jun-2014 11:58:55 UTC] PHP Warning: fsockopen(): SSL operation
failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed in
/usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on
line 746
[10-Jun-2014 11:58:55 UTC] PHP Warning: fsockopen(): Failed to enable
crypto in
/usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on
line 746
[10-Jun-2014 11:58:55 UTC] PHP Warning: fsockopen(): unable to connect
to ssl://localhost:993 (Unknown error) in
/usr/share/roundcube/program/lib/Roundcube/rcube_imap_generic.php on
line 746
[10-Jun-2014 11:58:55 +0000]: IMAP Error: Login failed for
user at localhost from 2001:1488:fffe:6:11a6:2588:8dda:226c. Could not
connect to ssl://localhost:993: Unknown reason (fsockopen() function
disabled?) in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php
on line 184 (POST /roundcube/?_task=login&_action=login)
Either install ca-certificates or properly install your server
certificate (or used CA) into /etc/ssl/certs/
More information can be found in the UPGRADING document in the sources:
> - OpenSSL:
> To prevent man-in-the-middle attacks against encrypted transfers client
> streams now verify peer certificates by default. Previous versions
> required users to manually enable peer verification. As a result of this
> change, existing code using ssl:// or tls:// stream wrappers (e.g.
> file_get_contents(), fsockopen(), stream_socket_client()) may no longer
> connect successfully without manually disabling peer verification via the
> stream context's "verify_peer" setting. Encrypted transfers delegate to
> operating system certificate stores by default if not overridden via the
> new openssl.cafile and openssl.cafile ini directives or via call-time SSL
> context options, so most users should be unaffected by this transparent
> security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
O.
On Mon, Jun 9, 2014, at 15:21, Bart Champagne wrote:
> My reason for suspecting a PHP bug :
> Horde is also affected by the latest PHP packages upgrade, so I'm
> calling this a bug in PHP5.6 and not in Roundcube or Horde.
>
> SSL/TLS auth turned sour after the following apt-get upgrade :
>
> Start-Date: 2014-06-05 10:00:36
> Commandline: apt-get upgrade
> Upgrade:
> php5-xmlrpc:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-sqlite:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-mongo:amd64 (1.4.5-2, 1.4.5-2+b1)
> php5-geoip:amd64 (1.1.0-1, 1.1.0-1+b1)
> libapache2-mod-php5:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-mysql:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-apcu:amd64 (4.0.4-1, 4.0.4-2)
> php5-ldap:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php-horde-lz4:amd64 (1.0.3-1, 1.0.3-1+b1)
> php5-common:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-curl:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-raphf:amd64 (1.0.4-1, 1.0.4-1+b1)
> php5-mcrypt:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-sasl:amd64 (0.1.0-3, 0.1.0-3+b1)
> php5-tidy:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-readline:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-memcache:amd64 (3.0.8-4, 3.0.8-4+b1)
> libmagickwand5:amd64 (6.7.7.10+dfsg-1, 6.7.7.10+dfsg-3)
> php5-xdebug:amd64 (2.2.4-1, 2.2.4-1+b1)
> php5-cli:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-propro:amd64 (1.0.0-1, 1.0.0-1+b1)
> php5-pecl-http:amd64 (2.0.4-1, 2.0.4-1+b1)
> php5-json:amd64 (1.3.5-1, 1.3.5-2)
> php5-imap:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php-pear:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> libmagickcore5:amd64 (6.7.7.10+dfsg-1, 6.7.7.10+dfsg-3)
> php5-pspell:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> imagemagick-common:amd64 (6.7.7.10+dfsg-1, 6.7.7.10+dfsg-3)
> php5-gd:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> php5-imagick:amd64 (3.1.2-1, 3.1.2-1+b1)
> php5-intl:amd64 (5.5.12+dfsg-2, 5.6.0~beta3+dfsg-2)
> End-Date: 2014-06-05 10:00:58
>
> (I'm on Debian Jessie btw)
>
> Kind regards,
>
> Bart
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
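
Added example, not part of the original message and not Roundcube or PHP project code: a PHP 5.6+ probe that surfaces the warnings hidden by @fsockopen() and connects with peer verification left on, using an explicit trust anchor. The function name tls_probe, the host and port (taken from the log above) and the Debian capath are assumptions.

```php
<?php
// Added example: diagnose "certificate verify failed" on an IMAPS endpoint
// while keeping PHP 5.6's default peer verification enabled.

function tls_probe($host, $port, array $sslOptions)
{
    $ctx = stream_context_create(array('ssl' => $sslOptions));
    $warnings = array();
    // Collect the warnings that a leading @ on fsockopen() would suppress.
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($fp === false) {
        return array('ok' => false, 'errors' => $warnings);
    }
    // capture_peer_cert stores the server certificate in the context options.
    $params = stream_context_get_params($fp);
    fclose($fp);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    return array('ok' => true, 'subject' => $cert['subject'],
                 'issuer' => $cert['issuer']);
}

$host = 'localhost';   // assumption: endpoint from the log in this message
$port = 993;

// Where this PHP build looks for CA certificates by default.
print_r(openssl_get_cert_locations());

$options = array(
    'verify_peer'       => true,             // keep the 5.6 default
    'verify_peer_name'  => true,
    'peer_name'         => $host,            // name the certificate must match
    'capath'            => '/etc/ssl/certs', // assumption: Debian hashed CA dir
    'capture_peer_cert' => true,
    // For a private CA or self-signed server certificate, trust that file
    // instead of disabling verification (placeholder path):
    // 'cafile' => '/path/to/your-ca.pem',
);

$result = tls_probe($host, $port, $options);
print_r($result);
exit($result['ok'] ? 0 : 1);
```

A failed run prints the same OpenSSL messages as the log above. A certificate issued for a different name than the one used to connect also fails, on the peer-name check.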