I am attempting to use composer.phar on a server with RHEL6.
Installation details:
curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
PHP 5.4.16 Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
My composer.json looks like this:
{
    "name": "zendframework/skeleton-application",
    "description": "Skeleton Application for ZF2",
    "keywords": [
        "framework",
        "zf2"
    ],
    "homepage": "https://something.com/",
    "require": {
        "php": ">=5.3.3",
        "zendframework/zendframework": "2.*"
    }
}
Running php composer.phar update results in:
Loading composer repositories with package information
Updating dependencies (including require-dev)
- Installing zendframework/zendframework (2.2.5)
Downloading: 100%
Downloading: 100%
Downloading: 100%
[Composer\Downloader\TransportException]
The "https://api.github.com/repos/zendframework/zf2/zipball/4a7cf6a4cf791244e14aa0ca49d1f06916b63202" file could not be downloaded: SSL: Connection reset by peer
Failed to enable crypto
failed to open stream: operation failed
Next step was to attempt curl:
$ curl -vvv "https://api.github.com/repos/zendframework/zf2/zipball/4a7cf6a4cf791244e14aa0ca49d1f06916b63202"
* About to connect() to api.github.com port 443 (#0)
* Trying 192.30.252.139... connected
* Connected to api.github.com (192.30.252.139) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5961
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
Forcing SSLV3 works:
curl -3 -vvv "https://api.github.com/repos/zendframework/zf2/zipball/4a7cf6a4cf791244e14aa0ca49d1f06916b63202"
* About to connect() to api.github.com port 443 (#0)
* Trying 192.30.252.138... connected
* Connected to api.github.com (192.30.252.138) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: CN=*.github.com,O="GitHub, Inc.",L=San Francisco,ST=California,C=US
* start date: Apr 30 00:00:00 2012 GMT
* expire date: Jul 09 12:00:00 2014 GMT
* common name: *.github.com
* issuer: CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET /repos/zendframework/zf2/zipball/4a7cf6a4cf791244e14aa0ca49d1f06916b63202 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: api.github.com
Has anyone encountered this issue with composer.phar, and overcome it (and will share his/her solution :-) )? I know composer uses PHP's file_get_contents().
Not the best solution, but for the sake of time, I worked around the problem. I took the URL from the error output:
https://api.github.com/repos/zendframework/zf2/zipball/4a7cf6a4cf791244e14aa0ca49d1f06916b63202
I plugged it into a browser on my Windows-based workstation. On the RHEL6 box, in the home directory of the user that is using composer, there is a .composer directory. I placed the downloaded zip file in this directory:
/home/composeruser/.composer/cache/files/zendframework/zendframework
I then had to rename the zip file to what was called for in the URL (adding the zip extension):
/home/composeruser/.composer/cache/files/zendframework/zendframework/4a7cf6a4cf791244e14aa0ca49d1f06916b63202.zip
The next time composer was run, it used the cached file, and moved on. If anyone comes up with a way to avoid pre-caching the files on a RHEL6 box with NSS, let me know.
Related
I have a PHP script that quickly sends a bunch of requests to the Apple API (APNs). Sometimes 10k requests are sent totally fine (just for the record, it takes ~30sec). However, when the API returns some non-200 codes, establishing new connections to this API throws the following error:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.push.apple.com:443
With the debug mode enabled I get strange results:
When everything is fine:
* Found bundle for host api.push.apple.com: 0x55eba8b11660 [serially]
* Found bundle for host api.push.apple.com: 0x55eba8b11660 [serially]
* Trying 17.188.140.151...
* TCP_NODELAY set
* Hostname 'api.push.apple.com' was found in DNS cache
* Trying 17.188.140.151...
...
...
(full output is here).
After the issue happened:
* Found bundle for host api.push.apple.com: 0x561d83bb1f00 [serially]
* Server doesn't support multiplex (yet)
* Connection #0 is still name resolving, can't reuse
* Found bundle for host api.push.apple.com: 0x561d83bb1f00 [serially]
* Server doesn't support multiplex (yet)
* Connection #0 is still name resolving, can't reuse
* Connection #1 is still name resolving, can't reuse
* Trying 17.188.156.30:443...
* TCP_NODELAY set
* Hostname 'api.push.apple.com' was found in DNS cache
* Trying 17.188.156.30:443...
...
...
(full output is here).
So the IP is changed and something about multiplexing.
After it happens, sending requests to this API using the cli curl also stops working:
$ curl -v -I https://api.push.apple.com
* Trying 17.188.156.30:443...
* TCP_NODELAY set
* Connected to api.push.apple.com (17.188.156.30) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.push.apple.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.push.apple.com:443
(full output is here).
The error may disappear after a few minutes, may not. The code runs in a docker container (php:7.3-cli-alpine), restarting the container usually resets the issue until some future requests get non-200 codes. Performing restarts isn't an option.
Presumably, curl somehow stores opened connections and tries to re-use them, but for some reason something is broken inside the curl and it doesn't allow curl to correctly re-use the connections.
While curl stops working, openssl works fine:
$ openssl s_client -connect api.push.apple.com:443
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Software versions:
$ curl --version
curl 7.67.0 (x86_64-alpine-linux-musl) libcurl/7.67.0 OpenSSL/1.1.1d zlib/1.2.11 nghttp2/1.40.0
Release-Date: 2019-11-06
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
Looks like a curl issue, but how to fix it?
Any help will be appreciated
Just in case it's helpful to you or someone else, the "one error breaks things for a long time" nature of this (and the re-use of Curl connections) reminded me a bit of the Curl bug:
https://github.com/curl/curl/issues/3966
Not sure whether the fix for that is in your Curl version though - from the date it might well be.
This problem seems to be common, and I've been through a lot of SO posts related to it and nothing works, and I'm going crazy. What's weird is that it was working perfectly a few weeks ago, and I didn't install anything new in months...
Setup:
PHP 7.1.9
WAMPSERVER 3.1.0
APACHE 2.4.27
Composer 1.6.5 (latest)
I'm not behind a proxy & no firewall
Windows 10
What works:
composer self-update
What does not work:
Installing a package
I cannot reach https://packagist.org/ with Firefox 61.0.1 (64-bit) (insecure connection: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT)
The error I get with composer require:
[Composer\Downloader\TransportException]
The "https://packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
php -r "var_dump(openssl_get_cert_locations());" returns this:
array(8) {
["default_cert_file"]=>
string(25) "c:/usr/local/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(22) "c:/usr/local/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(24) "c:/usr/local/ssl/private"
["default_default_cert_area"]=>
string(16) "c:/usr/local/ssl"
["ini_cafile"]=>
string(51) "C:/wamp64/bin/php/php7.1.9/extras/ssl/ca-bundle.crt"
["ini_capath"]=>
string(0) ""
}
I've downloaded the ca-bundle.crt and added it to my php.ini file :
curl.cainfo=C:/wamp64/bin/php/php7.1.9/extras/ssl/ca-bundle.crt
openssl.cafile=C:/wamp64/bin/php/php7.1.9/extras/ssl/ca-bundle.crt
composer diagnose returns this:
Checking composer.json: OK
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: WARNING
[Composer\Downloader\TransportException] The "http://packagist.org/packages.json" file could not be downloaded (HTTP/1.1 404 Not Found)
Checking https connectivity to packagist: WARNING
[Composer\Downloader\TransportException] The "https://packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: OK
Checking composer version: OK
Composer version: 1.6.5
PHP version: 7.1.9
PHP binary path: C:\wamp64\bin\php\php7.1.9\php.exe
composer show -p -vvv | grep ssl returns this:
Reading ./composer.json
Loading config file ./composer.json
Checked CA file C:\wamp64\bin\php\php7.1.9\extras\ssl\ca-bundle.crt: valid
Executing command (C:\wamp64\www\projectName): git branch --no-color --no-abbrev -v
Failed to initialize global composer: Composer could not find the config file: C:/Users/********/AppData/Roaming/Composer/composer.json
To initialize a project, please create a composer.json file as described in the https://getcomposer.org/ "Getting Started" section
Reading C:\wamp64\www\projectName/vendor/composer/installed.json
Loading plugin PackageVersions\Installer
Loading plugin Symfony\Flex\Flex
Composer >=1.7 not found, downloads will happen in sequence
Running 1.6.5 (2018-05-04 11:44:59) with PHP 7.1.9 on Windows NT / 10.0
ext-openssl 7.1.9 The openssl PHP extension
lib-openssl 1.0.2.11 OpenSSL 1.0.2k 26 Jan 2017
php --ini:
Configuration File (php.ini) Path: C:\WINDOWS
Loaded Configuration File: C:\wamp64\bin\php\php7.1.9\php.ini
Scan for additional .ini files in: (none)
Additional .ini files parsed: (none)
EDIT 1
- Tried emptying the cache
- Other web browsers (Chrome, Edge): didn't work
- Another computer on the same network --> it works
EDIT 2
- Created a new Windows user: didn't work
EDIT 3
- I can reach https://repo.packagist.org/ as suggested by #kallosz
- curl gives me this:
curl -vvv https://packagist.org/
* Trying 144.217.203.53...
* TCP_NODELAY set
* Connected to packagist.org (144.217.203.53) port 443 (#0)
* schannel: SSL/TLS connection with packagist.org port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 178 bytes...
* schannel: sent initial handshake data: sent 178 bytes
* schannel: SSL/TLS connection with packagist.org port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with packagist.org port 443 (step 2/3)
* schannel: encrypted data got 1462
* schannel: encrypted data buffer: offset 1462 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - La chaîne de certificats a été fournie par une autorité qui n'est pas approuvée.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with packagist.org port 443
* schannel: clear security context handle
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325)
Try
composer config disable-tls true
composer config secure-http false
you can also change composer config repositories.packagist.org.url to https?://repo.packagist.org.
I had to change the global config file
C:\Users\USERNAME\AppData\Roaming\Composer\config.json
to this:
{
    "config": {
        "disable-tls": true,
        "secure-http": false
    },
    "repositories": [
        {
            "type": "composer",
            "url": "http://repo.packagist.org"
        }
    ]
}
I had to reinstall the cURL development libraries on Ubuntu, i.e. replace the NSS flavor with the OpenSSL one:
sudo apt install -y libcurl4-openssl-dev
Rebuilding PHP with phpbrew then resulted in libcurl being enabled with the appropriate library, which, in turn, recognized the CA certificate bundle correctly, pointing to the right location.
I have a valid wildcard CA Certificate for my sites:
myapp.example.com
qamyapp.example.com
I need to consume a REST service using PHP 5.6 curl.
When I try to execute PHP curl calling qamyapp.example.com, it shows the following error:
* Trying xx.xxx.xxx.xx...
* Connected to qamyapp.example.com (xx.xxx.xxx.xx) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
But when curl calls myapp.example.com, it works fine.
How can I update the ca-certificates.crt file?
I have found the solution. On the qamyapp.example.com server, it is necessary to concatenate the content of the bundle.crt file into the certificate.crt file for Nginx.
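The verification failures in this thread ("certificate verify failed" on the WAMP box, "unable to get local issuer certificate" here, and the handshake errors behind Composer's file_get_contents() on the RHEL6 box) all surface through PHP's OpenSSL stream layer, and the messages alone do not say whether the server omitted its intermediate CA or the client is trusting the wrong root. The diagnostic below is an added example, not code from any of the posts above: it makes the same handshake the https:// wrapper makes, with verification on, and on failure re-handshakes without trust solely to report the chain the server actually presented. It assumes PHP 5.6+; the host name and CA bundle path are placeholders.

```php
<?php
// Added diagnostic, not code from any of the posts above. Does the handshake
// PHP's https:// stream wrapper (and so Composer's file_get_contents()) does,
// verified first; on failure, a second unverified handshake only reads the chain.
// Assumes PHP 5.6+; host and CA bundle path are placeholder assumptions.

function tls_handshake($host, $port, $verify, $cafile = null)
{
    $ssl = array(
        'verify_peer'             => $verify,
        'verify_peer_name'        => $verify,
        'peer_name'               => $host,   // SNI + hostname check
        'capture_peer_cert_chain' => true,
    );
    if ($cafile !== null) {
        $ssl['cafile'] = $cafile;             // same effect as openssl.cafile in php.ini
    }
    $ctx = stream_context_create(array('ssl' => $ssl));
    // Collect every warning OpenSSL raises; the last one alone is just "unable to connect".
    $errors = array();
    set_error_handler(function ($no, $msg) use (&$errors) { $errors[] = $msg; return true; });
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($fp === false) {
        return array('ok' => false, 'error' => implode(' | ', $errors), 'chain' => array());
    }
    fclose($fp);
    $chain = array();
    $opts  = stream_context_get_options($ctx);
    foreach ($opts['ssl']['peer_certificate_chain'] as $cert) {
        $p = openssl_x509_parse($cert);
        $chain[] = array(
            'subject'     => $p['name'],
            'issuer'      => isset($p['issuer']['CN']) ? $p['issuer']['CN'] : '?',
            'self_signed' => $p['subject'] == $p['issuer'],
        );
    }
    return array('ok' => true, 'error' => null, 'chain' => $chain);
}

function tls_diagnose($host, $port = 443, $cafile = null)
{
    $r = tls_handshake($host, $port, true, $cafile);
    if (!$r['ok']) {
        $peek = tls_handshake($host, $port, false);   // inspect only, do not trust
        $r['chain'] = $peek['chain'];
        // Only a non-self-signed leaf: the server omitted its intermediate CA.
        $r['missing_intermediate'] = count($peek['chain']) === 1 && !$peek['chain'][0]['self_signed'];
    }
    return $r;
}

print_r(tls_diagnose('qamyapp.example.com', 443, '/etc/ssl/certs/ca-certificates.crt'));
```

If the reported issuer is not the public CA you expect but a proxy or endpoint-security CA, the problem is TLS interception on the client rather than the server's bundle, and the fix is trusting (or removing) that root, not disabling verification.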
I have been fighting this issue for a while and cannot seem to get it right. To preface, this is my first experience having to work with SSL. The server I am working on is using PHP 5.6.30 and Laravel 5.1.46, and I'm trying to use GuzzleHttp 6.2.3 to post JSON to a third party. Up until now, I've been disabling ssl verification by specifying 'verify' => false within the client, and have been able to get successful responses. The third party provided me with a certificate to use, and gave me both .pem and .cer formats. They stated the certificate is not password protected since it is the public key. According to GuzzleHttp's documentation, my request should look like this:
$response = $client->request('POST', $endpoint, [
    'cert' => '/path/to/new/cert.pem',
    'headers' => [
        'Content-type' => 'application/json'
    ],
    'body' => $request_body,
    'connect_timeout' => 5,
]);
I cannot connect using this method, and unfortunately I can't get the low level error detail due to the design of the server I'm working on (it's a large pre-existing codebase I'm having to update, it will hopefully eventually be completely rewritten).
In order to get more detail, I decided to send the request using cURL. First I sent the request without the certificate:
// REQUEST
curl -v -H "Content-Type: application/json" -X POST -d '{"some_json_request": "value"}' https://sometargeturl.com:8443/dosomething
// OUTPUT
* Trying 204.71.178.10...
* TCP_NODELAY set
* Connected to sometargeturl.com (204.71.178.10) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=sometargeturl.com,OU=OU,O="Some Company Name, Inc",L=Pleasanton,ST=California,C=US
* start date: May 13 00:00:00 2016 GMT
* expire date: May 14 23:59:59 2018 GMT
* common name: sometargeturl.com
* issuer: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
Then, with the certificate:
// REQUEST
curl -v --cert /path/to/the/cert.pem -H "Content-Type: application/json" -X POST -d '{"some_json_request": "value"}' https://sometargeturl.com:8443/dosomething
// OUTPUT
* Trying 204.71.178.10...
* TCP_NODELAY set
* Connected to sometargeturl.com (204.71.178.10) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Curl_http_done: called premature == 0
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
I've done a ton of research and have not been able to find a solution. I'm really just unsure of next steps at this point. I ultimately will need to use GuzzleHttp to send the request, but I don't know what I'm missing. I have read about adding the new cert to an existing CA bundle, however I'm not sure if that is the right solution/how I would do that if so. Any help would be appreciated, thanks!
What are you exactly trying to do?
Verifying the remote server certificate with 'verify' => true?
Authenticating yourself by presenting your certificate to the remote?
That being said, your curl is compiled against NSS and not OpenSSL.
The NSS error -8178 (SEC_ERROR_BAD_KEY) comes from NSS, which does not support providing the private key as a file.
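The following is an added example, not the poster's or Guzzle's own code, separating the two options the question conflates: 'verify' takes the CA bundle used to validate the server's certificate (the thing the "issuer is not recognized" error is about), while 'cert' presents a client certificate, which must include its private key. It also captures curl's verbose log and the handler's errno/error text, the low-level detail the poster could not get from the application; paths and the endpoint are placeholders.

```php
<?php
// Added example, not code from the question or from Guzzle. 'verify' = CA bundle
// for validating the SERVER; 'cert' = client cert + key presented BY US.
// Endpoint, bundle path and client cert path are placeholder assumptions.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

function post_json_verified($endpoint, array $payload, $ca_bundle, $client_cert = null)
{
    $client = new Client(array('connect_timeout' => 5, 'timeout' => 15));
    $debug  = fopen('php://temp', 'w+');      // receives curl's verbose handshake log

    $options = array(
        'json'   => $payload,                 // encodes the body and sets Content-Type
        'verify' => $ca_bundle,               // validate the server against this bundle
        'debug'  => $debug,
    );
    // Only when the third party expects YOU to authenticate with a certificate.
    // The PEM must contain the certificate AND its private key; a public
    // certificate alone gives "unable to load client key" as in the question.
    if ($client_cert !== null) {
        $options['cert'] = $client_cert;      // or array($path, $passphrase)
    }

    try {
        $res    = $client->request('POST', $endpoint, $options);
        $result = array('status' => $res->getStatusCode(), 'body' => (string) $res->getBody());
    } catch (RequestException $e) {
        // ConnectException extends RequestException; the handler context carries
        // curl's errno/error text (e.g. code 60, issuer not recognized).
        $ctx    = $e->getHandlerContext();
        $result = array(
            'status' => null,
            'error'  => $e->getMessage(),
            'curl'   => isset($ctx['error']) ? $ctx['error'] : null,
        );
    }
    rewind($debug);
    $result['debug'] = stream_get_contents($debug);  // grep for "SSL certificate problem"
    fclose($debug);
    return $result;
}

$r = post_json_verified('https://sometargeturl.com:8443/dosomething',
                        array('some_json_request' => 'value'),
                        '/etc/pki/tls/certs/ca-bundle.crt');
echo $r['status'] === null ? "FAILED: {$r['error']}\n" : "HTTP {$r['status']}\n";
```

If the verified call still fails with "issuer is not recognized", the bundle passed to 'verify' lacks the issuing CA and the remedy is to add that CA (the .pem the third party sent, if it is a CA certificate) to a copy of the bundle, not to go back to 'verify' => false.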
I am trying to get the version of TLS which is currently used when invoking the URL.
I'm trying to get the tls version from php curl like the command curl in Ubuntu.
for example:
curl -v https://qpyl.uas-gw.info
* Rebuilt URL to: https://qpyl.uas-gw.info/
* Trying 54.199.158.6...
* Connected to qpyl.uas-gw.info (54.199.158.6) port 443 (#0)
* found 1 certificates in ca.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
like this, to show the TLS version result.
But I cannot get the version in PHP curl like the above curl does:
SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
php openssl version: openssl/1.0.2g
php version: 5.5.38.
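PHP's curl extension has no curl_getinfo() field for the negotiated protocol, so the usual way is to route curl's verbose log (the same text curl -v prints) into a stream via CURLOPT_STDERR and extract the "SSL connection using" line. The block below is an added example, not the poster's code; it uses the URL from the question and also handles the NSS-style line, which prints only the cipher suite (as in the RHEL6 output earlier on this page), an assumption based on that log.

```php
<?php
// Added example, not code from the question. Captures curl's verbose log with
// CURLOPT_STDERR and parses the negotiated protocol/cipher out of it.
// Works on PHP 5.5 (the poster's version); the URL is the one from the question.

function curl_tls_info($url)
{
    $log = fopen('php://temp', 'w+');
    $ch  = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_NOBODY         => true,   // handshake plus HEAD is enough
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keep verification on while diagnosing
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,   // verbose output lands here, not on stderr
        CURLOPT_CONNECTTIMEOUT => 10,
    ));
    curl_exec($ch);
    $info = array(
        'curl_errno'   => curl_errno($ch),
        'curl_error'   => curl_error($ch),
        'verifyresult' => curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT), // 0 = chain verified
    );
    curl_close($ch);
    rewind($log);
    $text = stream_get_contents($log);
    fclose($log);
    $info += parse_tls_line($text);
    return $info;
}

// The line depends on curl's TLS backend: GnuTLS prints "TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384",
// OpenSSL "TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384", and NSS only the suite
// ("SSL_RSA_WITH_RC4_128_SHA", as in the RHEL6 log above), so both shapes are matched.
function parse_tls_line($verbose)
{
    if (preg_match('~SSL connection using (\S+)\s*/\s*(\S+)~', $verbose, $m)) {
        return array('protocol' => $m[1], 'cipher' => $m[2]);
    }
    if (preg_match('~SSL connection using (\S+)~', $verbose, $m)) {
        return array('protocol' => null, 'cipher' => $m[1]);   // NSS-style, suite only
    }
    return array('protocol' => null, 'cipher' => null);
}

print_r(curl_tls_info('https://qpyl.uas-gw.info'));
```

A protocol of SSLv3 or TLS1.0 in the result, or a cipher such as RC4, is the finding worth acting on: pin a floor with CURLOPT_SSLVERSION (e.g. CURL_SSLVERSION_TLSv1_2) rather than relying on whatever the backend negotiates by default.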