add OpenSSL version check

Question

add OpenSSL version check

Closed this issue 7 years ago · 11 comments

Could it be that something has changed on contao.org regarding the SSL connection? There are some reports on the forum (well, two), that people cannot connect to the Extension Repository all of a sudden, i.e. a connection to https://contao.org/services/repository.wsdl fails.

In one case it appears that the OpenSSL of the server environment is now too old and the connection fails with the following error:

SSL operation failed with code 1. OpenSSL Error messages:
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

In this case the OpenSSL version was 0.9.8o.

May be the checks for the live update and the extension repository should also check for a minimum OpenSSL version? Not sure what version that should be though.

Answer 1 · 2016-11-17T09:37:43.000Z

I rather think that the OpenSSL version is too old to handle SNI certificates.

Answer 2 · 2016-11-17T09:59:43.000Z

Hm, according to Wikipedia, SNI support was first added in version 0.9.8f in 2007.

Answer 3 · 2016-11-17T10:03:46.000Z

In another case where the connection to https://contao.org/services/repository.wsdl fails, the reported OpenSSL Version is

OpenSSL Library Version: OpenSSL 0.9.8zg 11 Jun 2015
OpenSSL Header Version: OpenSSL 0.9.8y 5 Feb 2013

Answer 4 · 2016-11-17T10:08:13.000Z

Did the two reporters purge the WSDL cache?

Answer 5 · 2016-11-17T10:14:06.000Z

I'll ask, but I doubt they have access to the WSDL cache directly.

Another report just came in, with the same error message as in the original post: https://community.contao.org/de/showthread.php?64639-Webhoster-OVH

Answer 6 · 2016-11-17T16:27:51.000Z

the error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm clearly states that the two peers could not decide a common algorithm to use.

contao.org supports the following algorithms:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA

You need a local openSSL version capable of at least ONE of the above.

Answer 7 · 2016-11-17T16:34:40.000Z

Do you happen to know which OpenSSL version supports at least one of these?

Answer 8 · 2016-11-17T16:50:48.000Z

Nope and availability additionally depends on the configuration of OpenSSL as the admin might disable algorithms considered insecure prior removal (or disabling by default) from OpenSSL.

So there is no general rule of thumb when any is available but chances are pretty high that at least one is available when staying within an upgrade window of 2 years (but I strongly advise anyone to stay bleeding edge in cases of events like heartbleed and the like).

Answer 9 · 2016-11-17T16:53:41.000Z

I see. Then I guess it makes no sense to check for the OpenSSL version. May be updating the error text from

Maybe the request has been blocked by a firewall. Please contact your server administrator.

to

Maybe the request has been blocked by a firewall or the OpenSSL version is too old. Please contact your server administrator.

is a better idea then.

Answer 10 · 2016-11-17T17:06:26.000Z

This is a valid argument I could agree on. @leofeyer what do you think?

Answer 11 · 2016-11-18T10:26:43.000Z

Fine with me.