contao/check

add OpenSSL version check

fritzmg opened this issue · 11 comments

Could it be that something has changed on contao.org regarding the SSL connection? There are some reports on the forum (well, two), that people cannot connect to the Extension Repository all of a sudden, i.e. a connection to https://contao.org/services/repository.wsdl fails.

In one case it appears that the OpenSSL of the server environment is now too old and the connection fails with the following error:

SSL operation failed with code 1. OpenSSL Error messages:
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

In this case the OpenSSL version was 0.9.8o.

May be the checks for the live update and the extension repository should also check for a minimum OpenSSL version? Not sure what version that should be though.

I rather think that the OpenSSL version is too old to handle SNI certificates.

Hm, according to Wikipedia, SNI support was first added in version 0.9.8f in 2007.

In another case where the connection to https://contao.org/services/repository.wsdl fails, the reported OpenSSL Version is

OpenSSL Library Version: OpenSSL 0.9.8zg 11 Jun 2015
OpenSSL Header Version: OpenSSL 0.9.8y 5 Feb 2013

Did the two reporters purge the WSDL cache?

I'll ask, but I doubt they have access to the WSDL cache directly.

Another report just came in, with the same error message as in the original post: https://community.contao.org/de/showthread.php?64639-Webhoster-OVH

the error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm clearly states that the two peers could not decide a common algorithm to use.

contao.org supports the following algorithms:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • ECDHE-RSA-DES-CBC3-SHA
  • DES-CBC3-SHA

You need a local openSSL version capable of at least ONE of the above.

Do you happen to know which OpenSSL version supports at least one of these?

Nope and availability additionally depends on the configuration of OpenSSL as the admin might disable algorithms considered insecure prior removal (or disabling by default) from OpenSSL.

So there is no general rule of thumb when any is available but chances are pretty high that at least one is available when staying within an upgrade window of 2 years (but I strongly advise anyone to stay bleeding edge in cases of events like heartbleed and the like).

I see. Then I guess it makes no sense to check for the OpenSSL version. May be updating the error text from

Maybe the request has been blocked by a firewall. Please contact your server administrator.

to

Maybe the request has been blocked by a firewall or the OpenSSL version is too old. Please contact your server administrator.

is a better idea then.

This is a valid argument I could agree on. @leofeyer what do you think?

Fine with me.