cPanel / CentOS update break SOAP SSL

Discussion in 'General Discussion' started by tizoo, Dec 3, 2013.

  1. tizoo

    tizoo Well-Known Member

    Hi all,

    We use cPanel/WHM 11.40.0 (build 26).

    During the last update yesterday morning many packages were updated, and since then it is no longer possible to make a SOAP connection using SSL.

    The problem occurs in our plugin but also from a simple web site on the server. And as everything works without problem when the request comes from another server (non-cPanel), we think the problem is due to one or more of the package updates.

    The problem is not related to the firewall and occurs whatever the PHP version is (5.3.? or 5.4.?, built with the EasyApache script).

    The returned exception just tells us that the connection was not possible.

    Does anyone have an idea of the source of this problem?

    Thanks in advance for any tips.

    Cheers,
    Philippe

    Returned exception:

    Code:
    [Authentication EXCEPTION] => SoapFault Object
    (
        [message:protected] => Could not connect to host
        [string:Exception:private] => 
        [code:protected] => 0
        [file:protected] => /home/tizoobe/public_html/index.php
        [line:protected] => 21
        [trace:Exception:private] => Array
            (
                [0] => Array
                    (
                        [function] => __doRequest
                        [class] => SoapClient
                        [type] => ->
                        [args] => Array
                            (
                                [0] => <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ns1="urn:zimbraAdmin" xmlns:ns2="urn:zimbra"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><name>XXXXX</name><password>XXXXX</password></ns1:AuthRequest></env:Body></env:Envelope>
                                [1] => https://zimbra.tizoo.net:7071/service/admin/soap/
                                [2] => urn:zimbraAdmin#AuthRequest
                                [3] => 2
                                [4] => 0
                            )
                    )
                [1] => Array
                    (
                        [file] => /home/tizoobe/public_html/index.php
                        [line] => 21
                        [function] => __soapCall
                        [class] => SoapClient
                        [type] => ->
                        [args] => Array
                            (
                                [0] => AuthRequest
                                [1] => Array
                                    (
                                        [0] => SoapParam Object
                                            (
                                                [param_name] => name
                                                [param_data] => XXXX
                                            )
                                        [1] => SoapParam Object
                                            (
                                                [param_name] => password
                                                [param_data] => XXXX
                                            )
                                    )
                                [2] => 
                                [3] => SoapHeader Object
                                    (
                                        [namespace] => urn:zimbra
                                        [name] => context
                                        [mustUnderstand] => 
                                    )
                            )
                    )
            )
        [previous:Exception:private] => 
        [faultstring] => Could not connect to host
        [faultcode] => HTTP
    )
    
    List of the updated packages:

    Code:
    Packages Installed:
        kernel-2.6.32-431.el6.x86_64
        lzo-2.03-3.1.el6.x86_64
        snappy-1.1.0-1.el6.x86_64
        perl-CGI-3.51-136.el6.x86_64
        p11-kit-trust-0.18.5-2.el6.x86_64
        shared-mime-info-0.70-4.el6.x86_64
        p11-kit-0.18.5-2.el6.x86_64
     
     Packages Updated:
        libgcc-4.4.7-4.el6.i686
        openssh-server-5.3p1-94.el6.x86_64
        kexec-tools-2.0.0-273.el6.x86_64
        1:busybox-1.15.1-20.el6.x86_64
        policycoreutils-2.0.83-19.39.el6.x86_64
        libreport-python-2.0.9-19.el6.centos.x86_64
        nspr-4.10.0-1.el6.x86_64
        cvs-1.11.23-16.el6.x86_64
        lvm2-2.02.100-8.el6.x86_64
        libreport-2.0.9-19.el6.centos.x86_64
        1:perl-Module-Load-0.16-136.el6.x86_64
        setuptool-1.19.9-4.el6.x86_64
        pam-devel-1.1.1-17.el6.x86_64
        1:perl-ExtUtils-CBuilder-0.27-136.el6.x86_64
        libreport-plugin-rhtsupport-2.0.9-19.el6.centos.x86_64
        man-pages-overrides-6.5.2-1.el6.noarch
        ghostscript-devel-8.70-19.el6.x86_64
        1:perl-Archive-Extract-0.38-136.el6.x86_64
        libreport-plugin-mailx-2.0.9-19.el6.centos.x86_64
        nss-sysinit-3.15.1-15.el6.x86_64
        1:net-snmp-libs-5.5-49.el6.x86_64
        1:perl-ExtUtils-ParseXS-2.2003.0-136.el6.x86_64
        device-mapper-event-1.02.79-8.el6.x86_64
        1:perl-Locale-Maketext-Simple-0.18-136.el6.x86_64
        perl-File-Fetch-0.26-136.el6.x86_64
        coreutils-libs-8.4-31.el6.x86_64
        gcc-c++-4.4.7-4.el6.x86_64
        libreport-compat-2.0.9-19.el6.centos.x86_64
        libstdc++-4.4.7-4.el6.x86_64
        1:perl-Compress-Raw-Zlib-2.021-136.el6.x86_64
        perl-IO-Compress-Bzip2-2.021-136.el6.x86_64
        1:microcode_ctl-1.17-17.el6.x86_64
        perl-Term-UI-0.20-136.el6.x86_64
        ql2500-firmware-7.00.01-1.el6.noarch
        kernel-firmware-2.6.32-431.el6.noarch
        abrt-libs-2.0.8-21.el6.centos.x86_64
        libxml2-python-2.7.6-14.el6.x86_64
        libxml2-2.7.6-14.el6.x86_64
        python-tools-2.6.6-51.el6.x86_64
        bfa-firmware-3.2.21.1-2.el6.noarch
        hdparm-9.43-4.el6.x86_64
        dracut-kernel-004-336.el6_5.2.noarch
        libnl-1.1.4-2.el6.x86_64
        sudo-1.8.6p3-12.el6.x86_64
        e2fsprogs-devel-1.41.12-18.el6.x86_64
        glibc-devel-2.12-1.132.el6.i686
        grubby-7.0.15-5.el6.x86_64
        1:perl-IPC-Cmd-0.56-136.el6.x86_64
        perl-ExtUtils-MakeMaker-6.55-136.el6.x86_64
        cronie-1.4.4-12.el6.x86_64
        libdrm-2.4.45-2.el6.x86_64
        perl-IO-Compress-Base-2.021-136.el6.x86_64
        1:quota-3.17-20.el6.x86_64
        logrotate-3.7.8-17.el6.x86_64
        libblkid-2.17.2-12.14.el6.x86_64
        efibootmgr-0.5.4-11.el6.x86_64
        libreport-cli-2.0.9-19.el6.centos.x86_64
        1:perl-Object-Accessor-0.34-136.el6.x86_64
        abrt-addon-kerneloops-2.0.8-21.el6.centos.x86_64
        udev-147-2.51.el6.x86_64
        14:libpcap-1.4.0-1.20130826git2dbcaa1.el6.x86_64
        glibc-static-2.12-1.132.el6.x86_64
        atk-1.30.0-1.el6.x86_64
        libudev-147-2.51.el6.x86_64
        ftp-0.17-54.el6.x86_64
        libcom_err-1.41.12-18.el6.x86_64
        libgcc-4.4.7-4.el6.x86_64
        1:perl-Parse-CPAN-Meta-1.40-136.el6.x86_64
        libstdc++-devel-4.4.7-4.el6.x86_64
        rpm-python-4.8.0-37.el6.x86_64
        4:perl-5.10.1-136.el6.x86_64
        perl-IO-Compress-Zlib-2.021-136.el6.x86_64
        sysvinit-tools-2.87-5.dsf.el6.x86_64
        1:emacs-common-23.1-25.el6.x86_64
        coreutils-8.4-31.el6.x86_64
        perl-Socket6-0.23-4.el6.x86_64
        selinux-policy-3.7.19-231.el6.noarch
        libreport-plugin-kerneloops-2.0.9-19.el6.centos.x86_64
        xmlrpc-c-1.16.24-1210.1840.el6.x86_64
        kernel-headers-2.6.32-431.el6.x86_64
        e2fsprogs-1.41.12-18.el6.x86_64
        sos-2.2-47.el6.centos.noarch
        python-devel-2.6.6-51.el6.x86_64
        abrt-cli-2.0.8-21.el6.centos.x86_64
        libXcursor-1.1.13-6.20130524git8f677eaea.el6.x86_64
        selinux-policy-targeted-3.7.19-231.el6.noarch
        device-mapper-event-libs-1.02.79-8.el6.x86_64
        libuuid-2.17.2-12.14.el6.x86_64
        glibc-headers-2.12-1.132.el6.x86_64
        gtk2-2.20.1-4.el6.x86_64
        pam-1.1.1-17.el6.x86_64
        device-mapper-persistent-data-0.2.8-2.el6.x86_64
        glibc-devel-2.12-1.132.el6.x86_64
        iw-3.10-1.1.el6.x86_64
        1:emacs-23.1-25.el6.x86_64
        python-2.6.6-51.el6.x86_64
        1:perl-Params-Check-0.26-136.el6.x86_64
        openssl-1.0.1e-15.el6.x86_64
        1:readahead-1.5.6-2.el6.x86_64
        1:perl-Log-Message-0.02-136.el6.x86_64
        nss-3.15.1-15.el6.x86_64
        xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
        1:perl-Package-Constants-0.02-136.el6.x86_64
        util-linux-ng-2.17.2-12.14.el6.x86_64
        fprintd-pam-0.1-21.git04fd09cfa.el6.x86_64
        1:perl-Pod-Escapes-1.04-136.el6.x86_64
        libreport-plugin-reportuploader-2.0.9-19.el6.centos.x86_64
        nss-softokn-3.14.3-9.el6.x86_64
        lvm2-libs-2.02.100-8.el6.x86_64
        1:perl-Module-Pluggable-3.90-136.el6.x86_64
        1:perl-IO-Zlib-1.09-136.el6.x86_64
        glibc-common-2.12-1.132.el6.x86_64
        libgcj-4.4.7-4.el6.x86_64
        biosdevname-0.5.0-2.el6.x86_64
        nss-util-3.15.1-3.el6.x86_64
        abrt-addon-python-2.0.8-21.el6.centos.x86_64
        perl-Compress-Zlib-2.021-136.el6.x86_64
        glib2-2.26.1-3.el6.x86_64
        nss-tools-3.15.1-15.el6.x86_64
        ca-certificates-2013.1.94-65.0.el6.noarch
        logwatch-7.3.6-52.el6.noarch
        12:dhclient-4.1.1-38.P1.el6.centos.x86_64
        1:perl-Digest-SHA-5.47-136.el6.x86_64
        cronie-anacron-1.4.4-12.el6.x86_64
        initscripts-9.03.40-2.el6.centos.x86_64
        rpm-4.8.0-37.el6.x86_64
        ntpdate-4.2.6p5-1.el6.centos.x86_64
        1:grub-0.97-83.el6.x86_64
        cpp-4.4.7-4.el6.x86_64
        abrt-tui-2.0.8-21.el6.centos.x86_64
        numactl-2.0.7-8.el6.x86_64
        openssl-devel-1.0.1e-15.el6.x86_64
        systemtap-runtime-2.3-3.el6.x86_64
        ql2400-firmware-7.00.01-1.el6.noarch
        glibc-2.12-1.132.el6.x86_64
        sysstat-9.0.4-22.el6.x86_64
        iptables-1.4.7-11.el6.x86_64
        mdadm-3.2.6-7.el6.x86_64
        kpartx-0.4.9-72.el6.x86_64
        perl-CPANPLUS-0.88-136.el6.x86_64
        parted-2.1-21.el6.x86_64
        perl-CPAN-1.9402-136.el6.x86_64
        1:perl-Pod-Simple-3.13-136.el6.x86_64
        libgomp-4.4.7-4.el6.x86_64
        centos-release-6-5.el6.centos.11.2.x86_64
        libcom_err-devel-1.41.12-18.el6.x86_64
        btparser-0.17-2.el6.x86_64
        ipmitool-1.8.11-16.el6.x86_64
        mailx-12.4-7.el6.x86_64
        device-mapper-libs-1.02.79-8.el6.x86_64
        perl-ExtUtils-Embed-1.28-136.el6.x86_64
        python-libs-2.6.6-51.el6.x86_64
        dracut-004-336.el6_5.2.noarch
        e2fsprogs-libs-1.41.12-18.el6.x86_64
        perl-Module-Load-Conditional-0.30-136.el6.x86_64
        xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
        grep-2.6.3-4.el6.x86_64
        libss-1.41.12-18.el6.x86_64
        nss-softokn-freebl-3.14.3-9.el6.x86_64
        iptables-ipv6-1.4.7-11.el6.x86_64
        4:perl-devel-5.10.1-136.el6.x86_64
        2:irqbalance-1.0.4-6.el6.x86_64
        iproute-2.6.32-31.el6.x86_64
        4:perl-Time-HiRes-1.9721-136.el6.x86_64
        1:perl-Module-Loaded-0.02-136.el6.x86_64
        perl-core-5.10.1-136.el6.x86_64
        3:perl-version-0.77-136.el6.x86_64
        12:dhcp-common-4.1.1-38.P1.el6.centos.x86_64
        nss-softokn-freebl-3.14.3-9.el6.i686
        openssh-clients-5.3p1-94.el6.x86_64
        libreport-plugin-logger-2.0.9-19.el6.centos.x86_64
        libxml2-devel-2.7.6-14.el6.x86_64
        rpm-libs-4.8.0-37.el6.x86_64
        1:perl-parent-0.221-136.el6.x86_64
        abrt-addon-ccpp-2.0.8-21.el6.centos.x86_64
        glibc-2.12-1.132.el6.i686
        tkinter-2.6.6-51.el6.x86_64
        device-mapper-1.02.79-8.el6.x86_64
        abrt-2.0.8-21.el6.centos.x86_64
        iotop-0.3.2-7.el6.noarch
        python-urlgrabber-3.9.1-9.el6.noarch
        fprintd-0.1-21.git04fd09cfa.el6.x86_64
        perl-Archive-Tar-1.58-136.el6.x86_64
        ghostscript-8.70-19.el6.x86_64
        ntp-4.2.6p5-1.el6.centos.x86_64
        rsyslog-5.8.10-8.el6.x86_64
        gcc-4.4.7-4.el6.x86_64
        4:perl-libs-5.10.1-136.el6.x86_64
        python-ethtool-0.6-5.el6.x86_64
        hwdata-0.233-9.1.el6.noarch
        1:quota-devel-3.17-20.el6.x86_64
        openssh-5.3p1-94.el6.x86_64
     
  2. tizoo

    tizoo Well-Known Member

    Hi all,

    Some new information about this issue.

    Trying to access the service with wget gives interesting information (I only thought about that now...):

    Code:
    # wget https://zimbra.tizoo.net:7071/service/admin/soap/
    --2013-12-03 17:10:38--  https://zimbra.tizoo.net:7071/service/admin/soap/
    Résolution de zimbra.tizoo.net... 212.147.77.199
    Connexion vers zimbra.tizoo.net|212.147.77.199|:7071...connecté.
    OpenSSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
    OpenSSL: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib

    Which seems to be due to an overly quick implementation by Red Hat of the ECDHE/ECDSA algorithm.

    We will try to downgrade the openssl package to see if this fixes the problem and give feedback here.

    Cheers,
    Philippe
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  4. tizoo

    tizoo Well-Known Member

    Hi Michael,

    Yes, that's exactly the problem. We fixed it before CentOS released the fix, but it's no longer needed now, as the CentOS fix fixed it.

    I'm giving the solution in case it could be useful for someone else in another situation.

    The solution was to avoid using ECDH* ciphers and define which cipher to use for the SOAP request, which is done with the following code:

    Code:
    // Pin a single non-ECDH cipher for the TLS handshake of the SOAP request.
    $sslOptions = array('ssl' => array('ciphers' => 'RC4-SHA'));

    // Non-WSDL mode: location and uri are given explicitly, and the stream
    // context carries the cipher restriction into the HTTPS connection.
    $sc = new SoapClient(null, array(
        'location'       => 'https://zimbra.tizoo.net:7071/service/admin/soap/',
        'uri'            => 'urn:zimbraAdmin',
        'stream_context' => stream_context_create($sslOptions),
        'trace'          => 1,
        'exceptions'     => 1,
        'soap_version'   => SOAP_1_2,
        'style'          => SOAP_RPC,
        'use'            => SOAP_LITERAL
    ));

    To detect what goes wrong and what goes well, we used openssl this way:

    Code:
    # openssl s_client -connect zimbra.tizoo.net:7071
    => Problem :(
    
    # openssl s_client -connect zimbra.tizoo.net:7071 -cipher RC4-SHA
    => OK :)

    Hope this will be useful.

    Cheers,
    Philippe
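
The `openssl s_client` comparison from the post above, as an added example that is not part of the original thread: it classifies handshake output and compares a default handshake with one that excludes ECDH key exchange. The cipher list `DEFAULT:!ECDH` (a generalization of the single `RC4-SHA` test), the function names and the sample outputs are assumptions of this example; the two error lines in the failing sample are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: isolate an EC-related TLS handshake failure with openssl s_client.

# Constructed samples; the two error lines are the ones quoted in the thread.
SAMPLE_EC_FAIL='CONNECTED(00000003)
error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib'
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-SHA'
SAMPLE_NO_CIPHER='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'

# Read s_client output on stdin; print ok | ec-failure | other-failure.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"elliptic curve routines"*|*":EC lib"*) echo "ec-failure" ;;
        *"Cipher is (NONE)"*)                    echo "other-failure" ;;
        *"Cipher is "*)                          echo "ok" ;;
        *)                                       echo "other-failure" ;;
    esac
}

# probe HOST:PORT CIPHERLIST -> classification of one live handshake.
probe() {
    openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 | classify_handshake
}

# diagnose DEFAULT_RESULT NO_ECDH_RESULT -> one-line verdict.
diagnose() {
    case "$1/$2" in
        ok/*)          echo "default handshake works" ;;
        ec-failure/ok) echo "client reports an EC error; non-ECDH suites still work" ;;
        */ok)          echo "default handshake fails for a non-EC reason; non-ECDH suites work" ;;
        *)             echo "handshake fails with and without ECDH; look beyond cipher choice" ;;
    esac
}

# Live use: ./tls-probe.sh host:port
if [ "$#" -eq 1 ]; then
    d=$(probe "$1" 'DEFAULT')
    n=$(probe "$1" 'DEFAULT:!ECDH')
    echo "default=$d no-ecdh=$n"
    diagnose "$d" "$n"
fi
```

With OpenSSL 1.1.1 and later, `-cipher` only governs TLS 1.2 and below, so add `-tls1_2` to the `s_client` call in `probe` to keep the comparison meaningful.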
     
  5. laxbobber

    laxbobber Member

    Philippe,

    Thank you for your post. It helped me solve a related problem today!

    Bob
     