cPanel / CentOS update break SOAP SSL

tizoo

Well-Known Member
Jan 6, 2004
77
3
158
cPanel Access Level
DataCenter Provider
Hi all,

We use cPanel/WHM 11.40.0 (build 26).

During yesterday morning's update many packages were updated, and since then it is no longer possible to make a SOAP connection using SSL.

The problem occurs in our plugin but also from a simple web site on the server. And as everything works without problem when the request comes from another server (non-cPanel), we think the problem is due to one or more of the package updates.

The problem is not related to the firewall and occurs whatever the PHP version is (5.3.? or 5.4.?, built with the EasyApache script).

The returned exception just says that the connection was not possible.

Does someone have an idea of the source of this problem?

Thanks in advance for any tips.

Cheers,
Philippe

Returned exception:

Code:
[Authentication EXCEPTION] => SoapFault Object
(
    [message:protected] => Could not connect to host
    [string:Exception:private] => 
    [code:protected] => 0
    [file:protected] => /home/tizoobe/public_html/index.php
    [line:protected] => 21
    [trace:Exception:private] => Array
        (
            [0] => Array
                (
                    [function] => __doRequest
                    [class] => SoapClient
                    [type] => ->
                    [args] => Array
                        (
                            [0] => <?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ns1="urn:zimbraAdmin" xmlns:ns2="urn:zimbra"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><name>XXXXX</name><password>XXXXX</password></ns1:AuthRequest></env:Body></env:Envelope>
                            [1] => https://zimbra.tizoo.net:7071/service/admin/soap/
                            [2] => urn:zimbraAdmin#AuthRequest
                            [3] => 2
                            [4] => 0
                        )
                )
            [1] => Array
                (
                    [file] => /home/tizoobe/public_html/index.php
                    [line] => 21
                    [function] => __soapCall
                    [class] => SoapClient
                    [type] => ->
                    [args] => Array
                        (
                            [0] => AuthRequest
                            [1] => Array
                                (
                                    [0] => SoapParam Object
                                        (
                                            [param_name] => name
                                            [param_data] => XXXX
                                        )
                                    [1] => SoapParam Object
                                        (
                                            [param_name] => password
                                            [param_data] => XXXX
                                        )
                                )
                            [2] => 
                            [3] => SoapHeader Object
                                (
                                    [namespace] => urn:zimbra
                                    [name] => context
                                    [mustUnderstand] => 
                                )
                        )
                )
        )
    [previous:Exception:private] => 
    [faultstring] => Could not connect to host
    [faultcode] => HTTP
)

List of the updated packages:

Code:
Packages Installed:
    kernel-2.6.32-431.el6.x86_64
    lzo-2.03-3.1.el6.x86_64
    snappy-1.1.0-1.el6.x86_64
    perl-CGI-3.51-136.el6.x86_64
    p11-kit-trust-0.18.5-2.el6.x86_64
    shared-mime-info-0.70-4.el6.x86_64
    p11-kit-0.18.5-2.el6.x86_64
 
 Packages Updated:
    libgcc-4.4.7-4.el6.i686
    openssh-server-5.3p1-94.el6.x86_64
    kexec-tools-2.0.0-273.el6.x86_64
    1:busybox-1.15.1-20.el6.x86_64
    policycoreutils-2.0.83-19.39.el6.x86_64
    libreport-python-2.0.9-19.el6.centos.x86_64
    nspr-4.10.0-1.el6.x86_64
    cvs-1.11.23-16.el6.x86_64
    lvm2-2.02.100-8.el6.x86_64
    libreport-2.0.9-19.el6.centos.x86_64
    1:perl-Module-Load-0.16-136.el6.x86_64
    setuptool-1.19.9-4.el6.x86_64
    pam-devel-1.1.1-17.el6.x86_64
    1:perl-ExtUtils-CBuilder-0.27-136.el6.x86_64
    libreport-plugin-rhtsupport-2.0.9-19.el6.centos.x86_64
    man-pages-overrides-6.5.2-1.el6.noarch
    ghostscript-devel-8.70-19.el6.x86_64
    1:perl-Archive-Extract-0.38-136.el6.x86_64
    libreport-plugin-mailx-2.0.9-19.el6.centos.x86_64
    nss-sysinit-3.15.1-15.el6.x86_64
    1:net-snmp-libs-5.5-49.el6.x86_64
    1:perl-ExtUtils-ParseXS-2.2003.0-136.el6.x86_64
    device-mapper-event-1.02.79-8.el6.x86_64
    1:perl-Locale-Maketext-Simple-0.18-136.el6.x86_64
    perl-File-Fetch-0.26-136.el6.x86_64
    coreutils-libs-8.4-31.el6.x86_64
    gcc-c++-4.4.7-4.el6.x86_64
    libreport-compat-2.0.9-19.el6.centos.x86_64
    libstdc++-4.4.7-4.el6.x86_64
    1:perl-Compress-Raw-Zlib-2.021-136.el6.x86_64
    perl-IO-Compress-Bzip2-2.021-136.el6.x86_64
    1:microcode_ctl-1.17-17.el6.x86_64
    perl-Term-UI-0.20-136.el6.x86_64
    ql2500-firmware-7.00.01-1.el6.noarch
    kernel-firmware-2.6.32-431.el6.noarch
    abrt-libs-2.0.8-21.el6.centos.x86_64
    libxml2-python-2.7.6-14.el6.x86_64
    libxml2-2.7.6-14.el6.x86_64
    python-tools-2.6.6-51.el6.x86_64
    bfa-firmware-3.2.21.1-2.el6.noarch
    hdparm-9.43-4.el6.x86_64
    dracut-kernel-004-336.el6_5.2.noarch
    libnl-1.1.4-2.el6.x86_64
    sudo-1.8.6p3-12.el6.x86_64
    e2fsprogs-devel-1.41.12-18.el6.x86_64
    glibc-devel-2.12-1.132.el6.i686
    grubby-7.0.15-5.el6.x86_64
    1:perl-IPC-Cmd-0.56-136.el6.x86_64
    perl-ExtUtils-MakeMaker-6.55-136.el6.x86_64
    cronie-1.4.4-12.el6.x86_64
    libdrm-2.4.45-2.el6.x86_64
    perl-IO-Compress-Base-2.021-136.el6.x86_64
    1:quota-3.17-20.el6.x86_64
    logrotate-3.7.8-17.el6.x86_64
    libblkid-2.17.2-12.14.el6.x86_64
    efibootmgr-0.5.4-11.el6.x86_64
    libreport-cli-2.0.9-19.el6.centos.x86_64
    1:perl-Object-Accessor-0.34-136.el6.x86_64
    abrt-addon-kerneloops-2.0.8-21.el6.centos.x86_64
    udev-147-2.51.el6.x86_64
    14:libpcap-1.4.0-1.20130826git2dbcaa1.el6.x86_64
    glibc-static-2.12-1.132.el6.x86_64
    atk-1.30.0-1.el6.x86_64
    libudev-147-2.51.el6.x86_64
    ftp-0.17-54.el6.x86_64
    libcom_err-1.41.12-18.el6.x86_64
    libgcc-4.4.7-4.el6.x86_64
    1:perl-Parse-CPAN-Meta-1.40-136.el6.x86_64
    libstdc++-devel-4.4.7-4.el6.x86_64
    rpm-python-4.8.0-37.el6.x86_64
    4:perl-5.10.1-136.el6.x86_64
    perl-IO-Compress-Zlib-2.021-136.el6.x86_64
    sysvinit-tools-2.87-5.dsf.el6.x86_64
    1:emacs-common-23.1-25.el6.x86_64
    coreutils-8.4-31.el6.x86_64
    perl-Socket6-0.23-4.el6.x86_64
    selinux-policy-3.7.19-231.el6.noarch
    libreport-plugin-kerneloops-2.0.9-19.el6.centos.x86_64
    xmlrpc-c-1.16.24-1210.1840.el6.x86_64
    kernel-headers-2.6.32-431.el6.x86_64
    e2fsprogs-1.41.12-18.el6.x86_64
    sos-2.2-47.el6.centos.noarch
    python-devel-2.6.6-51.el6.x86_64
    abrt-cli-2.0.8-21.el6.centos.x86_64
    libXcursor-1.1.13-6.20130524git8f677eaea.el6.x86_64
    selinux-policy-targeted-3.7.19-231.el6.noarch
    device-mapper-event-libs-1.02.79-8.el6.x86_64
    libuuid-2.17.2-12.14.el6.x86_64
    glibc-headers-2.12-1.132.el6.x86_64
    gtk2-2.20.1-4.el6.x86_64
    pam-1.1.1-17.el6.x86_64
    device-mapper-persistent-data-0.2.8-2.el6.x86_64
    glibc-devel-2.12-1.132.el6.x86_64
    iw-3.10-1.1.el6.x86_64
    1:emacs-23.1-25.el6.x86_64
    python-2.6.6-51.el6.x86_64
    1:perl-Params-Check-0.26-136.el6.x86_64
    openssl-1.0.1e-15.el6.x86_64
    1:readahead-1.5.6-2.el6.x86_64
    1:perl-Log-Message-0.02-136.el6.x86_64
    nss-3.15.1-15.el6.x86_64
    xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
    1:perl-Package-Constants-0.02-136.el6.x86_64
    util-linux-ng-2.17.2-12.14.el6.x86_64
    fprintd-pam-0.1-21.git04fd09cfa.el6.x86_64
    1:perl-Pod-Escapes-1.04-136.el6.x86_64
    libreport-plugin-reportuploader-2.0.9-19.el6.centos.x86_64
    nss-softokn-3.14.3-9.el6.x86_64
    lvm2-libs-2.02.100-8.el6.x86_64
    1:perl-Module-Pluggable-3.90-136.el6.x86_64
    1:perl-IO-Zlib-1.09-136.el6.x86_64
    glibc-common-2.12-1.132.el6.x86_64
    libgcj-4.4.7-4.el6.x86_64
    biosdevname-0.5.0-2.el6.x86_64
    nss-util-3.15.1-3.el6.x86_64
    abrt-addon-python-2.0.8-21.el6.centos.x86_64
    perl-Compress-Zlib-2.021-136.el6.x86_64
    glib2-2.26.1-3.el6.x86_64
    nss-tools-3.15.1-15.el6.x86_64
    ca-certificates-2013.1.94-65.0.el6.noarch
    logwatch-7.3.6-52.el6.noarch
    12:dhclient-4.1.1-38.P1.el6.centos.x86_64
    1:perl-Digest-SHA-5.47-136.el6.x86_64
    cronie-anacron-1.4.4-12.el6.x86_64
    initscripts-9.03.40-2.el6.centos.x86_64
    rpm-4.8.0-37.el6.x86_64
    ntpdate-4.2.6p5-1.el6.centos.x86_64
    1:grub-0.97-83.el6.x86_64
    cpp-4.4.7-4.el6.x86_64
    abrt-tui-2.0.8-21.el6.centos.x86_64
    numactl-2.0.7-8.el6.x86_64
    openssl-devel-1.0.1e-15.el6.x86_64
    systemtap-runtime-2.3-3.el6.x86_64
    ql2400-firmware-7.00.01-1.el6.noarch
    glibc-2.12-1.132.el6.x86_64
    sysstat-9.0.4-22.el6.x86_64
    iptables-1.4.7-11.el6.x86_64
    mdadm-3.2.6-7.el6.x86_64
    kpartx-0.4.9-72.el6.x86_64
    perl-CPANPLUS-0.88-136.el6.x86_64
    parted-2.1-21.el6.x86_64
    perl-CPAN-1.9402-136.el6.x86_64
    1:perl-Pod-Simple-3.13-136.el6.x86_64
    libgomp-4.4.7-4.el6.x86_64
    centos-release-6-5.el6.centos.11.2.x86_64
    libcom_err-devel-1.41.12-18.el6.x86_64
    btparser-0.17-2.el6.x86_64
    ipmitool-1.8.11-16.el6.x86_64
    mailx-12.4-7.el6.x86_64
    device-mapper-libs-1.02.79-8.el6.x86_64
    perl-ExtUtils-Embed-1.28-136.el6.x86_64
    python-libs-2.6.6-51.el6.x86_64
    dracut-004-336.el6_5.2.noarch
    e2fsprogs-libs-1.41.12-18.el6.x86_64
    perl-Module-Load-Conditional-0.30-136.el6.x86_64
    xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
    grep-2.6.3-4.el6.x86_64
    libss-1.41.12-18.el6.x86_64
    nss-softokn-freebl-3.14.3-9.el6.x86_64
    iptables-ipv6-1.4.7-11.el6.x86_64
    4:perl-devel-5.10.1-136.el6.x86_64
    2:irqbalance-1.0.4-6.el6.x86_64
    iproute-2.6.32-31.el6.x86_64
    4:perl-Time-HiRes-1.9721-136.el6.x86_64
    1:perl-Module-Loaded-0.02-136.el6.x86_64
    perl-core-5.10.1-136.el6.x86_64
    3:perl-version-0.77-136.el6.x86_64
    12:dhcp-common-4.1.1-38.P1.el6.centos.x86_64
    nss-softokn-freebl-3.14.3-9.el6.i686
    openssh-clients-5.3p1-94.el6.x86_64
    libreport-plugin-logger-2.0.9-19.el6.centos.x86_64
    libxml2-devel-2.7.6-14.el6.x86_64
    rpm-libs-4.8.0-37.el6.x86_64
    1:perl-parent-0.221-136.el6.x86_64
    abrt-addon-ccpp-2.0.8-21.el6.centos.x86_64
    glibc-2.12-1.132.el6.i686
    tkinter-2.6.6-51.el6.x86_64
    device-mapper-1.02.79-8.el6.x86_64
    abrt-2.0.8-21.el6.centos.x86_64
    iotop-0.3.2-7.el6.noarch
    python-urlgrabber-3.9.1-9.el6.noarch
    fprintd-0.1-21.git04fd09cfa.el6.x86_64
    perl-Archive-Tar-1.58-136.el6.x86_64
    ghostscript-8.70-19.el6.x86_64
    ntp-4.2.6p5-1.el6.centos.x86_64
    rsyslog-5.8.10-8.el6.x86_64
    gcc-4.4.7-4.el6.x86_64
    4:perl-libs-5.10.1-136.el6.x86_64
    python-ethtool-0.6-5.el6.x86_64
    hwdata-0.233-9.1.el6.noarch
    1:quota-devel-3.17-20.el6.x86_64
    openssh-5.3p1-94.el6.x86_64
 

tizoo

Hi all,

Some new information about this issue.

Trying to access the service with wget gives interesting information (I only thought about that now...):

Code:
# wget https://zimbra.tizoo.net:7071/service/admin/soap/
--2013-12-03 17:10:38--  https://zimbra.tizoo.net:7071/service/admin/soap/
Résolution de zimbra.tizoo.net... 212.147.77.199
Connexion vers zimbra.tizoo.net|212.147.77.199|:7071...connecté.
OpenSSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
OpenSSL: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib

This seems to be due to a too-quick implementation by Red Hat of the ECDHE/ECDSA algorithm.

We will try to downgrade the openssl package to see if this fixes the problem and give feedback here.

Cheers,
Philippe
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463

tizoo

Hi Michael,

Yes, it's exactly the problem. We fixed it before CentOS released the fix, but our fix is no longer needed now, as the CentOS fix fixed it.

I give the solution in case it could be useful for someone else in another situation.

The solution was to avoid using ECDH* ciphers and define which cipher to use for the SOAP request, which is done with the following code:

Code:
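// Pin a non-ECDH* cipher for the TLS handshake made by the SOAP request
$sslOptions = array('ssl' => array('ciphers' => 'RC4-SHA'));

// Non-WSDL mode: location and uri are given explicitly,
// and the SSL options are passed in through the stream context
$sc = new SoapClient(null, array(
    'location'       => 'https://zimbra.tizoo.net:7071/service/admin/soap/',
    'uri'            => 'urn:zimbraAdmin',
    'stream_context' => stream_context_create($sslOptions),
    'trace'          => 1,
    'exceptions'     => 1,
    'soap_version'   => SOAP_1_2,
    'style'          => SOAP_RPC,
    'use'            => SOAP_LITERAL
));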

To detect what goes wrong and what goes well, we used openssl this way:

Code:
# openssl s_client -connect zimbra.tizoo.net:7071
=> Problem :(

# openssl s_client -connect zimbra.tizoo.net:7071 -cipher RC4-SHA
=> OK :)

Hope this will be useful.

Cheers,
Philippe
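
The s_client comparison from the post above as a small triage script (an added example, not part of the original thread; the function names and the `DEFAULT:!ECDH` cipher string are choices made here). It excludes ECDH key exchange rather than pinning RC4-SHA, so the check does not depend on the server accepting one particular cipher.

```bash
#!/usr/bin/env bash
# Added example: triage for the EC handshake failure discussed in this thread.

# Classify captured client output (wget, openssl s_client, ...) read on stdin.
classify_tls_log() {
    local log
    log=$(cat)
    if printf '%s\n' "$log" | grep -Eq 'elliptic curve routines:.*:unknown group|SSL3_GET_KEY_EXCHANGE:EC lib'; then
        echo ec-curve-unsupported
    elif printf '%s\n' "$log" | grep -Eq 'error:[0-9A-Fa-f]{8}:'; then
        echo other-openssl-error
    else
        echo no-openssl-error
    fi
}

# Combine two probe results: $1 exit status and $2 log class with the default
# cipher list, $3 exit status with ECDH key exchange excluded.
verdict() {
    if [ "$1" -eq 0 ]; then
        echo handshake-ok
    elif [ "$2" = ec-curve-unsupported ] && [ "$3" -eq 0 ]; then
        echo ecdhe-curve-mismatch      # exclude ECDH client-side until fixed
    else
        echo unrelated-failure         # firewall, certificate, service down...
    fi
}

# Live probe of host:port; needs network access.
# Assumption: s_client exits non-zero when the handshake fails.
probe_ecdh() {
    local out rc1 rc2
    out=$(openssl s_client -connect "$1" -cipher 'DEFAULT' </dev/null 2>&1) && rc1=0 || rc1=$?
    openssl s_client -connect "$1" -cipher 'DEFAULT:!ECDH' </dev/null >/dev/null 2>&1 && rc2=0 || rc2=$?
    verdict "$rc1" "$(printf '%s\n' "$out" | classify_tls_log)" "$rc2"
}

# Offline demo on the two error lines wget printed in the thread.
wget_errors='OpenSSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
OpenSSL: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib'
printf '%s\n' "$wget_errors" | classify_tls_log
```

For a live check, source the script and run `probe_ecdh zimbra.tizoo.net:7071`.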