OpenSSL errors in php scripts after upgrade to 86.0.17

[ruiz]

Today, some PHP scripts that connect to remote hosts using SSL started to throw errors. Example:
call_user_func_array(): SSL_read on shutdown: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading

This must be related to the openssl 1.1.1e that was updated with 86.0.17:

ssl3_read_n:unexpected eof while reading while keepalive · Issue #11381 · openssl/openssl

Hey openssl team, I'm using archlinux with nginx-mainline and php-fpm with all packages up-to-date. After upgrading to openssl 1.1.1.e we see the following error happening over and over again. ...

github.com

Any fix for this issue?

 

[ffeingol]

Having the same issues. I will be opening a ticket.

 

[ffeingol]

Got a reply on my ticket. They referenced this: cPanel

Only fix given was downgrading ea-openssl:

yum downgrade ea-openssl

But it will, of course, upgrade every night.

 

[ruiz]

yum downgrade ea-openssl
Didn't work for me. Is there any aditional steps required?

Heres is my yum log:


[[email protected] public_html]# yum downgrade ea-openssl
Loaded plugins: fastestmirror, langpacks, universal-hooks
Loading mirror speeds from cached hostfile
* EA4: 74.50.120.123
* cpanel-addons-production-feed: 74.50.120.123
* cpanel-plugins: 74.50.120.123
* base: distro.ibiblio.org
* epel: d2lzkl7pfhq30w.cloudfront.net
* extras: mirror.atl.genesisadaptive.com
* updates: mirror.centos.iad1.serverforge.org
Resolving Dependencies
--> Running transaction check
---> Package ea-openssl.x86_64 0:1.0.2u-1.1.1.cpanel will be a downgrade
---> Package ea-openssl.x86_64 0:1.0.2u-1.1.2.cpanel will be erased
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================
Package Arch Version Repository Size
===================================================================================================================
Downgrading:
ea-openssl x86_64 1.0.2u-1.1.1.cpanel EA4 2.9 M

Transaction Summary
===================================================================================================================
Downgrade 1 Package

 

[ruiz]

Nevermind.

yum downgrade ea-openssl11

+ restarting php-fpm did the trick!
Thank for your help!

 

[orizonmedia]

THX ruiz ! downgrade did the trick for me too

My recaptchat work now!

 

[porplemontage]

This morning I started occasionally getting "Peer could not decode an SSL handshake message" (SSL_ERROR_DECODE_ERROR_ALERT) errors in Firefox and "invalid response" (ERR_SSL_PROTOCOL_ERROR) errors in Chrome when browsing my sites. OpenSSL upgraded to 1.1.1e overnight so this was the most likely culprit. I downgraded to 1.1.1d per the instructions above and I haven't gotten the errors since.

 

[aegis]

Getting the same error here. In particular it affects WHMCS retreiving registrar data from ENOM which gives the following error.

CURL Error: 56 - OpenSSL SSL_read: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading, errno 0

It looks like there may be a fix upstream coming in openssl 1.1.1f

ssl3_read_n:unexpected eof while reading while keepalive · Issue #11381 · openssl/openssl

Hey openssl team, I'm using archlinux with nginx-mainline and php-fpm with all packages up-to-date. After upgrading to openssl 1.1.1.e we see the following error happening over and over again. ...

github.com

Downgrading to 1.1.1d and restarting php-fpm works for me.

 

[ffeingol]

It's going to be a pain the butt, but you may want to put openssl in the yum.conf excludes or it's going to get overwritten every night when upcp runs. The 'pain' is that you'll have to keep an eye as to when their is a 'fix' for this and then remove the exclude.

 

[cPanelLauren]

This looks like it's going to get resolved with the next EA4 update we're pushing. I know they'd wanted to get it out today but I haven't seen it announced yet. We're updating OpenSSL to 1.1.1f due to issues with 1.1.1e

 

[John Goller]

Looks like openssl 1.1.1f is now available to manually upgrade.

yum upgrade ea-openssl11

Check the version installed with

yum info ea-openssl11

If version is 1.1.1f then restart PHP-FPM in WHM and you should be all ok to go.

 

[tvcnet]

Yes, had a similar issue with a number of servers, one related to a WHMCS openSSL error report and the other to this standard error:
file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading

Solution:

1.
You may now upgrade OpenSSL to version 1.1.1f manually.

2.
In terminal, $yum upgrade ea-openssl11

3.
Once completed, $yum info ea-openssl11 to ensure you have installed Release 1.1.1f

4.
Then restart "PHP-FPM Service" within WHM/

Then test your scripts connection once again to verify.

Enjoy!

 

[ffeingol]

Per what @tvcnet posted, looks like cPanel has pushed out the fix. It actually looks like a whole bunch of ea-* packages got updated (my guess is for dependencies). The normal nightly upcp should pull it and then things will be good.

 

[ciao70]

Hello,

Released openssl 1.1.1f via ea

 

[cPanelLauren]

Yea this happened after I left last night, around 7:20pm - glad to hear that you guys were able to get updated.