[SOLVED]Bad OpenSSL cause 503/500 error in FastCGI/PHP-FPM curl with compiled additional php-5.6

Hi, as I wrote I have an error executing this code:

Code:

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/");
curl_setopt($ch, CURLOPT_CAINFO, 'cacert.pem');

// Some environments may be capable of TLS 1.2 but it is not in their list of defaults so need the SSL version option to be set.
curl_setopt($ch, CURLOPT_SSLVERSION, 6);

curl_exec($ch);
echo "\n";

This broke down both PHP-5.6 run in Fast-CGI and PHP-FPM
Executing the vhost under Mod-PHP the call will work (using default Debian 9 PHP version: 7)
Error log shown trying with Fast-CGI:

Code:

[Mon May 21 18:57:07.259425 2018] [fcgid:warn] [pid 437] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:55437] mod_fcgid: error reading data from FastCGI server
[Mon May 21 18:57:07.259504 2018] [core:error] [pid 437] [client xxx.xxx.xxx.xxx:55437] End of script output before headers: ssl.php

Error log shown trying with PHP-FPM:

Code:

[Mon May 21 18:56:20.867156 2018] [proxy_fcgi:error] [pid 32685] [client xxx.xxx.xxx.xxx:55262] AH01067: Failed to read FastCGI header
[Mon May 21 18:56:20.867221 2018] [proxy_fcgi:error] [pid 32685] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:55262] AH01075: Error dispatching request to :

I cannot figure out how to solve it
Thanks
Stefano

 

CURL VERSION: { "version_number": 472065, "age": 3, "features": 4179869, "ssl_version_number": 0, "version": "7.52.1", "host": "x86_64-pc-linux-gnu", "ssl_version": "OpenSSL\/1.0.1t", "libz_version": "1.2.8", "protocols": [ "dict", "file", "ftp", "ftps", "gopher", "http", "https", "imap", "imaps", "ldap", "ldaps", "pop3", "pop3s", "rtmp", "rtsp", "scp", "sftp", "smb", "smbs", "smtp", "smtps", "telnet", "tftp" ] }

Seems my openssl version is enought (1.0.1t):
https://support.shopgate.com/hc/en-...-I-upgrade-my-SSL-library-to-support-TLS-1-2-

Any Idea?

 

Yes I used that one.

Which is the maximum version of openssl can be used with php-5.6.36?
I suppose that I should put some --enable-1.2 or similar when I will recompile openssl but I didn't found any information about it. May you know which is the right way to enable it?

 

I made some test: executing a curl without "https://" it work.
It seems that enabling https:// crash all... I check error.log bou nothing that can explain. I don't know if curl or openssl write some log where I can inspect.

 

I tried version 4 but without luck, Now i recompiling openssl with 1.0.2o and I will try anymore.
Perhaps, what I can think is: Can be any permission problem loading cacert by the user of vhost?
I have the cert in the web folder, the same folder of the php page callig curl. which is the user is loading cacert? the webX/clientX user or www-data:www-data?

 

SOLVED!
I read on OpenSSL site that version 1.0.1 is not yet supported. Could be there is no back compatibility or no more compatibility between php-5.6 or CURL 7.52 and that version.
I had recompiled a different version of openssl, 1.0.2o that is their LTS program. All work flawless.
The debian 9 version:

Code:

# /usr/bin/openssl version
OpenSSL 1.1.0f  25 May 2017

Thanks

 

Thank you very much for your search and suggestion to install OpenSSL 1.0.2. I got 1.0.2s for now.
I had 500-503 errors when testing from navigators with https (not http).
Not all the time but when refresh after a while of no activity.
After 2 refreshes, it came again with 400.
To say, it is a fresh ISPConfig install from here:
https://www.howtoforge.com/tutorial/ispconfig-automated-install-script/
followed by :
https://www.howtoforge.com/tutorial/how-to-install-php-7-on-debian
I think 1.0.2 should be in the tutorials in place of 1.0.1x.
Thanks again.