Forum Discussion

sreejithpm
6 years ago

Unable to generate Session Key by using vanity URL

 

 

    $user1 = "";
    $pwd1 = "";
    $user2 = "";
    $pwd2 = "";
    $our_community_url = "";
    $basicAuthDet = "$user1:$pwd1";
    // URL-encode the credentials so special characters survive the form body
    $formData = "user.login=" . urlencode($user2) . "&user.password=" . urlencode($pwd2);
    // Double quotes are required for $our_community_url to be interpolated
    $apiURL = "$our_community_url/restapi/vc/authentication/sessions/login";
    $headers = array(
            "Content-type: application/x-www-form-urlencoded"
    );

    // Only send Basic auth when a user name was actually supplied
    if(trim($user1) != ''){
        $headers[] = "Authorization: Basic ".base64_encode($basicAuthDet);
    }

    echo "\n";
    print_r($headers);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$apiURL);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT,1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch, CURLOPT_FORBID_REUSE,1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    // Keep certificate verification on; the credentials travel over this connection
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
    curl_setopt($ch, CURLOPT_POSTFIELDS,$formData);

    // Execute first; the status code is only available after the transfer
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if(curl_errno($ch)){
        echo 'Curl error: ' . curl_error($ch);
    }

    curl_close($ch);
    print "\nSTAGE: CURL RESPONSE: "; print_r($response);

 

 

Hi All,

We have integrated Lithium in our application with the proxy method to consume the APIs.

As part of deprecating API proxy method in your 19.10 release, we are doing the necessary changes from our end and noticed the below error while making the call to generate the Session Key to authenticate the APIs. I have provided the code snippet above for your reference.

 

Curl error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

 

We have started getting the above error after changing the proxy URL with our community URL.

So can anyone please help me to resolve the error?

 

PHP & OpenSSL versions used in prod and stage environments are given below:

Stage: PHP Version 5.6.16 & OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Production: PHP Version 5.6.16 & OpenSSL 1.0.1e-fips 11 Feb 2013

 

 

  • AndrewF
    Khoros Oracle

    We've removed Community support for SSL v3, TLS 1.0, and TLS 1.1. You'll need to make sure you're using TLS 1.2+ when making requests to communities.

    Those versions of OpenSSL are pretty old -- TLS 1.2 was only added around OpenSSL 1.0.1 so I believe your stage environment has no chance of working without an upgrade. curl itself may also be out of date, which might impact whether it can use the newer TLS versions.

    After upgrading, if you still see issues, you might be able to use the CURLOPT_SSLVERSION curl option in your PHP code to prefer that curl uses TLS 1.2. But if things are working, don't set that override (it will probably eventually be out of date too).

    This StackOverflow post might have better specifics for you since the asker is using PHP + curl + OpenSSL: "TLS 1.2 not working in cURL"

    • sreejithpm
      Adept

      Hi Andrew,

      Thanks for the clarification.

      As I mentioned above, our Prod env has PHP Version 5.6.16 & OpenSSL 1.0.1e-fips 11 Feb 2013, and I tried to execute the same script in the prod environment also, but there also I am getting an "SSL handshake" error.

      Attaching phpinfo details from our Production environment

      May I know why the script is not working in Prod even though it has OpenSSL 1.0.1e-fips 11 Feb 2013?

      • AndrewF
        Khoros Oracle

        I would suggest using the OpenSSL client directly on the machine to rule out PHP & Curl:

        openssl version -a
        
        echo | openssl s_client -connect community.hostname.example:443 -servername community.hostname.example

        (The "-servername ..." flag is essential because we are rolling out a requirement that SNI is used for all HTTPS requests. Your community may already require SNI.)

        If you see this working, the problem may be in your PHP + curl setup, or perhaps curl itself needs an update because there have been fixed bugs around TLS handshakes.

        If it fails, the OpenSSL connect output should give you better information to diagnose the issue.

        Aside: Even if the old OpenSSL is not the cause, I recommend trying to have a plan to upgrade as it is one of the more important pieces of maintenance -- security is a moving target and your versions have known vulnerabilities (famously, Heartbleed).
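
Added example, not part of the thread and not Khoros or forum members' code: a PHP check that complements the `openssl s_client` test above by reporting which TLS library PHP's curl extension is linked against (this can differ from the system `openssl` binary) and, optionally, attempting a TLS 1.2 handshake with certificate verification on. The function names, the file name `tlscheck.php` and the sample version strings are assumptions made for illustration.

```php
<?php
// Added example. Function names and sample strings are illustrative assumptions.

// Classify a curl "ssl_version" string as reported by curl_version().
// OpenSSL gained TLS 1.2 in 1.0.1; other backends (NSS, GnuTLS, ...) follow
// different version rules, so they are reported as "unknown".
function tls12_capability($sslVersion)
{
    if (preg_match('#^OpenSSL/(\d+\.\d+\.\d+)#', $sslVersion, $m)) {
        return version_compare($m[1], '1.0.1', '>=') ? 'yes' : 'no';
    }
    return 'unknown';
}

// Try a TLS 1.2 handshake with certificate checks on.
// Returns null on success, or curl's error text on failure.
function probe_tls12($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_NOBODY, true);          // headers only, no body
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    curl_exec($ch);
    $err = curl_errno($ch) ? curl_error($ch) : null;
    curl_close($ch);
    return $err;
}

// Constructed sample strings (not taken from a real host).
foreach (array('OpenSSL/0.9.8e', 'OpenSSL/1.0.1e', 'NSS/3.19.1') as $s) {
    printf("%-15s TLS 1.2 capable: %s\n", $s, tls12_capability($s));
}

// The library this PHP build is really linked against.
$cv = curl_version();
printf("PHP curl %s using %s, TLS 1.2 capable: %s\n",
    $cv['version'], $cv['ssl_version'], tls12_capability($cv['ssl_version']));

// Optional live check (hypothetical file name):
//   php tlscheck.php https://community.hostname.example/
if (isset($argv[1])) {
    $err = probe_tls12($argv[1]);
    echo $err === null ? "TLS 1.2 handshake OK\n" : "Handshake failed: $err\n";
}
```

Run it with the same PHP binary and SAPI that serves the failing script, since the CLI and the web server module can be built against different curl libraries.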