Workaround for PHP Error in Ubuntu 12.04: SoapClient(): SSL: crypto enabling timeout

So I spent ~20 hours of time isolating and working around an old, as-yet-unfixed openssl bug in Ubuntu 12.04. When using this code to connect to an HTTPS/SSL/TLS1.0 SOAP server:

ini_set( "soap.wsdl_cache_enabled", "0" );
$objSoapClient = new SoapClient(
'https://EXAMPLE.COM/EXAMPLEWSDLPATH',
array ( "encoding"=>"ISO-8859-1",
"trace"=>1,
"exceptions"=>0,
"connection_timeout"=>2000 ));

You get the following errors:

me@my-desktop:~$ php prop-soaptest.php
PHP Warning: SoapClient::SoapClient(): SSL: crypto enabling timeout in /home/me/prop-soaptest.php on line 9
PHP Warning: SoapClient::SoapClient(): Failed to enable crypto in /home/me/prop-soaptest.php on line 9
PHP Warning: SoapClient::SoapClient(https://EXAMPLE.COM/EXAMPLEWSDLPATH): failed to open stream: operation failed in /home/me/prop-soaptest.php on line 9
PHP Warning: SoapClient::SoapClient(): I/O warning : failed to load external entity "https://EXAMPLE.COM/EXAMPLEWSDLPATH" in /home/me/prop-soaptest.php on line 9
PHP Fatal error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://EXAMPLE.COM/EXAMPLEWSDLPATH' : failed to load external entity "https://EXAMPLE.COM/EXAMPLEWSDLPATH" in /home/me/prop-soaptest.php on line 9

If you try using Curl, you get an error like this:

curl: (35) Unknown SSL protocol error in connection to https://EXAMPLE.COM/EXAMPLEWSDLPATH:443

The only workaround I found for trying to use PHP’s SoapClient with an HTTPS server that only supports TLS 1.0, is below. Other fixes like using curl on the command line with -ssl3 or –cipher RC4-SHA arguments do work for me, but they don’t fix SoapClient, and it was quite a journey figuring out how to get it working for SoapClient.

Thanks to someone saving my butt in IRC, I finally got the below PHP code to work for my use case, which is communicating with remote SSL SOAP services that only support SSLv2, SSLv3, or TLS1.0 (and not TLS 1.1, TLS 1.2) especially using RC4-SHA ciphers. The ciphers option in a new stream_context is the important bit to make the code work on Ubuntu 12.04 or libssl1.0.0_1.0.1 / openssl 1.0.1:


$opts = array(
'ssl' => array('ciphers'=>'RC4-SHA')
);
ini_set( "soap.wsdl_cache_enabled", "0" );
$objSoapClient = new SoapClient(
'https://EXAMPLE.COM/EXAMPLEWSDLPATH',
array ( "encoding"=>"ISO-8859-1",
'stream_context' => stream_context_create($opts),
"trace"=>1,
"exceptions"=>0,
"connection_timeout"=>2000 ));

The trick is to substitute SoapClient’s normal context with your own context + SSL options:

http://www.php.net/manual/en/soapclient.soapclient.php
http://www.php.net/manual/en/context.php
http://www.php.net/manual/en/function.stream-context-create.php

This site was invaluable in testing what exact ciphers/technologies are actually supported by the remote server: https://www.ssllabs.com/ssltest/index.html

Good luck!

Advertisements

18 thoughts on “Workaround for PHP Error in Ubuntu 12.04: SoapClient(): SSL: crypto enabling timeout

  1. Dieter D says:

    I also had this problem, thanks to you I didn’t have to pull my hair out or jump off a high building.

    THANK YOU SIR!!!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s