OpenSSL Error: Cannot connect to HTTPS server through proxy

[boldtrn]

Hi,

I am behind a company firewall and composer stopped working some time ago (around 4-5 weeks). So I tried composer diag and this shows the following output:

Checking platform settings: OK
Checking http connectivity: OK
Checking HTTP proxy: OK
Checking HTTP proxy support for request_fulluri: OK
Checking HTTPS proxy support for request_fulluri: FAIL
Unable to assert the situation, maybe github is down (The "https://api.github.com/repos/Seldaek/jsonlint/zipball/1.0.0" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
failed to open stream: Cannot connect to HTTPS server through proxy)
Checking composer.json: FAIL
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking disk free space: OK
Checking composer version: OK

I tried to set: HTTPS_PROXY_REQUEST_FULLURI to true or false, but this doesn't changed anything for me. So right now I don't have any clue how to go on. Anybody got an idea?

Unfortunately I cant run composer update anymore, what ends in something like this:

Loading composer repositories with package information
Updating dependencies (including require-dev)
  - Installing symfony/icu (v1.2.0)
    Loading from cache

  - Installing doctrine/dbal (2.3.4)
    Downloading: 100%
    Downloading: 100%
    Downloading: 100%



  [Composer\Downloader\TransportException]
  The "https://api.github.com/repos/doctrine/dbal/zipball/2.3.4" file could n
  ot be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
  error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
  failed to open stream: Cannot connect to HTTPS server through proxy

[stof]

does your proxy block SSL trafic ?

[boldtrn]

Thank you for your reply @stof . The Proxy supports SSL, e.g. if I enter https://api.github.com/repos/doctrine/dbal/zipball/2.3.4 in the Browser. It will start to download the zip.

Also I should add:
I am working on a Windows XP machine using cygwin(Using the regular Windows CMD doesn't change anything).

I just tried to download the https://api.github.com/repos/doctrine/dbal/zipball/2.3.4 via wget and it worked as well. But one thing that was a bit strange, wget told me, that it doesn't trust the certificate api.github.com and codeload.github.com, maybe this could be problem? However the console printed the following to me(unfortunately this is a german output, I hope this is not a big problem?):

$ wget https://api.github.com/repos/Seldaek/jsonlint/zipball/1.0.0 -S --no-check-certificate
--2013-06-21 13:43:39--  https://api.github.com/repos/Seldaek/jsonlint/zipball/1.0.0
Auflösen des Hostnamen »proxy.mycompany.de (proxy.mycompany.de)«... 10.1.1.202
Verbindungsaufbau zu proxy.mycompany.de (proxy.mycompany.de)|10.1.1.202|:3128... verbunden.
WARNUNG: Dem Zertifikat von »api.github.com« wird nicht vertraut.
WARNUNG: Das Zertifikat von »»api.github.com«« wurde von einem unbekannten Austeller herausgegeben.
Proxy-Anforderung gesendet, warte auf Antwort...
  HTTP/1.1 302 Found
  Server: GitHub.com
  Date: Fri, 21 Jun 2013 11:43:39 GMT
  Content-Type: text/html;charset=utf-8
  Connection: close
  Status: 302 Found
  X-RateLimit-Limit: 60
  X-RateLimit-Remaining: 49
  Cache-Control: public, must-revalidate, max-age=0
  Expires: Fri, 21 Jun 2013 11:43:39 GMT
  Location: https://codeload.github.com/Seldaek/jsonlint/legacy.zip/1.0.0
  X-Content-Type-Options: nosniff
  Content-Length: 0
  Access-Control-Allow-Credentials: true
  Access-Control-Expose-Headers: ETag, Link, X-RateLimit-Limit, X-RateLimit-Remaining, X-OAuth-Scopes, X-Accepted-OAuth-Scopes
  Access-Control-Allow-Origin: *
  Vary: Accept-Encoding
Platz: https://codeload.github.com/Seldaek/jsonlint/legacy.zip/1.0.0[folge]
--2013-06-21 13:43:40--  https://codeload.github.com/Seldaek/jsonlint/legacy.zip/1.0.0
Verbindungsaufbau zu proxy.mycompany.de (proxy.mycompany.de)|10.1.1.202|:3128... verbunden.
WARNUNG: Dem Zertifikat von »codeload.github.com« wird nicht vertraut.
WARNUNG: Das Zertifikat von »»codeload.github.com«« wurde von einem unbekannten Austeller herausgegeben.
Proxy-Anforderung gesendet, warte auf Antwort...
  HTTP/1.1 200 OK
  Connection: close
  Content-Length: 13055
  Content-Type: application/zip
  Content-Disposition: attachment; filename=Seldaek-jsonlint-1.0.0-0-g3b4bc2a.zip
  Date: Fri, 21 Jun 2013 11:43:40 GMT
Länge: 13055 (13K) [application/zip]
In »»1.0.0«« speichern.

100%[==========================================================================================================================================>] 13.055      --.-K/s   in 0s

2013-06-21 13:43:40 (57,5 MB/s) - »»1.0.0«« gespeichert [13055/13055]

Also curl seems to work fine:

$ curl -v https://api.github.com/repos/Seldaek/jsonlint/zipball/1.0.0
* About to connect() to proxy proxy.mycompany.de port 3128 (#0)
*   Trying 10.1.1.202...
* 0x2001f120 is at send pipe head!
* STATE: CONNECT => WAITCONNECT handle 0x20057460; line 1032 (connection #0)
* Connected to proxy.mycompany.de (10.1.1.202) port 3128 (#0)
* Establish HTTP proxy tunnel to api.github.com:443
> CONNECT api.github.com:443 HTTP/1.1
> Host: api.github.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* STATE: WAITCONNECT => WAITPROXYCONNECT handle 0x20057460; line 1142 (connection #0)
< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: /usr/ssl/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* STATE: WAITPROXYCONNECT => WAITCONNECT handle 0x20057460; line 1107 (connection #0)
* STATE: WAITCONNECT => PROTOCONNECT handle 0x20057460; line 1145 (connection #0)
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*        subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*        start date: 2012-04-30 00:00:00 GMT
*        expire date: 2014-07-09 12:00:00 GMT
*        subjectAltName: api.github.com matched
*        issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance CA-3
*        SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x20057460; line 1164 (connection #0)
> GET /repos/Seldaek/jsonlint/zipball/1.0.0 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.github.com
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x20057460; line 1236 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x20057460; line 1352 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x20057460; line 1363 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 302 Found
< Server: GitHub.com
< Date: Fri, 21 Jun 2013 12:34:02 GMT
< Content-Type: text/html;charset=utf-8
< Connection: keep-alive
< Status: 302 Found
< X-RateLimit-Limit: 60
< X-RateLimit-Remaining: 57
< Cache-Control: public, must-revalidate, max-age=0
< Expires: Fri, 21 Jun 2013 12:34:02 GMT
< Location: https://codeload.github.com/Seldaek/jsonlint/legacy.zip/1.0.0
< X-Content-Type-Options: nosniff
< Content-Length: 0
< Access-Control-Allow-Credentials: true
< Access-Control-Expose-Headers: ETag, Link, X-RateLimit-Limit, X-RateLimit-Remaining, X-OAuth-Scopes, X-Accepted-OAuth-Scopes
< Access-Control-Allow-Origin: *
< Vary: Accept-Encoding
<
* STATE: PERFORM => DONE handle 0x20057460; line 1533 (connection #0)
* Connection #0 to host proxy.mycompany.de left intact

[boldtrn]

Allright I was able to fix this issue. The Problem was the Version of OpenSSL in PHP. I updated to OpenSSL v1.0.1 and now it works pretty fine.

So what's my Setup:

• I am behind a company proxy
• Using Wamp/Xamp
• Windows XP

How to fix it:
I acutally followed this post: http://blog.phpbee.vlexofree.com/?p=223
In short:

• Download the latest OpenSSL from here: http://slproweb.com/products/Win32OpenSSL.html
• Install it
• Copy the DLL Files into your PHP Folder

P.S. You can check your OpenSSL-Version by typing php -i or echo "<?php phpinfo(); ?>" | php > phpinfo.txt

Maybe this helps somebody. It killed my last 2 days ...

[dspiegel]

@stof
I actually have been fighting this same issue over last several weeks. I am running on Linux, not windoze so does not seem applicable.

I opened an issue about this a couple weeks ago, but someone recommended adding HTTP_PROXY_REQUEST_FULLURI and HTTPS_PROXY_REQUEST_FULLURI vars. This worked for one day and now it no longer works for anyone inside our company firewall. Every thing else works just fine using https proxy (wget, git, web browser...). We are running Ubuntu Precise 12.04, and all packages are up to date.

here is diag output:

./bin/composer.phar diag
Checking platform settings: OK
Checking http connectivity: OK
Checking HTTP proxy: OK
Checking HTTP proxy support for request_fulluri: OK
Checking HTTPS proxy support for request_fulluri: FAIL
Unable to assert the situation, maybe github is down (The "https://api.github.com/repos/Seldaek/jsonlint/zipball/1.0.0" file could not be downloaded: failed to open stream: Cannot connect to HTTPS server through proxy)
Checking composer.json: OK
Checking composer version: OK

[mateusz]

@dspiegel same problem over here, seems to be a compatibility issue between two versions of openssl. It's possible this has been caused recently by GitHub upgrading their openssl version to 1.0 (http://stackoverflow.com/questions/8619706/running-curl-with-openssl-0-9-8-against-openssl-1-0-0-server-causes-handshake-er).

For us upgrade is out of question currently. If composer uses curl, CURLOPT_SSLVERSION=3 would help, but I don't know if it in fact does. Could you let me know if you manage to fix the issue?

[boldtrn]

@mateusz I'm not 100% sure about this, maybe one of the developers should comment on this as well, but as far as I can tell, composer does not use curl to download dependencies. It uses the php get_contents() as you can see here: https://github.com/composer/composer/blob/master/src/Composer/Util/RemoteFilesystem.php#L132
(I hope I am pointing to the right place now because I debuged it, but this was some time ago). So I'm not sure if setting CURLOPT_SSLVERSION=3 will affect anything or is even possible.

[mateusz]

@boldtrn indeed, you're right - it's actually using the PHP streams directly. I understand it is using the https wrapper for file_get_contents, and ssl proxy transport for the context configuration. Nevertheless the issue seems to be with the openssl extension as compiled into my php executable and if there was a way to pass some options into the context, I could try configuring ciphers to prefer SSLv3. There is no such option though :-)

Still looking at it, I'll try to see what the composer is actually doing. Curl works fine for me, so maybe it is some kind of a composer bug after all...

[mateusz]

Got some more information, opened new issue with code to reproduce and a suspicion towards SNI.

[mancha1]

You've bumped up against a bug in OpenSSL 0.9.8 in its handling of warning-level alerts. In this case it appears to be hostname mismatch when using SNI extensions.

I've submitted a patch to OpenSSL that addresses this.

--mancha

[1] https://rt.openssl.org/Ticket/Display.html?id=3038&user=guest&pass=guest
[2] http://marc.info/?t=136760077700002&r=1&w=2

[Ulauzs4]

open regedit find all 172.20.20.1:3128 proxy and delete.
for Windows

[jyoung7]

If the client is being used with a library that uses another OpenSSL, for example, if you are making https: // SSL calls from the CURL library, OpenSSL will not generate the Context