deb.sury.org
libssl1.1 and PHP Warning: ftp_rawlist(): SSL read failed
When I use libssl1.1=1.1.1c-1+ubuntu18.04.1+deb.sury.org+1 I get the warning ftp_rawlist(): SSL read failed, see example:
<?php
$connection = ftp_ssl_connect('host', 21, 30);
ftp_login($connection, 'login', 'pass');
ftp_raw($connection, "OPTS UTF8 ON");
$list = ftp_rawlist($connection, '/');  // returns [...]
$list1 = ftp_rawlist($connection, '/'); // returns false and prints PHP Warning: ftp_rawlist(): SSL read failed
$list2 = ftp_rawlist($connection, '/'); // returns false and prints PHP Warning: ftp_rawlist(): SSL read failed
If I use libssl1.1=1.1.0g-2ubuntu4.3 from http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages it works correctly.
Expected behavior: no warning and correct return
Distribution (please complete the following information):
- OS: [I tried Ubuntu 14.04, Ubuntu 16.04, Ubuntu 18.04]
- Architecture: [amd64]
- Repository: [http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages]
Package(s) (please complete the following information):
libssl1.1:
  Installed: 1.1.1c-1+ubuntu18.04.1+deb.sury.org+1
  Candidate: 1.1.1c-1+ubuntu18.04.1+deb.sury.org+1
  Version table:
 *** 1.1.1c-1+ubuntu18.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0g-2ubuntu4.3 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
Can you try manually connecting to the FTP to see what version of TLS is being negotiated?
TLS 1.2
verbose curl log:
* Rebuilt URL to: ftp://login:pass@host:21/
* Trying ip...
* TCP_NODELAY set
* Connected to host (ip) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 5 allowed.
< 220-Local time is now 23:38. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: ...
* start date: Mar 25 11:59:38 2019 GMT
* expire date: Mar 31 19:29:39 2020 GMT
* subjectAltName: host ...
* issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
* SSL certificate verify ok.
> USER user
< 331 User user OK. Password required
> PASS pass
< 230 OK. Current directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> PWD
< 257 "/" is your current location
* Entry path is '/'
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 229 Extended Passive mode OK (|||30006|)
* Trying ip...
* TCP_NODELAY set
* Connecting to ip (ip) port 30006
* Connected to host (ip) port 21 (#0)
> TYPE A
< 200 TYPE is now ASCII
> LIST
< 150 Accepted data connection
* Maxdownload = -1
* Doing the SSL/TLS handshake on the data stream
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSL re-using session ID
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: ...
* start date: Mar 25 11:59:38 2019 GMT
* expire date: Mar 31 19:29:39 2020 GMT
* subjectAltName: host ...
* issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
* SSL certificate verify ok.
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Remembering we are in dir ""
* TLSv1.2 (OUT), TLS alert, Client hello (1):
< 226-Options: -l
< 226 46 matches total
* Connection #0 to host host left intact
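To answer the "what version of TLS is being negotiated" question from a saved `curl -v` log rather than by eye, this added example (not part of the thread or of the project's code) pulls out the TLS version, cipher, session reuse and PROT level for the control and data channels. The sample log is constructed in the shape of the output above, and the function name `summarize_tls` is an assumption.

```python
import re

# Constructed sample: a trimmed curl -v FTPS transcript shaped like the log in the thread.
SAMPLE_LOG = """\
> AUTH TLS
< 234 AUTH TLS OK.
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> PBSZ 0
> PROT P
< 200 Data protection level set to "private"
> EPSV
< 229 Extended Passive mode OK (|||30006|)
> LIST
* Doing the SSL/TLS handshake on the data stream
* SSL re-using session ID
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
< 226 46 matches total
"""

CONN_RE = re.compile(r"^\* SSL connection using (\S+) / (\S+)")


def summarize_tls(log_text):
    """Return one dict per completed TLS handshake found in a curl -v FTPS log."""
    sessions = []
    channel = "control"   # the first handshake follows AUTH TLS on the control channel
    reused = False        # set when curl reports session resumption for this handshake
    prot = None           # last PROT level the client requested (P = private)
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("> PROT "):
            prot = line.split()[2]
        elif "handshake on the data stream" in line:
            channel, reused = "data", False
        elif line.startswith("* SSL re-using session ID"):
            reused = True
        else:
            m = CONN_RE.match(line)
            if m:
                sessions.append({"channel": channel, "version": m.group(1),
                                 "cipher": m.group(2), "session_reused": reused,
                                 "prot": prot})
                reused = False
    return sessions


if __name__ == "__main__":
    for s in summarize_tls(SAMPLE_LOG):
        print(s)
```

Running it against logs captured with each libssl1.1 build gives a per-channel comparison of what was negotiated.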
Hi,
This issue also exists in Debian 9 with the latest package of php7.2, and libssl1.1.1c
ErrorException: ftp_nlist(): SSL read failed
(FTP Server using TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher)
But here is a workaround until we get a fix! :)
PHP 7.2.21-1+0~20190807.25+debian9~1.gbp935ebf (cli) (built: Aug 7 2019 19:49:58) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.21-1+0~20190807.25+debian9~1.gbp935ebf, Copyright (c) 1999-2018, by Zend Technologies
Workaround:
# Find a newer version of libssl
apt-cache show libssl1.1
# Then install the newer version (for example "1.1.0k-1~deb9u1")
apt-get install libssl1.1=1.1.0k-1~deb9u1