Przemysław Pawliczuk
php-fpm + FreeBSD 8.2 and SSL issue
July 20, 2012 05:12PM
I'm wondering what's going on with my php-fpm instance.

Compiled the PHP 5.4 from ports and everything works okay except the one
thing. If I want to use an SSL transport via socket (no matter which method
- just SSL encryption) the interpreter throws me something weird. In this
example I'm trying to send an e-mail via GMail's SMTP (which works only on
secured SMTP port):

PHP Warning: fsockopen(): SSL: Unknown error: 0 in /...
PHP Warning: fsockopen(): Failed to enable crypto in /...
PHP Warning: fsockopen(): unable to connect to
ssl://smtp.gmail.com:587(Unknown error) in /...

SSL appears in phpinfo's registered streams list. Even OpenSSL library on
enabled modules. But I have no idea why it's failing to establish a secured
connection to any server... For example, fsockopen returns false with no
error message...

I've upgraded the ports tree and recompiled PHP. OpenSSL as well but still
no idea. I set firewall_type="open" and nothing changed.

Been googling some time for this issue. Unfortunately found nothing.

Some info about env:
- FreeBSD 8.2 x86_64
- PHP-FPM 5.4
- pool configured with a chrooted environment

Resulting ./configure command: http://www.nopaste.pl/1e2x

Any ideas?
Maciej Lisiewski
Re: php-fpm + FreeBSD 8.2 and SSL issue
July 21, 2012 04:14AM
Most likely it's an issue with chroot - some of the files needed by SSL
are outside it.
For testing purposes try running the same config without chroot and see
if it works.

--
Maciej Lisiewski
Rainer Duffner
Re: php-fpm + FreeBSD 8.2 and SSL issue
July 21, 2012 07:34AM
On 21.07.2012 at 10:13, Maciej Lisiewski wrote:

> Most likely it's an issue with chroot - some of the files needed by SSL are outside it.
> For testing purposes try running the same config without chroot and see if it works.


You also need a copy of /etc/ssl//openssl.cnf in your chroot.
(And, of course, a jail-like cut-down /dev directory with null, random, urandom and zero.)
The default file from the system's /etc/ssl is OK, it just has to exist. Otherwise, SSL doesn't have any usable default values and apparently, that's bad.
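
The files named in the reply above can be checked before the chrooted pool is started. The script below is an added example, not part of the original thread; the function name `chroot_ssl_missing` and its one-path-per-line output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list which of the files named in this thread are missing
# from a chroot. The path list comes from the reply above; the function name
# and output format are assumptions of this example.

chroot_ssl_missing() {
    root=${1%/}          # chroot directory, trailing slash stripped

    # OpenSSL configuration: must exist as a readable regular file.
    [ -f "$root/etc/ssl/openssl.cnf" ] && [ -r "$root/etc/ssl/openssl.cnf" ] \
        || echo "$root/etc/ssl/openssl.cnf"

    # Device nodes: must be character devices. A regular file created by
    # copying /dev/random with cp does not count and is reported as missing.
    for node in null random urandom zero; do
        [ -c "$root/dev/$node" ] || echo "$root/dev/$node"
    done
    return 0
}

# Run directly as: sh check.sh /path/to/chroot
if [ "$#" -ge 1 ]; then
    chroot_ssl_missing "$1"
fi
```

Empty output means every path from the reply is present with the expected file type; it does not cover shared libraries or other files the process may open.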
Przemysław Pawliczuk
Re: php-fpm + FreeBSD 8.2 and SSL issue
July 22, 2012 02:38PM
I've tried earlier with mounting /usr and /lib directories using
mount_nullfs within jailed directory.

Now I followed your advice with /etc and /dev tree nodes but still no
changes.

But furthermore ktraced the particular php-fpm process:
http://www.nopaste.pl/1e4k

(stripped the paths and browser's request headers)

No idea what to do further...

Thanks in advance.

2012/7/21 Rainer Duffner <rainer@ultra-secure.de>

>
> On 21.07.2012 at 10:13, Maciej Lisiewski wrote:
>
> > Most likely it's an issue with chroot - some of the files needed by SSL
> are outside it.
> > For testing purposes try running the same config without chroot and see
> if it works.
>
>
> You also need a copy of /etc/ssl//openssl.cnf in your chroot.
> (And, of course, a jail-like cut-down /dev directory with null, random,
> urandom and zero.)
> The default file from the system's /etc/ssl is OK, it just has to exist.
> Otherwise, SSL doesn't have any usable default values and apparently,
> that's bad.
>
>
>
>
Rainer Duffner
Re: php-fpm + FreeBSD 8.2 and SSL issue
July 22, 2012 02:44PM
On 22.07.2012 at 20:36, Przemysław Pawliczuk wrote:

> I've tried earlier with mounting /usr and /lib directories using mount_nullfs within jailed directory.
>
> Now I followed your advice with /etc and /dev tree nodes but still no changes.
>
> But furthermore ktraced the particular php-fpm process: http://www.nopaste.pl/1e4k
>
> (stripped the paths and browser's request headers)
>
> No idea what to do further...




Is it just me (and Safari) or is the text of that pastie almost completely unreadable?