# Problem with cURL



## heximal (Jul 25, 2020)

Hi.
Recently I've got some strange problem with wordpress. When I try to upgrade it via wp-admin panel, there occurs an error

```
cURL error 59: failed setting cipher list: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
```

Google says it's probably a problem with root certificate. I tried a lot of suggested solutions, but nothing helped.
Is there something I'm doing wrong?
Maybe it's some well-known issue?

My system:

FreeBSD 11.3-RELEASE-p7 FreeBSD 11.3-RELEASE-p7 #0: Tue Mar 17 08:32:23 UTC 2020     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64


----------



## bjs (Jul 25, 2020)

You might want to update your system... 11.3 is at p10 or p11 now, and I believe one of the updates has something to do with root certificates IIRC... Either way, it can't hurt to update...


----------



## heximal (Jul 25, 2020)

Thank you for forcing me to upgrade my system usually I postpone it until the latest moment)
Unfortunately it didn't help. The error still remains.
Now I have

```
FreeBSD 12.1-RELEASE-p7 FreeBSD 12.1-RELEASE-p7 GENERIC  amd64
```


----------



## a6h (Jul 25, 2020)

Disable all plugins and try again, if it works, find the malfunction plugin.
Try to install a test Wordpress installation. Same error?
Did you recently install any ports which change your OpenSSL libraries?
[EDIT:] You don't need to disclose you ISP info. Last line of your first post.


----------



## heximal (Jul 25, 2020)

vigole said:


> Did you recently install any ports which change your OpenSSL libraries?
> [EDIT:] You don't need to disclose you ISP info. Last line of your first post.



Yes, I did. Once I had a problem with libssl occured after upgrading from 10 to 11 version.
Coming back to my current problem. I produced a stand alone php script with code snippet of wordpress which deals with updating system. It uses php curl. I set up verbose option for curl object and got a bit of details


```
*   Trying 198.143.164.250:443...
* Connected to downloads.wordpress.org (198.143.164.250) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
ld-elf.so.1: /usr/local/lib/libcurl.so.4: Undefined symbol "SSL_CTX_set_alpn_protos"
```

libcurl.so.4 is a symlink:

```
lrwxr-xr-x  1 root  wheel  16 Apr 23 04:23 /usr/local/lib/libcurl.so.4 -> libcurl.so.4.6.0
```

Grep indicates that libcurl.so.4.6.0 contains substring SSL_CTX_set_alpn_protos.
I'm confused.


----------



## a6h (Jul 25, 2020)

`/usr/local/lib/libcurl.so.4` suggests you've installed OpenSSL from ports tree. OpenSSL from the base is located at `/usr/lib/libssl.so.*`. Delete the port version. Check it again.

[EDIT 1]:
`FreeBSD 12-.1-RELEASE-p7 GENERIC am64` + `OpenSSL 1.1.1d-freebsd` from base (*not ports*) works fine with Wordpress.
Do you have any reason to install OpenSSL from the ports?

[EDIT 2]:
If you want to compile www/apache24 against security/openssl:
/etc/make.conf
`DEFAULT_VERSIONS+= ssl=openssl`

[EDIT 3]:


vigole said:


> Delete the port version


By delete I mean `pkg delete`


----------



## heximal (Jul 25, 2020)

Thanks for you help, I'm going to try it tomorrow since I have backup process running right now.



vigole said:


> Do you have any reason to install OpenSSL from the ports?


Yeah, I had some merge conflict during previous system upgrade, so the only thing that saved the day was libssl installed from ports.



vigole said:


> `DEFAULT_VERSIONS+= ssl=openssl`



I have this option in my make.conf


----------



## heximal (Jul 26, 2020)

OK, I tried to remove ssl package


```
pkg remove openssl-1.1.1g,1
```

and got this warning 


```
Installed packages to be REMOVED:
    apache24: 2.4.43
    apr: 1.7.0.1.6.1_1
    mod_php72: 7.2.30
    mysql57-client: 5.7.30
    mysql57-server: 5.7.30
    nginx: 1.18.0_1,2
    openldap-sasl-client: 2.4.50
    openssl: 1.1.1g,1
    redmine: 3.4.11_4
    rubygem-mysql204: 0.4.10
    rubygem-passenger-nginx: 6.0.4_1
```

Will I need to install them all again?


----------



## a6h (Jul 26, 2020)

First thing first, you are running a server and I'm not system administrator, and lots of those fine gentlemen are members of this forums, it's better to wait to receive their advice. I'm going to make some assumption and I'll give you my response:
You've build your packages from the ports tree, against the security/openssl,  changed /etc/make.conf configurations and probably some modifications on ports options. Now you want to switch to the base OpenSSL. Therefore you have to remove `DEFAULT_VERSIONS+= ssl=openssl` line from /etc/make.conf, have a look at you _ports options, _and rebuild ports which previously build against security/openssl. When you switch from base OpenSSL to security/openssl or vice versa, you'll have to rebuild every ports which are build against OpenSSL (the old one)


----------



## richardtoohey2 (Jul 26, 2020)

You've got to choose if you are going with the base OpenSSL and packages or if you want the latest and greatest OpenSSL in ports - but then you'll need to build ports.

But given you are now on FreeBSD 12.1 - OpenSSL 1.1.1d - and the latest ports version is OpenSSL 1.1.1g you probably need to figure out more what is causing the OpenSSL issue on your system.

Can you boil the issue down to JUST cURL - so on another machine or a VM start with a base 12.1, get it to p7, install cURL - do you have the same problem?

If you don't have the problem then you know that base OpenSSL (1.1.1d) and cURL work.  So you could try installing PHP with cURL, and try your script - does that still work?

If that does then you can decide if you want to change your main system - remove the /etc/make.conf change and you can use packages and remove the OpenSSL port - but as you've seen, removing the port OpenSSL means a bit of rebuilding - everything linked to OpenSSL.

But I think step 1 is a clean system with base OpenSSL and working out if you've got an issue with 1.1.1.

If you can share your test PHP script I can run it and see what I get.

I'm running FreeBSD 12.1p7 with ports built against ports OpenSSL 1.1.1g and not encountered issues with Apache, PHP 7.3 and MySQL 5.6 related to OpenSSL.

P.S. PHP 7.2 is completely EOL in 4 months: https://www.php.net/supported-versions.php


----------



## heximal (Jul 26, 2020)

richardtoohey2 said:


> If you can share your test PHP script I can run it and see what I get.


I would appreciate. 

```
<?php
$ch = curl_init("https://downloads.wordpress.org/release/ru_RU/wordpress-5.4.2.zip");

curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, true);

$res = curl_exec($ch);
if ($res) {
  echo("success");
} else {
  echo("failed");
}
```


----------



## richardtoohey2 (Jul 26, 2020)

So this is FreeBSD 12.1p7 amd64, PHP 7.3.20, OpenSSL 1.1.1g, /etc/make.conf has DEFAULT_VERSIONS+=ssl=openssl, ports built (not using pkg to install):


```
% pkg info -r openssl
openssl-1.1.1g,1:
    libevent-2.1.12
    mysql56-server-5.6.49
    mysql56-client-5.6.49
    curl-7.71.1
    python37-3.7.8_1
    python27-2.7.18_1
    libarchive-3.4.3,1

% php test.php
*   Trying 198.143.164.250:443...
* Connected to downloads.wordpress.org (198.143.164.250) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.wordpress.org
*  start date: Nov  6 17:42:01 2017 GMT
*  expire date: Dec 15 20:11:21 2020 GMT
*  subjectAltName: host "downloads.wordpress.org" matched cert's "*.wordpress.org"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x80206d000)
> GET /release/ru_RU/wordpress-5.4.2.zip HTTP/2
Host: downloads.wordpress.org
accept: */*

* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx
< date: Sun, 26 Jul 2020 22:00:36 GMT
< content-type: application/zip
< content-length: 14018821
< cache-control: private
< content-disposition: attachment; filename=wordpress-5.4.2-ru_RU.zip
< last-modified: Tue, 21 Jul 2020 20:00:15 GMT
< x-frame-options: SAMEORIGIN
< content-md5: fd298b8f109cbd4e24b597ba86717de1
< x-nc: EXPIRED ord 1
< accept-ranges: bytes
< 
PK
??P
wordpress/UT    CI_BI_ux
...
```


----------



## richardtoohey2 (Jul 26, 2020)

And I think this is just trying cURL by itself - so what output do you get trying this?


```
% curl -o testfile.zip -v https://downloads.wordpress.org/release/ru_RU/wordpress-5.4.2.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 198.143.164.250:443...
* Connected to downloads.wordpress.org (198.143.164.250) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3747 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.wordpress.org
*  start date: Nov  6 17:42:01 2017 GMT
*  expire date: Dec 15 20:11:21 2020 GMT
*  subjectAltName: host "downloads.wordpress.org" matched cert's "*.wordpress.org"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x801201c00)
} [5 bytes data]
> GET /release/ru_RU/wordpress-5.4.2.zip HTTP/2
> Host: downloads.wordpress.org
> user-agent: curl/7.71.1
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/2 200 
< server: nginx
< date: Sun, 26 Jul 2020 22:06:22 GMT
< content-type: application/zip
< content-length: 14018821
< cache-control: private
< content-disposition: attachment; filename=wordpress-5.4.2-ru_RU.zip
< last-modified: Tue, 21 Jul 2020 20:00:15 GMT
< x-frame-options: SAMEORIGIN
< content-md5: fd298b8f109cbd4e24b597ba86717de1
< x-nc: EXPIRED ord 7
< accept-ranges: bytes
< 
{ [16158 bytes data]
  5 13.3M    5  735k    0     0   294k      0  0:00:46  0:00:02  0:00:44  294k^C
```


----------



## heximal (Jul 26, 2020)

Looks ok.
Do you think the problem is only in php curl? I tried CLI curl and got this:

```
curl https://downloads.wordpress.org
ld-elf.so.1: /usr/local/lib/libcurl.so.4: Undefined symbol "SSL_CTX_set_alpn_protos"
```


----------



## richardtoohey2 (Jul 26, 2020)

(EDIT: if you think it might be curl/php curl you can try re-building curl & things that rely on it instead of _everything_ that relies on OpenSSL.)

When you upgraded from 11.x to 12.1, did you rebuild all the ports?

What did you build the ports with when you originally used /etc/make.conf?

Have you any OpenSSL configuration files in /etc/ssl/ or /usr/local/etc/ssl?

I'm no expert on OpenSSL - I just take the defaults and build against the ports version (I want to make sure I'm using the latest OpenSSL).

If there are any major changes then I rebuild all the ports that rely on OpenSSL and either restart those ports or restart the server.

I think you've got some mismatch in some component somewhere - but not sure where.  You can keep digging or just make sure you rebuild everything & restart the services (or the server)

*If* you used portmaster, then you could try


```
# portmaster -r openssl
...
===>>> The following actions will be taken if you choose to proceed:
    Re-install openssl-1.1.1g,1
    Re-install libevent-2.1.12
    Re-install mysql56-server-5.6.49
    Re-install mysql56-client-5.6.49
    Re-install curl-7.71.1
    Re-install python37-3.7.8_1
    Re-install python27-2.7.18_1
    Re-install libarchive-3.4.3,1
```

(This is a test/dev server that I don't have Apache on).

Then


```
# portmaster -r curl
...
===>>> The following actions will be taken if you choose to proceed:
    Re-install curl-7.71.1
    Re-install php73-curl-7.3.20
    Re-install cmake-3.17.3_1
```

If you don't use portmaster do not start now (it's not recommended!) - but do the similar steps - make sure you rebuild everything that relies on OpenSSL, then rebuild everything that relies on cURL.

Then restart everything that's been rebuilt or restart the server.


----------

