Bug #5329

XMLRPC HA sync is not working with https

Added by Renato Botelho over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: High
Category: Config sync
Target version:
Start date: 10/21/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3
Affected Architecture:
Description

To reproduce, set up 2 pfSense boxes using HTTPS and then set up HA XMLRPC sync; notices like this will pop up:

A communications error occurred while attempting XMLRPC sync with username admin https://192.168.1.6:443. @ 2015-10-21 12:08:46

Associated revisions

Revision 8540bdcb (diff)
Added by Renato Botelho over 3 years ago

Fix #5329

Since PHP 5.6, fsockopen() is checking SSL certificates, xmlrpc_client
is used only for HA today so it's safe to disable this check.

Since fsockopen() doesn't provide a way to disable it, move code to use
stream_socket_client()

History

#1 Updated by Jim Thompson over 3 years ago

  • Assignee set to Renato Botelho

#2 Updated by Chris Buechler over 3 years ago

  • Status changed from New to Confirmed
  • Priority changed from Normal to High

#3 Updated by Jeremy Porter over 3 years ago

Tried turning off config sync over HTTPS, still get errors, will capture some traffic in a bit:
A communications error occurred while attempting XMLRPC sync with username admin https://192.168.13.3:443. 2015-11-12 14:21:47
A communications error occurred while attempting XMLRPC sync with username admin https://192.168.13.3:443.
2015-11-12 14:21:48
A communications error occurred while attempting XMLRPC sync with username admin https://192.168.13.3:443. 2015-11-12 16:30:53
A communications error occurred while attempting XMLRPC sync with username admin https://192.168.13.3:443.
2015-11-12 16:30:54
An error code was received while attempting XMLRPC sync with username admin http://192.168.13.3:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload 2015-11-12 16:54:37
An error code was received while attempting XMLRPC sync with username admin http://192.168.13.3:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
2015-11-12 16:55:57
An error code was received while attempting XMLRPC sync with username admin http://192.168.13.3:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload 2015-11-12 20:37:09
An error code was received while attempting XMLRPC sync with username admin http://192.168.13.3:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
2015-11-12 20:47:12

#4 Updated by Chris Buechler over 3 years ago

  • Category changed from High Availability to Config sync

This looks to be something enabling certificate validation where it wasn't enabled before, though not clear where that is. Not web server-specific as it's the same if you swap out lighttpd for nginx. It fails before even sending the request.

It works fine over HTTP.

#5 Updated by Renato Botelho over 3 years ago

  • Tracker changed from Bug to Todo
  • Subject changed from XMLRPC HA sync is not working with https to Replace fsockopen() calls by stream_socket_client()

Since PHP 5.6, fsockopen() started to validate SSL certificates, and it doesn't provide an option to disable verification. Replace all calls with stream_socket_client(), disabling verification; code sample here:

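// Turn off certificate and hostname verification for this connection
// (PHP >= 5.6 verifies both by default).
$context_options = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false
    )
);
$context = stream_context_create($context_options);
// $protocol, $server, $port and $timeout are defined by the calling code.
$fp = stream_socket_client("{$protocol}{$server}:{$port}",
    $this->errno, $this->errstr, $timeout,
    STREAM_CLIENT_CONNECT, $context);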
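
An alternative to the sample in #5 that keeps verification on, as an added example that is not part of the ticket or of pfSense's code: with both checks off the client accepts any certificate, whereas the `peer_fingerprint` context option (PHP 5.6+) accepts only the one certificate recorded for the peer. It assumes the peer presents a self-signed GUI certificate; the function names and the demo certificate are constructed for illustration.

```php
<?php
// Added example (not pfSense code); function names and the demo certificate are constructed.

/** Normalise "AA:BB:.." or "aabb.." to 64 lowercase hex characters, or throw. */
function normalize_sha256_pin(string $pin): string
{
    $hex = strtolower(str_replace([':', ' '], '', $pin));
    if (!preg_match('/^[0-9a-f]{64}$/', $hex)) {
        throw new InvalidArgumentException('pin must be a SHA-256 certificate fingerprint');
    }
    return $hex;
}

/** TLS context that accepts only the certificate whose SHA-256 fingerprint is $pin. */
function pinned_sync_context(string $pin)
{
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,   // keep the PHP >= 5.6 certificate check on
        'allow_self_signed' => true,   // a self-signed peer certificate passes...
        'peer_fingerprint'  => ['sha256' => normalize_sha256_pin($pin)], // ...only if it is this one
        'verify_peer_name'  => false,  // peer is addressed by IP; the pin identifies the exact cert
    ]]);
}

/** Open the sync connection; returns a stream resource or throws with the socket error. */
function pinned_sync_connect(string $server, int $port, string $pin, float $timeout = 10.0)
{
    $fp = @stream_socket_client("ssl://{$server}:{$port}", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, pinned_sync_context($pin));
    if ($fp === false) {
        throw new RuntimeException("TLS connect to {$server}:{$port} failed: {$errstr} ({$errno})");
    }
    return $fp;
}

// Constructed demo, runs offline: a throwaway self-signed certificate stands in for the
// peer's GUI certificate; its fingerprint is the pin an admin would record once per peer.
$opts = ['digest_alg' => 'sha256', 'private_key_bits' => 2048];
$key  = openssl_pkey_new($opts);
$csr  = openssl_csr_new(['commonName' => 'ha-peer.example'], $key, $opts);
$cert = openssl_csr_sign($csr, null, $key, 365, $opts);
openssl_x509_export($cert, $pem);
$pin  = openssl_x509_fingerprint($pem, 'sha256');

print_r(stream_context_get_options(pinned_sync_context($pin))['ssl']);
```

A fingerprint mismatch makes `stream_socket_client()` return false, so `pinned_sync_connect()` throws before any sync credentials are sent.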

#6 Updated by Renato Botelho over 3 years ago

  • Tracker changed from Todo to Bug
  • Subject changed from Replace fsockopen() calls by stream_socket_client() to XMLRPC HA sync is not working with https
  • Status changed from Confirmed to Assigned

#7 Updated by Renato Botelho over 3 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#8 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved
  • Affected Version set to 2.3

fixed
