SoapClient in PHP 5.6 when using HTTPS emits warning with "key values mismatch"

2.4k views Asked by At

After upgrading to Debian 8 with PHP 5.6.9 (change from PHP 5.4) I'm getting this warning when calling SOAP web service with HTTPS endpoint address:

Warning: SoapClient::__doRequest(): SSL operation failed with code 1. OpenSSL Error messages: 
error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

followed by SoapFault:

Fatal error: Uncaught SoapFault exception: [HTTP] Error Fetching http headers

Calling file_get_contents with the web service URL doesn't trigger this warning.

I don't have any stream context options set for ssl on this SOAP call.

Do you have any clue what does this warning mean in this context and how to properly get rid of it?

EDIT

In my specific use case I'm calling two web service methods: A and B. Method A is working without warning, then some openssl methods are called on its result, and then method B is called which trigger the warning. When I remove the call to method A and load its result from cache, method B (and any other) works without warnings. It's bizarre - I need to investigate further.

EDIT2

I've extracted the problem and made it testable. It seems that following scenario causes this warning:

  1. Call some SOAP method with HTTPS endpoint.
  2. Call openssl_pkcs12_read on PKCS#12 file with extra certificates.
  3. Call some SOAP method with HTTPS endpoint again. It will cause warning and SoapFault.

Below is example using some publicly available SOAP webservice and self-signed certificate.

<?php

$p12 = 'MIIMgQIBAzCCDEcGCSqGSIb3DQEHAaCCDDgEggw0MIIMMDCCBucGCSqGSIb3DQEHBqCCBtgwggbUAgEAMIIGzQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIHkgJ646mKooCAggAgIIGoFEhy5EmHjteHd4+Q8mUrtY74fszKgwvnhO20g5zneMP39UbQBW3MPSMmMNXuCSG0NqJeiMG/z4WESUMKchhiAe+l4+trbGnFHaNLes6qrItUvMaD2vOtIv4n2ywY99GS4G/dVpM1TWBoXFAQXqJkTXD1SxqX7J0iau+g5u9PV1yaiUAnhbRzsE3SuFdVJo0d3C66XbROKbn45Q+cPDOHCSmOTrQmANvUpFFmunQg2pROvJHd7uEU6KYkC4Hv+ofPDAtT2Uhy7UK2LAW9YoP48SRvkSfOS0s9S8ZvMKB4Czrx+mg5iY+KeacMa2voYQ0gRWm7obAHrzpW3s4nmYKGEi13mqn+fH2NjhbQKRcxfn57iAgXKOBOT3NmvDZA3hMvj1XI7LGLBAqS0Rwa+1rt8NNUbAiYd6S+HbC8r1HbtMmJEd2xBnU3dNDBhE+H3TH8eDNJmCVJ2P4w22C0/YzIpC/fFfjUv9mdd2MP8nGZN99MO+Jc+bpjzwk/DI9FOytKRAf6hcNzmnnGKMjbOkbwWlNXY7KEANNMTwJEjf6KoIz5rdEPeH9XYehzNb+Px61szps7IS6kx/ZJMoPD9ChYMHNsR8+FiuieBdjOj4BRLkGHP3kE12xmKxAkpnO8OF3tms5Gv5z1cNltWPjllpRf0wwqHxrh00mdVery+PUVUPQ91ZE0RwtX2gkxVre8bZ8lzorr8WwFkPnRhUMP0mc/r+ZXkn9ROU+myU874jQLKXotzGJo+nELqet+hSyFTKNrQY6qlhnfNX03qutk6Poeh/kCzcOB+6wPcuWzl1OZGsbtZcpFmHDwlRS+6COM9ut3a/fh6+vLDK3GG0tAOeLAVatlhhNtFiztzBDhBac6Q9AObRqJYj3TCMW6GEQnEO+Zj5WVdEXNfXbfWZszM7iPBMiF8vX1RYVFO4VMaGiv6hCK3tW5qw5V9Si63V0vex4qrB7eUDIILLGYs22irJrsiIV5h4OKk3Hb/pYzrqJFN+0/LMO8Gf0SEqF1UtS2zHPecJmq+8pPKFgcvMuTN4YXgFH+7yYIrOdUMTpkmnmtHl72M6Yy3wFg479y5TiFZU/csnagtFMSsm0vrYCtnCoJdFgLYHh4JZT0pJJsDoStJtmtjCk3g/JXeFmOG4u3i6F6aGDkWWkAoww4Z6QIBlx2yK2PCyCRgJ2g54iZmfgH3AR2Bg8YC3miiJRSUXqrt+C+HwTwj7bR5BdeECheK3gJIELWiMF50s+REsxqhW9GEeg+T9Sv0yMAhWMziYwYiYHbzIKfVwqxO8zZpFENRTOCiIKeNmJnvUas1rsrKJPr7JPLrFUWCy+h2XyCS0eBs9tXBVrkVwz3Lz04rIi72c1a051KPeInbb/lKfuVjxFGcSV7gKzZLvkzeBIP1tiMa43PmOhyo29tbg1ENrWePYfl4ekoAqET+faEx8m3fhNhUT6ToQJUbdIXcC1603IocVUVy+jS+hwmleLEyXeyBj1zGrwo8ypdXouXPL2kFnAfSrvayxBMpvRwIHpSBS3gP5E/SWwCEGPoR+Yu2g20U65Fy35NVsG/fMSmCAEJ1arvcl8XhZCtQJRILthMm8ktz2DzMapUJITL16XW/OaHpocKS9hTuaTPLRXtkOl9UnqJqgVLclLFd00++wyp4qmH2Q4X96+EVsZLAP5PFPp6y8wfbTg42JPA/rv+4XRpJhZ7sGaTchWYqKjCintwG6z/Gi4vDBPi7uZdL982jyk08IunIq7tR8Lz5cL+isb4PniItswfHMvNRGP9SpcxSp4lCwotZpS/fUbUF3nagQeMBvnHUTxTM935Tz+r86z1pZPpL+n+XxYRg3rmL2OslwWmBuugDc/caqSbyIV7qxnU9IK3XKF2ld3PMxnKHdICO+jVr8+Zfxw7lDu9WD7E2gQY6veo0YYkoaz0snXdE78dqky6gNQpb4WTz9Vfav7in5bobOOVULZRPAX8ZGAvE+TRCr0wGmIa9wZvO27eOp/e+ZngI0EVHOujDwRVNNBB/e+SOsE4MLSsIW0vG+i64MijtVKvqc6Vlm1XuC8TbEmKj2edvwFiWieb2zKgEt7oYMBUp5wYznbYjGGZqTZZeS/vlezUopi/7tiLkDiUOAsG/zOTy7joxyrzsdezvEnSVbxyMchUnkANgEbRuov2YUrlh6+3HP+c7x2jFGolT+ogkOcuCF7pDBv2IfIW0/RNGnteJeN5koQ4CcZZMwCFIQwusCscPewMg0xK78fk8Fe5L56d/YwggVBBgkqhkiG9w0BBwGgggUyBIIFLjCCBSowggUmBgsqhkiG9w0BDAoBAqCCBO4wggTqMBwGCiqGSIb3DQEMAQMwDgQINTriWPMqhZgCAggABIIEyDagZpMYqw21efjHKp/Ro0r7xHBKahXsY5xnDLxyTiWiT/22gJDjlqSUMKPOMloXuqlfSXuCMo4dvRF3VGkJCc/N7P57OWTTZGVIcC/CkvH7zjL08tGb88BaFMgacj7cX+notFVT685Y76s1MLcILiE4mQxN6mRu6U6OzBZ8FvVcXVpnCf4C+mZLw0FP/ZxLlY9L3ZF82tZLYyDmpCpNFtfEB3vyduYhyb7aabvbFBu7Gnv8RiF2ohUSMVBv0gg9JAz0doLhwd2CiNjxHZTNzIliwEO3aTNIQjFz/5Lqa/jGjLQ8mx9ZREADU3zD8LdDN+P0Q67hDxuQvru8XvaAkz9v71pY0H0Ifv6/S12UvOrROVaxA+Rhz/KjIai3djgWjJoVyr4WmgqxZx7zRVVHSo5+wggOmybKmBsY0ytH99d26veZciboeyUx5UtASvbny08uaXvHSPu/CRHsSLmYfHz0Dd3A8+Sey83zvP1qiMhrRQYNWoCT2EVxtBa2xzvcbrsUgvdG1/Pg8+L5vykhSyUu/16QXfJskooCQCpId7aRjMczpa/rmwBm7ay0Cg5MHv451u5EIKeKHwDBkwrepS5SwajJCTriMEi+YFQWBukSdKdTvXYTWcxjIpiwNJkPxH4MQwuEfh6fznenifyNKeF4BQRc7H9NwY4Vl0UuCukbmlPpJndlgyO+W5CApDdpxNKqc5rkyp2UiqF05qTZOMtL0/sPk97CrkkH3e5wwooJnBN9er94S5t6Hicw2zpfvH3FoPLcuHANV9e3QBzKNth+A1mWDtEvKPQ9AdObJUxBDeyxXyRenKlM7IX9I4HztpS3Dvgyg27eQnrvdOz+A6+IXzRJLhoT853uxGigL9fF+LVg7BoYYsoLyfBW6zDayFB5dliz+WD03GhbeUQSz7eXCq5v+5wglrSPPwI2P2RpzSiYy7IigF/krsvD1v42ciMMxr3OasQnCwPj+inPutHwBuuSb2FsEo0dASXQuqOJ66b5vo8MpnT1AP0BAXtfoxbimYVu7kfDOGEyRrARcH9KNsFxrBgKm0/Vu8Gv2nS1bDXxJtkj891igDR1ubybPQiVbjB0E3V6Oa2MEe23Vx632DbWhJpMIK2PGD8+V5rXkczf6zd2uGDY85g4aoK2ozmkf0/IUFL+ChpByXD0FqZ8szg/xOut0yR3wFFugLHMfBeR4QKb3ZFGX1g4i8HIejWqoRohnV2MpPGgfKB3AXBdkhQr7cFurtFe6PSI2UEDmdO6YLYuP3rkLJpyH6lBCqAcL7jFkKlzMnlrXEqnZ/eAsJpyAbm8QxbJLZiXFQqbCuO22u0Q6r2bDPqDxACP5S2utJnD5yFaFuEIESYn1KlAXJoPFiRO4K4iRpspIZM1KY7/xFsj4ssGjOY/6O+K0Sxmg+qLwpxCpBvk1leusNb9Ua6bEMGiWUTS+PptkMmou/cYycoIlsIFx/lzmxSi1IsI+x/SSlOj0V2+FnLW0to5DgmJj0Y6Cg9hyI5UGhLTdNjtgFv2VEZ5F862c6aehpsEUcN5lRAb75fxZWiAHptGPH+M6xLsH0e6jRCGGfaoz1nA/vGDTJbhvQh+gTuerjuhnxMLkXt58bpQNiC5KB3lY78dch+/TzElMCMGCSqGSIb3DQEJFTEWBBThvL9jHiqk9kxxa+fO4m1Klc0mWzAxMCEwCQYFKw4DAhoFAAQU2t4LC2xjLRH7pTlVgA3R6iJ7TYsECA+RO2Li8MyxAgIIAA==';

$sc = new SoapClient('https://finanzonline.bmf.gv.at/fon/services/FileUploadWSI/wsdl/FileUploadWSIService.wsdl');

var_dump($sc->GetVersion());

$result = openssl_pkcs12_read(base64_decode($p12), $cert_data, 'qwerty');
var_dump($cert_data);

var_dump($sc->GetVersion());

Could somebody test this script? In PHP Version 5.6.9-0+deb8u1 with OpenSSL 1.0.1k 8 Jan 2015 I've got no second result of GetVersion call and the warning and error.

EDIT3

Same result in PHP 7 Alpha 1. Reported as Bug #69882.

1

There are 1 answers

0
Furgas On BEST ANSWER

I've confirmed that this is PHP bug, and was introduced in PHP 5.6.7, in commit fd4641696cc67fedf494717b5e4d452019f04d6f.

The workaround is to call openssl_error_string() after openssl_pkcs12_read().

Update

A pull request has been submitted to address this issue - merged