After upgrading to Debian 8 with PHP 5.6.9 (change from PHP 5.4) I'm getting this warning when calling SOAP web service with HTTPS endpoint address:
Warning: SoapClient::__doRequest(): SSL operation failed with code 1. OpenSSL Error messages:
error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
followed by SoapFault:
Fatal error: Uncaught SoapFault exception: [HTTP] Error Fetching http headers
Calling file_get_contents with the web service URL doesn't trigger this warning.
I don't have any stream context options set for ssl on this SOAP call.
Do you have any clue what does this warning mean in this context and how to properly get rid of it?
EDIT
In my specific use case I'm calling two web service methods: A and B. Method A is working without warning, then some openssl methods are called on its result, and then method B is called which trigger the warning. When I remove the call to method A and load its result from cache, method B (and any other) works without warnings. It's bizarre - I need to investigate further.
EDIT2
I've extracted the problem and made it testable. It seems that following scenario causes this warning:
- Call some SOAP method with HTTPS endpoint.
- Call
openssl_pkcs12_readon PKCS#12 file with extra certificates. - Call some SOAP method with HTTPS endpoint again. It will cause warning and SoapFault.
Below is example using some publicly available SOAP webservice and self-signed certificate.
<?php
$p12 = 'MIIMgQIBAzCCDEcGCSqGSIb3DQEHAaCCDDgEggw0MIIMMDCCBucGCSqGSIb3DQEHBqCCBtgwggbUAgEAMIIGzQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIHkgJ646mKooCAggAgIIGoFEhy5EmHjteHd4+Q8mUrtY74fszKgwvnhO20g5zneMP39UbQBW3MPSMmMNXuCSG0NqJeiMG/z4WESUMKchhiAe+l4+trbGnFHaNLes6qrItUvMaD2vOtIv4n2ywY99GS4G/dVpM1TWBoXFAQXqJkTXD1SxqX7J0iau+g5u9PV1yaiUAnhbRzsE3SuFdVJo0d3C66XbROKbn45Q+cPDOHCSmOTrQmANvUpFFmunQg2pROvJHd7uEU6KYkC4Hv+ofPDAtT2Uhy7UK2LAW9YoP48SRvkSfOS0s9S8ZvMKB4Czrx+mg5iY+KeacMa2voYQ0gRWm7obAHrzpW3s4nmYKGEi13mqn+fH2NjhbQKRcxfn57iAgXKOBOT3NmvDZA3hMvj1XI7LGLBAqS0Rwa+1rt8NNUbAiYd6S+HbC8r1HbtMmJEd2xBnU3dNDBhE+H3TH8eDNJmCVJ2P4w22C0/YzIpC/fFfjUv9mdd2MP8nGZN99MO+Jc+bpjzwk/DI9FOytKRAf6hcNzmnnGKMjbOkbwWlNXY7KEANNMTwJEjf6KoIz5rdEPeH9XYehzNb+Px61szps7IS6kx/ZJMoPD9ChYMHNsR8+FiuieBdjOj4BRLkGHP3kE12xmKxAkpnO8OF3tms5Gv5z1cNltWPjllpRf0wwqHxrh00mdVery+PUVUPQ91ZE0RwtX2gkxVre8bZ8lzorr8WwFkPnRhUMP0mc/r+ZXkn9ROU+myU874jQLKXotzGJo+nELqet+hSyFTKNrQY6qlhnfNX03qutk6Poeh/kCzcOB+6wPcuWzl1OZGsbtZcpFmHDwlRS+6COM9ut3a/fh6+vLDK3GG0tAOeLAVatlhhNtFiztzBDhBac6Q9AObRqJYj3TCMW6GEQnEO+Zj5WVdEXNfXbfWZszM7iPBMiF8vX1RYVFO4VMaGiv6hCK3tW5qw5V9Si63V0vex4qrB7eUDIILLGYs22irJrsiIV5h4OKk3Hb/pYzrqJFN+0/LMO8Gf0SEqF1UtS2zHPecJmq+8pPKFgcvMuTN4YXgFH+7yYIrOdUMTpkmnmtHl72M6Yy3wFg479y5TiFZU/csnagtFMSsm0vrYCtnCoJdFgLYHh4JZT0pJJsDoStJtmtjCk3g/JXeFmOG4u3i6F6aGDkWWkAoww4Z6QIBlx2yK2PCyCRgJ2g54iZmfgH3AR2Bg8YC3miiJRSUXqrt+C+HwTwj7bR5BdeECheK3gJIELWiMF50s+REsxqhW9GEeg+T9Sv0yMAhWMziYwYiYHbzIKfVwqxO8zZpFENRTOCiIKeNmJnvUas1rsrKJPr7JPLrFUWCy+h2XyCS0eBs9tXBVrkVwz3Lz04rIi72c1a051KPeInbb/lKfuVjxFGcSV7gKzZLvkzeBIP1tiMa43PmOhyo29tbg1ENrWePYfl4ekoAqET+faEx8m3fhNhUT6ToQJUbdIXcC1603IocVUVy+jS+hwmleLEyXeyBj1zGrwo8ypdXouXPL2kFnAfSrvayxBMpvRwIHpSBS3gP5E/SWwCEGPoR+Yu2g20U65Fy35NVsG/fMSmCAEJ1arvcl8XhZCtQJRILthMm8ktz2DzMapUJITL16XW/OaHpocKS9hTuaTPLRXtkOl9UnqJqgVLclLFd00++wyp4qmH2Q4X96+EVsZLAP5PFPp6y8wfbTg42JPA/rv+4XRpJhZ7sGaTchWYqKjCintwG6z/Gi4vDBPi7uZdL982jyk08IunIq7tR8Lz5cL+isb4PniItswfHMvNRGP9SpcxSp4lCwotZpS/fUbUF3nagQeMBvnHUTxTM935Tz+r86z1pZPpL+n+XxYRg3rmL2OslwWmBuugDc/caqSbyIV7qxnU9IK3XKF2ld3PMxnKHdICO+jVr8+Zfxw7lDu9WD7E2gQY6veo0YYkoaz0snXdE78dqky6gNQpb4WTz9Vfav7in5bobOOVULZRPAX8ZGAvE+TRCr0wGmIa9wZvO27eOp/e+ZngI0EVHOujDwRVNNBB/e+SOsE4MLSsIW0vG+i64MijtVKvqc6Vlm1XuC8TbEmKj2edvwFiWieb2zKgEt7oYMBUp5wYznbYjGGZqTZZeS/vlezUopi/7tiLkDiUOAsG/zOTy7joxyrzsdezvEnSVbxyMchUnkANgEbRuov2YUrlh6+3HP+c7x2jFGolT+ogkOcuCF7pDBv2IfIW0/RNGnteJeN5koQ4CcZZMwCFIQwusCscPewMg0xK78fk8Fe5L56d/YwggVBBgkqhkiG9w0BBwGgggUyBIIFLjCCBSowggUmBgsqhkiG9w0BDAoBAqCCBO4wggTqMBwGCiqGSIb3DQEMAQMwDgQINTriWPMqhZgCAggABIIEyDagZpMYqw21efjHKp/Ro0r7xHBKahXsY5xnDLxyTiWiT/22gJDjlqSUMKPOMloXuqlfSXuCMo4dvRF3VGkJCc/N7P57OWTTZGVIcC/CkvH7zjL08tGb88BaFMgacj7cX+notFVT685Y76s1MLcILiE4mQxN6mRu6U6OzBZ8FvVcXVpnCf4C+mZLw0FP/ZxLlY9L3ZF82tZLYyDmpCpNFtfEB3vyduYhyb7aabvbFBu7Gnv8RiF2ohUSMVBv0gg9JAz0doLhwd2CiNjxHZTNzIliwEO3aTNIQjFz/5Lqa/jGjLQ8mx9ZREADU3zD8LdDN+P0Q67hDxuQvru8XvaAkz9v71pY0H0Ifv6/S12UvOrROVaxA+Rhz/KjIai3djgWjJoVyr4WmgqxZx7zRVVHSo5+wggOmybKmBsY0ytH99d26veZciboeyUx5UtASvbny08uaXvHSPu/CRHsSLmYfHz0Dd3A8+Sey83zvP1qiMhrRQYNWoCT2EVxtBa2xzvcbrsUgvdG1/Pg8+L5vykhSyUu/16QXfJskooCQCpId7aRjMczpa/rmwBm7ay0Cg5MHv451u5EIKeKHwDBkwrepS5SwajJCTriMEi+YFQWBukSdKdTvXYTWcxjIpiwNJkPxH4MQwuEfh6fznenifyNKeF4BQRc7H9NwY4Vl0UuCukbmlPpJndlgyO+W5CApDdpxNKqc5rkyp2UiqF05qTZOMtL0/sPk97CrkkH3e5wwooJnBN9er94S5t6Hicw2zpfvH3FoPLcuHANV9e3QBzKNth+A1mWDtEvKPQ9AdObJUxBDeyxXyRenKlM7IX9I4HztpS3Dvgyg27eQnrvdOz+A6+IXzRJLhoT853uxGigL9fF+LVg7BoYYsoLyfBW6zDayFB5dliz+WD03GhbeUQSz7eXCq5v+5wglrSPPwI2P2RpzSiYy7IigF/krsvD1v42ciMMxr3OasQnCwPj+inPutHwBuuSb2FsEo0dASXQuqOJ66b5vo8MpnT1AP0BAXtfoxbimYVu7kfDOGEyRrARcH9KNsFxrBgKm0/Vu8Gv2nS1bDXxJtkj891igDR1ubybPQiVbjB0E3V6Oa2MEe23Vx632DbWhJpMIK2PGD8+V5rXkczf6zd2uGDY85g4aoK2ozmkf0/IUFL+ChpByXD0FqZ8szg/xOut0yR3wFFugLHMfBeR4QKb3ZFGX1g4i8HIejWqoRohnV2MpPGgfKB3AXBdkhQr7cFurtFe6PSI2UEDmdO6YLYuP3rkLJpyH6lBCqAcL7jFkKlzMnlrXEqnZ/eAsJpyAbm8QxbJLZiXFQqbCuO22u0Q6r2bDPqDxACP5S2utJnD5yFaFuEIESYn1KlAXJoPFiRO4K4iRpspIZM1KY7/xFsj4ssGjOY/6O+K0Sxmg+qLwpxCpBvk1leusNb9Ua6bEMGiWUTS+PptkMmou/cYycoIlsIFx/lzmxSi1IsI+x/SSlOj0V2+FnLW0to5DgmJj0Y6Cg9hyI5UGhLTdNjtgFv2VEZ5F862c6aehpsEUcN5lRAb75fxZWiAHptGPH+M6xLsH0e6jRCGGfaoz1nA/vGDTJbhvQh+gTuerjuhnxMLkXt58bpQNiC5KB3lY78dch+/TzElMCMGCSqGSIb3DQEJFTEWBBThvL9jHiqk9kxxa+fO4m1Klc0mWzAxMCEwCQYFKw4DAhoFAAQU2t4LC2xjLRH7pTlVgA3R6iJ7TYsECA+RO2Li8MyxAgIIAA==';
$sc = new SoapClient('https://finanzonline.bmf.gv.at/fon/services/FileUploadWSI/wsdl/FileUploadWSIService.wsdl');
var_dump($sc->GetVersion());
$result = openssl_pkcs12_read(base64_decode($p12), $cert_data, 'qwerty');
var_dump($cert_data);
var_dump($sc->GetVersion());
Could somebody test this script? In PHP Version 5.6.9-0+deb8u1 with OpenSSL 1.0.1k 8 Jan 2015 I've got no second result of GetVersion call and the warning and error.
EDIT3
Same result in PHP 7 Alpha 1. Reported as Bug #69882.
I've confirmed that this is PHP bug, and was introduced in PHP 5.6.7, in commit fd4641696cc67fedf494717b5e4d452019f04d6f.
The workaround is to call
openssl_error_string()afteropenssl_pkcs12_read().Update
A pull request has been submitted to address this issue - merged