
PHP Server Side Scripting Forum

Curl: HttpOnly Fatal Failure
brokaddr




msg:4588056
 5:38 am on Jun 27, 2013 (gmt 0)

I can't find any info about this. A curl php script that previously worked, broke at random.

Now this cryptic 'HttpOnly Fatal Failure' shows up, and I have no clue why.

Headers:
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=14400
Strict-Transport-Security: max-age=14400
Content-Type: text/html
Date: Thu, 27 Jun 2013 05:31:00 GMT
Content-Length: 54
Connection: keep-alive
Set-Cookie: X-xx-xxx=name%3xxx.xxx.1%26xxx_xxx%3D880%26app%3Dxxx%26TIME%3D349096785; domain=.example.com; path=/; Secure; HttpOnly

Fatal Failure


Any of you encounter this before?

 

brotherhood of LAN




msg:4588057
 5:46 am on Jun 27, 2013 (gmt 0)

A quick Google: [en.wikipedia.org...]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797.


So it seems the server will only communicate with HTTPS

brokaddr




msg:4588354
 1:28 am on Jun 28, 2013 (gmt 0)

That makes sense. I didn't come across that Wikipedia article. Guess I wasn't entering the correct query.

I didn't write this script, so I'm not sure how to force it to communicate over HTTPS.

Am I missing a setting?
curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
curl_setopt($ch, CURLOPT_REFERER, '');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, xx_COOKIE_FILE);
curl_setopt($ch, CURLOPT_COOKIEJAR, xx_COOKIE_FILE);

brotherhood of LAN




msg:4588356
 1:41 am on Jun 28, 2013 (gmt 0)

You should be fine simply changing the URL you're fetching to https:// rather than http://

brokaddr




msg:4588364
 2:39 am on Jun 28, 2013 (gmt 0)

It has always connected to https://

brotherhood of LAN




msg:4588373
 2:51 am on Jun 28, 2013 (gmt 0)

I'd test the script to see what is actually being sent to the server in question.

Try changing curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); to TRUE, though, and see if that helps.

It's handy to have curl on the command line sometimes to quickly check these things.

For instance:
curl -v https://www.paypal.com
works fine. Paypal also serves the "Strict-Transport-Security:" header that insists on HTTPS communication.

brokaddr




msg:4588374
 3:02 am on Jun 28, 2013 (gmt 0)

Worked via command line.
curl -v https://www.paypal.com
* About to connect() to www.paypal.com port 443
* Trying 23.7.66.234... connected
* Connected to www.paypal.com (23.7.66.234) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA



I changed CURLOPT_SSL_VERIFYPEER to TRUE, still got the failure.
With paypal:

HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=14400
Strict-Transport-Security: max-age=14400
Content-Type: text/html
Date: Fri, 28 Jun 2013 02:58:30 GMT
Content-Length: 54
Connection: keep-alive
Set-Cookie: X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3D3606826065; domain=.paypal.com; path=/; Secure; HttpOnly

Fatal Failure


I did not change anything on my server (unless a curl update had triggered it, possibly), but I'm not familiar enough with curl to know what to check.

brotherhood of LAN




msg:4588375
 3:08 am on Jun 28, 2013 (gmt 0)

I quickly scanned through that wiki article and it doesn't seem to suggest there's any particular header or requirement of the client, other than to communicate with HTTPS.

Is it a well known service you're trying to send a request to?

brokaddr




msg:4588379
 3:31 am on Jun 28, 2013 (gmt 0)

The example above was PayPal:
domain=.paypal.com; path=/; Secure; HttpOnly Fatal Failure

brotherhood of LAN




msg:4588383
 3:51 am on Jun 28, 2013 (gmt 0)

Was that with curl on the command line or your PHP/curl script? I wasn't sure.

Try using CURLOPT_VERBOSE and CURLOPT_STDERR which might shed some light.

[php.net...]

brokaddr




msg:4588393
 4:37 am on Jun 28, 2013 (gmt 0)

It was the header output.

I got this:
Warning: curl_setopt(): supplied argument is not a valid File-Handle resource in /home/public_html/curl.php on line 209

Line 209:
curl_setopt($ch, CURLOPT_STDERR, 1);


Overall:
$ch = curl_init();
// curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_STDERR, 1);
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
curl_setopt($ch, CURLOPT_REFERER, '');
//curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, xx_COOKIE_FILE);
curl_setopt($ch, CURLOPT_COOKIEJAR, xx_COOKIE_FILE);

brotherhood of LAN




msg:4588395
 4:40 am on Jun 28, 2013 (gmt 0)

CURLOPT_STDERR value should be a filename that will log the errors, if any. There's info & examples on the PHP manual page.

brokaddr




msg:4588397
 5:03 am on Jun 28, 2013 (gmt 0)

Gotcha.

There's quite a bit in the log file, so I'll post the last bit of it (assuming most of it isn't needed?):


* Connection #0 to host www.paypal.com left intact
* Re-using existing connection! (#0) with host (nil)
* Connected to (nil) (23.7.66.234) port 443 (#0)
> POST /cgi-bin/webscr?cmd=_flow&SESSION=[snip]&dispatch=[snip] HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Host: www.paypal.com
Accept: */*
Referer: https://www.paypal.com/cgi-bin/webscr?cmd=_ship-now
Cookie: aksession=[snip]; Apache=10.73.8.58.1372395348682522; navlns=0.0; [snip]; navcmd=_ship-now; cookie_check=yes; [snip]
Content-Length: 195
Content-Type: application/x-www-form-urlencoded

* upload completely sent off: 195 out of 195 bytes
< HTTP/1.1 200 OK
< Server: Apache
< Strict-Transport-Security: max-age=14400
< Strict-Transport-Security: max-age=14400
< Content-Type: text/html
< Date: Fri, 28 Jun 2013 04:53:50 GMT
< Content-Length: 54
< Connection: keep-alive
* Replaced cookie X-PP-SILOVER="name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3xx" for domain paypal.com, path /, expire 0
< Set-Cookie: X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3Dxx; domain=.paypal.com; path=/; Secure; HttpOnly
<
* Connection #0 to host (nil) left intact
* Closing connection #0
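Added example, not code from this thread or from anyone in it: with CURLOPT_HEADER set, curl_exec() returns the headers and the body in one string, and the verbose log above shows the Set-Cookie line ending at HttpOnly, so splitting the result at CURLINFO_HEADER_SIZE keeps the cookie header apart from whatever the body says; it also shows CURLOPT_STDERR being given an open stream, which is what the earlier "not a valid File-Handle resource" warning was about. The function names and the sample response are assumptions.

```php
<?php
function splitCurlResponse(string $raw, int $headerSize): array
{
    // With CURLOPT_HEADER enabled the headers are prepended to the body;
    // CURLINFO_HEADER_SIZE says exactly where they end.
    $headerBlock = substr($raw, 0, $headerSize);
    $body        = substr($raw, $headerSize);
    $headers = [];
    foreach (preg_split("/\r?\n/", trim($headerBlock)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line, e.g. "HTTP/1.1 200 OK"
        }
        [$name, $value] = explode(':', $line, 2);
        // Repeated headers (Strict-Transport-Security, Set-Cookie) are kept as a list.
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return ['headers' => $headers, 'body' => $body];
}

function fetchWithTrace(string $url, string $cookieFile, string $traceFile): array
{
    $ch = curl_init($url);
    $trace = fopen($traceFile, 'a'); // CURLOPT_STDERR needs an open stream, not 1 or a filename
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $trace,
        CURLOPT_SSL_VERIFYPEER => true, // keep certificate checking on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEFILE     => $cookieFile,
        CURLOPT_COOKIEJAR      => $cookieFile,
    ]);
    $raw = curl_exec($ch);
    $headerSize = $raw === false ? 0 : curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $err = curl_error($ch);
    curl_close($ch);
    fclose($trace);
    if ($raw === false) {
        throw new RuntimeException("curl failed: $err");
    }
    return splitCurlResponse($raw, $headerSize);
}

// Constructed sample shaped like the thread's response, so the split can be seen offline.
$sample = "HTTP/1.1 200 OK\r\nSet-Cookie: X=1; domain=.example.com; path=/; Secure; HttpOnly\r\n\r\nFatal Failure";
$parsed = splitCurlResponse($sample, strpos($sample, "\r\n\r\n") + 4);
// $parsed['headers']['set-cookie'][0] ends with "HttpOnly"; $parsed['body'] is "Fatal Failure".
```

Once the header block and body are separated, the text that looked like a trailing token on the cookie line turns out to be the 54-byte response body the server sent to the POST, and the verbose trace file records each request and reply for the same run.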
