Strange timeout with PHP cURL and SSL

I'm experiencing strange timeouts using cURL with PHP when trying to access Amazon Cloudfront. This seems to affect all invalidation requests, creating distributions etc. cURL either reports receiving 0 bytes, or very few bytes, and then times out: Operation timed out after 120000 milliseconds with 88 out of 619 bytes received.

Extending the timeout settings does not seem to make a difference.

Putting a trace using CURLOPT_VERBOSE produces this output:

* About to connect() to cloudfront.amazonaws.com port 443 (#0)
*   Trying 72.21.215.67... * connected
* Connected to cloudfront.amazonaws.com (72.21.215.67) port 443 (#0)
* skipping SSL peer certificate verification
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
*   subject: CN=cloudfront.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
*   start date: Jul 30 00:00:00 2010 GMT
*   expire date: Jul 29 23:59:59 2013 GMT
*   common name: cloudfront.amazonaws.com
*   issuer: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
> POST /2010-11-01/distribution/E1CIM4A92QFD98/invalidation HTTP/1.1
User-Agent: S3/php
Accept: */*
Host: cloudfront.amazonaws.com
Date: Wed, 07 Mar 2012 14:31:58 GMT
Content-Type: application/xml
Authorization: AWS ************************
Content-Length: 200

< HTTP/1.1 201 Created
< x-amzn-RequestId: 4c2d0d3f-6862-11e1-ac27-5531ac8c967f
< Location: https://cloudfront.amazonaws.com/2010-11-01/distribution/E1CIM4A92QFD98/invalidation/I35KLNROKA40FU
* Operation timed out after 120000 milliseconds with 0 bytes received
* Closing connection #0

This seems similar to this question. However, it looks like in my case curl does in fact get a response, but somehow ignores it and times out? From what I see, the response is received (201 Created...), and there are no SSL errors. So why does curl time out?

cURL version info

[version_number] => 463623 
[age] => 3 
[features] => 1597 
[ssl_version_number] => 0 
[version] => 7.19.7 
[host] => x86_64-unknown-linux-gnu 
[ssl_version] => NSS/3.12.7.0 
[libz_version] => 1.2.3 
[protocols] => Array ( [0] => tftp [1] => ftp [2] => telnet [3] => dict [4] => ldap [5] => ldaps [6] => http [7] => file [8] => https [9] => ftps [10] => scp [11] => sftp )
Lesseps answered 7/3, 2012 at 14:49 Comment(6)
It says Content-Type: application/xml and Content-Length: 200 and then with 0 bytes received... it seems the response headers arrived, but not this 200 bytes XML response body. - Heavyarmed
Try disabling the firewall just as a test and see what happens. - Heavyarmed
Thanks @J.Bruni. I believe the Content-Length header is for the request, and if you look further, there is a response from the server (HTTP/1.1 201 Created), with the Location header. The "with 0 bytes received" is exactly the problem. It did receive some bytes but curl ignores them and times out... There is no firewall. - Lesseps
You are right. Well, if we only could see how you're setting up your session... - Heavyarmed
For example, CURLOPT_FOLLOWLOCATION is set to true? - Heavyarmed
Good instincts @J.Bruni!! It was set to true, and commenting it out seems to make this particular request work (but might cause issues with other requests which may rely on following a redirect though). However, curl shouldn't actually follow a Location header on a 201. Only 30x are meant to be followed. Could this be a bug in this particular version of curl?? The code that I'm looking at is the W3 Total Cache plugin (w3-total-cache/lib/S3.php) in case you want to see the full settings. I believe it does generally work though, so this problem looks specific to this version of curl(?) - Lesseps

Still not entirely sure why this version of curl behaves this way (it looks like a bug), but the solution was to compile a different version of curl and php (more or less following these instructions).

Lesseps answered 14/3, 2012 at 15:32 Comment(0)

It would help to see how you're setting up your curl session. Are you doing things like:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");

The quick test to see if you're having an SSL verify problem is:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Arawn answered 7/3, 2012 at 15:2 Comment(1)
Both VERIFYPEER and VERIFYHOST are false. I think the verbose output doesn't indicate any SSL verify issues. It sends the requests, receives the response, but still times out... - Lesseps
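
The session settings this thread turns on (CURLOPT_FOLLOWLOCATION and the two SSL verify options), as an added example that is not part of the original posts or of W3 Total Cache's S3.php: one request with automatic redirects off and certificate checks on, which reports a Location header as a redirect only on a 3xx status. The function name https_request and the timeout values are assumptions.

```php
<?php
// Added example: not code from W3 Total Cache or from the posts above.
// https_request() and the timeout values are assumptions made for illustration.

function https_request(string $url, array $extraOpts = []): array
{
    $headers = [];
    // Enforced settings are the left operand of the union, so entries in
    // $extraOpts (POST body, Authorization header, ...) cannot override them.
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,           // never auto-follow Location
        CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // validate the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse non-HTTPS URLs
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        // Collect response headers so Location can be read per status code.
        CURLOPT_HEADERFUNCTION => function ($ch, $line) use (&$headers) {
            $parts = explode(':', $line, 2);
            if (count($parts) === 2) {
                $headers[strtolower(trim($parts[0]))] = trim($parts[1]);
            }
            return strlen($line); // tell cURL the whole line was consumed
        },
    ] + $extraOpts;

    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($body === false) {
        // Timeouts and TLS verification failures both surface here.
        throw new RuntimeException("cURL error $errno: $error");
    }
    $location = $headers['location'] ?? null;
    return [
        'status'   => $status,
        'body'     => $body,
        // 201 Created: Location names the new resource; it is not a redirect.
        'resource' => ($status === 201) ? $location : null,
        // Only a 3xx carries a redirect target; the caller decides whether to follow.
        'redirect' => ($status >= 300 && $status < 400) ? $location : null,
    ];
}
```

Because the caller follows a redirect explicitly, it can also decide whether headers such as Authorization should be sent to the new URL at all.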
