API not working after update to 2014.10

[del]

Hey,

I updated on saturday but the API is not working anymore.
When calling /api/soap/ i get:

Code: Select all

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>WSDL</faultcode>
<faultstring>
SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://localhost:443/api/soap?wsdl' : failed to load external entity "https://localhost:443/api/soap?wsdl"
</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Before update I got:

Code: Select all

<SOAP-ENV:Envelope>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>Sender</faultcode>
<faultstring>Invalid XML</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Any ideas?

[del]

This is a serious problem here, anyone any idea?

[Julien]

Hi del,

The last patch did not introduce large change.
About web server config you have to check your certificate because of apache version / cypher preferences / no sslv3.

On our community cluster it works. On the enterprise version also.


Julien.

[del]

Hm.
So you dont get this error when using your /api/soap/ site?
The Certificate is valid (SHA256RSA) but it sure doesn't match "localhost"
May there be a problem? Any idea where I can have a look at? Maybe enable more logging?

Best regards,
del

[del]

Still no news on this?

[del]

How do I say the server not to call localhost:443 but the server's name?
It's just not true, that I'm the only one with this problem
Julien, Olivier, please give me a hint.

Found this post too:
viewtopic.php?f=12&t=2144

[del]

Still not fixed. Seriously, you dont have any problems on your test systems?
What are the differences between your Community Edition Cluster and the version you gave us?

I'd really like to help but without any information from you it's impossible and very frustrating for me.
Seems like the problems started when you included the openssl 1.0.1

[del]

Dear Olivier, dear Julien,

I am really upset about this one here. You do not provide any paid support for mailcleaner community edition anymore but also do not support us here with some information to get rid of problems.
Olivier, we talked about this last year on the CeBIT in Germany and I told you that I'd love to support MC more and be absolutely willing to pay money. We have spent about 700USD in 2013 and 2014 because I really think, this project is good and worth getting supported. We would even use the commercial version of MC but we have to do some modifications that makes it impossible for us to use.

When Julien joined this board and made that post: viewtopic.php?p=8722#p8722 I thought it is getting better but it's getting worse. Not even the things contributed by the community are used to improve mailcleaner like my post from December 2013: viewtopic.php?f=6&t=1894

I really hope we can find a solution for this. There are so many users here that want to improve, want to help and maybe spend some money for this project. Please, let us provide input for you, support the users and get MC ready for the future. And please, help us fixing problems.

Thank you,
Fabian

[jimp]

del,

I noticed the upgrade to 2014.10 has enabled strict SSL verification in general, but I still do not know what exactly upgraded to cause that. My guess is MailCleaner's code isn't at fault, but rather a system package (openssl) upgraded and has introduced strict validation. I wish I could turn it off, or at least configure MC to allow certificate name mismatches. See my post about the SMTP connector breaking, which is still not fixed or acknowledged by anyone else: viewtopic.php?p=8763#p8763. I think our issues are related. I worked around the issue by configuring the correct FQDN for domains that actually login to my MC.

You could edit out the HTTPS portion of the URL in the SOAP code. I haven't tried this, but I went searching for a solution to try to help you out. I want to try the API soon, but it definitely looks broken based your reports and the code--for anyone using HTTPS with MC at least.

1. Edit /usr/mailcleaner/www/api/application/api/controllers/SoapController.php.
2. Comment out the line (or entire if block) that initializes the URL to "https://":

Code: Select all

        public function init()
        {
                Zend_Registry::set('soap', true);

                $this->_url = 'http://';
                if (isset($_SERVER['HTTPS'])) {
//                      $this->_url = 'https://';
                }
                $this->_url .= 'localhost'.":".$_SERVER['SERVER_PORT'].$_SERVER['REQUEST_URI']."?wsdl";
                $this->_options{'uri'} = $this->_url;

                require_once('SoapInterface.php');

        }

The CVS log doesn't indicate this code has changed since it was first introduced to the Community Edition, which is further evidence a system library upgrade is the origin of the issue.

Alternatively, you could also try replacing 'localhost' with your SSL common name, although it wouldn't be ideal to hardcode your hostname there. Non-SSL on the localhost is fine, IMO.

[del]

Hi jimp,

thanks for the hint but it doesnt work:

Code: Select all

<SOAP-ENV:Envelope><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>WSDL</faultcode><faultstring>SOAP-ERROR: Parsing WSDL: Couldn't load from 'http://localhost:443/api/soap/?wsdl' : failed to load external entity "http://localhost:443/api/soap/?wsdl"
</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

I think the problem is the new httpd-package which comes with openssl 1.0.1.
It's located in /opt/openssl/

Code: Select all

# /opt/openssl/bin/openssl version -a
OpenSSL 1.0.1j 15 Oct 2014
built on: Thu Nov 13 10:55:07 CET 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/opt/openssl"


Code: Select all

# /opt/apache2/bin/httpd -V
Server version: Apache/2.2.29 (Unix)
Server built:   Nov 13 2014 10:59:03
Server's Module Magic Number: 20051115:36
Server loaded:  APR 1.5.1, APR-Util 1.5.3
Compiled using: APR 1.5.1, APR-Util 1.5.3
Architecture:   64-bit
Server MPM:     ITK
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/experimental/itk"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/opt/apache2"
 -D SUEXEC_BIN="/opt/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/opt/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/opt/apache2/httpd.conf"


Can you see anything that might cause the problems?

[jimp]

I'm sorry I didn't get back to you. I thought I had forum notifications enabled but did not.

I am with you. The SOAP API doesn't work. (The REST one still does.) I have been trying for a while tonight to figure out where the error is, but I haven't had much success. But my research points to PHP 5.6, which I'm guessing must have been upgraded with the latest MailCleaner release.

http://stackoverflow.com/questions/2514 ... ct-to-wsdl
http://php.net/manual/en/class.soapclient.php#116724
http://php.net/manual/en/migration56.openssl.php

[aevans]

Would this bug cause the CANNOTLOADMESSAGE problems when trying to view a quarantined message from a slave machine in a cluster setup?