CURL Error: 56 - OpenSSL SSL_read: error


Is anyone having this issue with domains registered with ENOM? All of a sudden today we started getting this error.

Registrar Error
CURL Error: 56 - OpenSSL SSL_read: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading, errno 0

Thanks


  • 2 years later...

 

This issue isn't specific to cPanel

I installed Almalinux 9 running:

libcurl-7.76.1-19.el9_1.1.x86_64

curl-7.76.1-19.el9_1.1.x86_64

openssl-3.0.1-47.el9_1.x86_64

 

I attempted to migrate WHMCS over to that new machine and discovered I was getting the same error when attempting to access things at Enom.   Whether cPanel issued a "fix" in EasyApache 4 at some point to fix it, or whether reverting back to a previous or newer version of Curl may have fixed it for some, it definitely doesn't work on Almalinux 9 with the above packages.

So does Enom run some broken TLS implementation that they should fix?   Or are OpenSSL devs fixing and then reintroducing these issues with changes to OpenSSL?   Is it the Curl devs who need to fix it?    No clue.   I think Enom needs to fix things on their end.    You guys (WHMCS) are tight with Enom.    So maybe WHMCS might consider reaching out to Enom regarding this issue.

Regardless of whose fault it is, it's unfortunate that one can't provision a brand new hosting server running the most recent version of a reliable OS and expect things to work.   Bummer.

Edited by mtindor

  • 6 months later...

Is anyone taking responsibility for this issue?

We have Ubuntu 22.04 with CURL 7.81.0 and the ENOM module is defective.

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05

The workaround, which is to roll back to an insecure version of CURL, is not an option, so when will a proper solution be implemented?
Failing that we may need to ditch ENOM as a provider.

 


Just an update on this issue.

On Ubuntu 22.04 this has been traced to the use of OpenSSL 3.0.X.  There is a link that offers a resolution, https://github.com/openssl/openssl/issues/18866 however this uses a new setting called SSL_OP_IGNORE_UNEXPECTED_EOF which reverts to using legacy insecure renegotiation between OpenSSL to support broken and unpatched servers.

The main cause of this is that the ENOM API does not send the mandatory close_notify alert on shutdown. If the client application tries to wait for the close_notify alert but the peer closes the connection without sending it, this error is generated. When this option is enabled the peer does not need to send the close_notify alert and a closed connection will be treated as if the close_notify alert was received.

From a security point of view, there is nothing good about the solution above and it causes apache2 to fail starting. 

The ENOM API has not been updated for over 7 years and is still at version 1.0 https://api.enom.com/changelog. So it looks like development of the API has been abandoned and does not comply with OpenSSL3 standards. I have been in contact with ENOM but they are not interested and are not willing to look into the issue.

So, I think it's time to ditch ENOM as a provider. 
 

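An added example, not part of any post in this thread: the OpenSSL documentation says SSL_OP_IGNORE_UNEXPECTED_EOF should only be enabled when the protocol running over TLS can detect truncation itself. The sketch below shows that check for an HTTP/1.1 response that ended without close_notify; the function names and the sample responses in the test are constructed for illustration and are not WHMCS, curl or Enom code.

```python
HEX = b"0123456789abcdefABCDEF"

def split_head(raw: bytes):
    """Return (headers, body), or None if the header block itself is cut off."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def chunked_complete(body: bytes) -> bool:
    """True only if every chunk is whole and the zero-length last chunk arrived."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False
        token = body[pos:eol].split(b";")[0].strip()
        if not token or any(c not in HEX for c in token):
            return False
        size = int(token, 16)
        if size == 0:                              # last chunk, then trailers + CRLF
            return body.find(b"\r\n\r\n", eol) >= 0
        pos = eol + 2 + size + 2                   # size line, data, CRLF
        if pos > len(body):
            return False

def body_state(raw: bytes, got_close_notify: bool) -> str:
    """Classify a response as 'complete', 'truncated' or 'unverifiable'."""
    parsed = split_head(raw)
    if parsed is None:
        return "truncated"
    headers, body = parsed
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        return "complete" if chunked_complete(body) else "truncated"
    length = headers.get(b"content-length")
    if length is not None:
        if not length.isdigit():
            return "unverifiable"
        return "complete" if len(body) >= int(length) else "truncated"
    # Close-delimited body: only close_notify proves the peer finished sending.
    return "complete" if got_close_notify else "unverifiable"
```

A response with neither Content-Length nor chunked encoding is the case where ignoring the missing close_notify leaves no way to tell a full reply from a cut-off one.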

Indeed, Enom is the cause of this problem and it does not respond. What are the recent versions? After updating the operating system on the server, I faced the same problem and sent Enom support, but there was no response. The solution is not to use Enom as a service provider, and I actually now use resellerclub and the api was linked without a problem.


 

9 hours ago, ahmed nour said:

Indeed, Enom is the cause of this problem and it does not respond. What are the recent versions? After updating the operating system on the server, I faced the same problem and sent Enom support, but there was no response. The solution is not to use Enom as a service provider, and I actually now use resellerclub and the api was linked without a problem.

Here is the Version Information

Ubuntu 22.04.3 LTS

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

PHP Version => 8.1.2-1ubuntu2.14
