Rss-bridge: tls12_check_peer_sigalg:wrong signature type (35) PHP error

Created on 19 Sep 2019  路  7Comments  路  Source: RSS-Bridge/rss-bridge

Hi, I've been trying to write my own bridge, which you can find here:
https://github.com/theScrabi/rss-bridge/blob/nordbayern/bridges/NordbayernBridge.php

If i run this Bridge with php -S localhost:8080 (PHP 7.2.19-0ubuntu0.18.04.2 (cli)) it works flawlessly, however if I try to run it from Docker I get this issue:

[Thu Sep 19 09:05:14.923986 2019] [php7:notice] [pid 18] [client 172.28.0.1:38956] Exception: The requested resource cannot be found!
Please make sure your input parameters are correct!
cUrl error: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type (35)
PHP error:  in /app/lib/error.php:24
Stack trace:
#0 /app/lib/contents.php(194): returnError('The requested r...', 0)
#1 /app/lib/contents.php(234): getContents('https://www.nor...', '', Array)
#2 /app/bridges/NordbayernBridge.php(112): getSimpleHTMLDOM('https://www.nor...')
#3 /app/actions/DisplayAction.php(125): NordbayernBridge->collectData()
#4 /app/index.php(38): DisplayAction->execute()
#5 {main}, referer: http://localhost:3000/

You can try to reproduce it by using this zip and run it with docker:
rss-schabi.zip
and open it like this:
bla mp4

What am I doing wrong or what could I do to fix this?

Bug-Report

All 7 comments

So so I took a look at this and it looks like you're running into what's discussed here: https://github.com/openssl/openssl/issues/7126

Basically looks like some of Nordbayern's servers are a bit out of date and still have a bug that causes this error. The reason it works on Ubuntu for you and not in the (Debian based) container is either that Ubuntu doesn't set OpenSSL's SECLEVEL like Debian does, or that your Ubuntu machine just happened to resolve www.nordbayern.de to one of their working servers.

As a workaround you can edit the file /etc/ssl/openssl.cnf in the container and remove/comment out the line that reads CipherString = DEFAULT@SECLEVEL=2. Neither Arch Linux or Alpine sets the CipherString like that, so I imagine it's not too dangerous of a thing to do.

I believe you can also set the cipher list in your bridge to just DEFAULT and that should have the same effect, but that maybe more of a permanent solution for a probably temporary problem.

Hope that helps!

All right thanks :)

I guess we can close then

Ah yes forgot that sorry.

However is there a chance I can send a pullrequest with this bridge? I thought it was hard, as I now had to modify the container.

Definitely, yes ! I would be happy to merge !

All right :)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

sojusnik picture sojusnik  路  3Comments

lboullu picture lboullu  路  9Comments

sayrecs picture sayrecs  路  6Comments

rEnr3n picture rEnr3n  路  6Comments

OmkAR2013 picture OmkAR2013  路  8Comments