PEAR2 API-SSL error with large router answer since v6.21

GeraldSB · November 25, 2014, 7:04am

Hello,

I’ve been successfully using the PEAR2 NetRouterOS (versions 1.0.0b4 and 1.0.0b5) to retrieve /ip/firewall/address-list records.
The code connects to the router using the CRYPTO_TLS option.

Since the upgrade to 6.21 (and 6.22), if the amount of data returned by the router passes a certain threshold (about 140 records without comments), the code fails with the following error (see attached file for full error):
“SSL operation failed with code 1. OpenSSL Error messages: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number in phar:///Library/WebServer/Documents/vi-user-portal-backend/lib/Mikrotik/PEAR2_Net_RouterOS-1.0.0b5.phar/PEAR2_Net_RouterOS-1.0.0b5/src/PEAR2/Net/Transmitter/Stream.php on line 393”

The error does not occur when using no encryption.
Has anybody encountered a similar problem, is there a work around ?

Routers tested: RB493G (mipsbe) and RB750 (mipsbe)
PHP servers tested: MacOS 10.9.5 with PHP 5.4.27 and MacOS 10.9.2 with PHP 5.4.24

Thanks,
Gerald.
SSLError.rtf (53.8 KB)

boen_robot · November 25, 2014, 11:02am

If you take a look at the wiki page or the PHAR output, you’ll notice the following:

NOTE: Due to known issues with PHP itself (61285, 62605, 65137, and possibly others), encrypted connections can be very unstable.

Cases like yours are what “very unstable” refers to. So… I’m sad to say there’s no work around currently, and it’s not really RouterOS’ fault (which is a sentence I don’t say often …).

Bug 65137 in particular (which was a key point, after which I was looking for workarounds, only to encounter the rest of the bugs) was kind of solved in 5.4.33, only to be reverted in 5.4.34, because it could cause other issues, and it’s still not solved to this day.

The closest thing to a workaround is that you minimize your payload during a single request/response cycle, by first getting only the IDs of the matches, and only then getting the actual data one ID at a time. But then, if you have too many IDs matching, you’ll still have the same problem.

GeraldSB · November 26, 2014, 2:35am

PHP bug 65137 was high on my suspects list.
But since the problems only started with RouterOS 6.21, I was hoping there might be something else.
I’ve submitted this to Mikrotik support as well and will update here when I hear back from them.