Bug 2104630
Summary: | PHP 8 snmp3 Calls Using authPriv or authNoPriv Immediately Return False Without Error Message | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | ISV-PA <is.vendors> | |
Component: | php | Assignee: | Remi Collet <rcollet> | |
Status: | CLOSED ERRATA | QA Contact: | Branislav NĂ¡ter <bnater> | |
Severity: | medium | Docs Contact: | ||
Priority: | unspecified | |||
Version: | CentOS Stream | CC: | bstinson, fedora, jorton, jwboyer | |
Target Milestone: | rc | Keywords: | AutoVerified, Regression, Triaged | |
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | php-8.0.20-3.el9 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 2112814 2113888 (view as bug list) | Environment: | ||
Last Closed: | 2022-11-15 10:35:40 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 2112814, 2113888 |
Description
ISV-PA
2022-07-06 18:17:19 UTC
sha1 is deprecated and disabled in 9 Please try SHA256 or SHA512 Or try to lower security policy to LEGACY (using update-crypto-policies) Thank you for the response Remi. A downgrade to PHP 7.4 on the same CentOS 9 Stream server using the remi repo results in the same problematic PHP SNMP3 calls now working properly. This would presumably rule out it being an issue with SHA support or needing legacy crypto policies in CentOS 9. With other factors aside from PHP version being the same, the calls do not work under Centos 9's PHP 8.x packages, but do work under legacy PHP 7.4. Regarding the suggestion to use SHA256 or SHA512, I should have included in my last update comment that the php.net documentation for the PHP functions such as "snmp3_get" mention only two possibilities for "auth_protocol" -- snmp3_get( string $hostname, string $security_name, string $security_level, string $auth_protocol, string $auth_passphrase, string $privacy_protocol, string $privacy_passphrase, array|string $object_id, int $timeout = -1, int $retries = -1 ): mixed auth_protocol the authentication protocol (MD5 or SHA) i.e. only "MD5" and "SHA" seem to be valid options, with no mention of higher security SHA options such as SHA256 or SHA512. (In reply to ISV-PA from comment #3) > i.e. only "MD5" and "SHA" seem to be valid options, with no mention of > higher security SHA options such as SHA256 or SHA512. Documentation issue ;) => https://github.com/php/doc-en/pull/1727 I was able to reproduce on Fedora $ php82 -r 'var_dump(snmp3_get("localhost", "adminSHA", "authNoPriv", "SHA", "test1234", "", "", ".1.3.6.1.2.1.1.1.0"));' string(117) "STRING: Linux builder.remirepo.net 5.18.13-100.fc35.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jul 22 14:20:24 UTC 2022 x86_64" $ php81 -r 'var_dump(snmp3_get("localhost", "adminSHA", "authNoPriv", "SHA", "test1234", "", "", ".1.3.6.1.2.1.1.1.0"));' string(117) "STRING: Linux builder.remirepo.net 5.18.13-100.fc35.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jul 22 14:20:24 UTC 2022 x86_64" $ php80 -r 'var_dump(snmp3_get("localhost", "adminSHA", "authNoPriv", "SHA", "test1234", "", "", ".1.3.6.1.2.1.1.1.0"));' bool(false) $ php74 -r 'var_dump(snmp3_get("localhost", "adminSHA", "authNoPriv", "SHA", "test1234", "", "", ".1.3.6.1.2.1.1.1.0"));' string(117) "STRING: Linux builder.remirepo.net 5.18.13-100.fc35.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jul 22 14:20:24 UTC 2022 x86_64" This is related to backport in our PHP 8.0 build With the proper fix $ php80 -r 'var_dump(snmp3_get("localhost", "adminSHA", "authNoPriv", "SHA", "test1234", "", "", ".1.3.6.1.2.1.1.1.0"));' string(117) "STRING: Linux builder.remirepo.net 5.18.13-100.fc35.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jul 22 14:20:24 UTC 2022 x86_64" Fixed in Fedora 35 (will be included next week in upcoming 8.0.22) https://src.fedoraproject.org/rpms/php/c/217cba0df6d5f2bcce1cd16b66c6ef24e25b6cc1?branch=f35 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: php security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8197 |