Bug 1408301
| Field | Value |
|---|---|
| Summary | php openssl extension does not work with non-default crypto engines |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | David Mulford <dmulford> |
| Component | php |
| Assignee | Remi Collet <rcollet> |
| Status | CLOSED ERRATA |
| QA Contact | David Jež <djez> |
| Severity | high |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.3 |
| CC | bnater, djez, fedora, jorton, rcollet, tmraz |
| Target Milestone | rc |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-10-30 11:26:06 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1420851, 1549616, 1562205 |
| Attachments | |
Created attachment 1234879 [details]
Patch containing addition of OPENSSL_config() function

Description of problem:

PHP openssl extension ignores OpenSSL configuration files. It reads neither the default /etc/pki/tls/openssl.cnf file, nor does it honour the OPENSSL_CONF environment variable. Customers using a non-default openssl engine (like GOST) are using the openssl.cnf file to enable this in the openssl extension. The fact that PHP ignores /etc/pki/tls/openssl.cnf (or any other custom OpenSSL file) makes it impossible to use GOST cipher in PHP code as well as any other non-default OpenSSL engines and ciphers.

Looking at source in php-5.4.16/ext/openssl/openssl.c reveals that PHP doesn't invoke OPENSSL_config(), which is why configuration files are not loaded.

Version-Release number of selected component (if applicable):

* php-5.4.16-42.el7
* RHEL 7.3

How reproducible: Always

Additional info: A customer has given the attached patch which calls the OPENSSL_config() function, and has asked for the inclusion of this in RHEL 7.3.

---

PHP doesn't use OPENSSL_init, but loads the configuration file using the CONF_load() function instead. Configuration can be set via the OPENSSL_CONF environment variable or in code using the "config" option in a lot of function calls.

Test using upstream test case: http://git.php.net/?p=php-src.git;a=blob_plain;f=ext/openssl/tests/021.phpt;h=391b6a5279f99875696a881693f0123c1afc795b;hb=refs/heads/PHP-5.4.16

```
$ strace php 021.phpt 2>&1 | grep openssl.cnf
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
```

Both system and test configuration files are used.

```
$ cp /etc/pki/tls/openssl.cnf /tmp
$ export OPENSSL_CONF=/tmp/openssl.cnf
$ strace php 021.phpt 2>&1 | grep openssl.cnf
open("/tmp/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/tmp/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/tmp/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/tmp/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/tmp/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
open("/tmp/openssl.cnf", O_RDONLY) = 3
open("/home/remi/php-5.4.16/ext/openssl/tests/openssl.cnf", O_RDONLY) = 3
```

Both system (redirected) and test configuration files are used.

---

PR open to raise discussion with upstream maintainer: https://github.com/php/php-src/pull/2706

---

Applied in upstream PHP 7.2.

For OpenSSL 1.1: https://github.com/php/php-src/commit/58df6a3b61f5cb914d899fbb44eecadad8098700

For OpenSSL 1.0: https://github.com/php/php-src/commit/1f843a8fb50de77a3f53a6b892a46d9e0afdfdd7

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3228
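The report above turns on two things: which configuration file the extension opens (OPENSSL_CONF or the per-call "config" option), and whether an engine enabled in that file is actually usable from PHP. The following is an added diagnostic script, not code from the bug report, the attached patch or PHP's own sources; it is written for the PHP 5.4 era discussed here, and the configuration path and the GOST digest name it looks for are assumptions to be adjusted for the engine in use. It does not itself enable any engine; it only reports what the running PHP build can see, which is the check an operator wants before and after applying the erratum.

```php
<?php
// Added example, not part of the bug report or of PHP's ext/openssl.
// Assumed values: the system config path named in the report and one GOST
// digest name; change both to match the engine configured on your host.
$assumedConf = '/etc/pki/tls/openssl.cnf';
$assumedAlgo = 'md_gost94'; // assumption: a digest exported by the GOST engine

/**
 * Path the extension is expected to use for configuration: OPENSSL_CONF when
 * set, otherwise the distribution default. On a build without the fix from
 * this bug the variable is shown but not honoured at module init.
 */
function effective_config_path($fallback)
{
    $env = getenv('OPENSSL_CONF');
    return ($env !== false && $env !== '') ? $env : $fallback;
}

/**
 * Pass the config file explicitly through the "config" option, the per-call
 * mechanism mentioned in the report. Returns true on success; on failure the
 * OpenSSL error queue is drained into $errors so the cause is visible.
 */
function keygen_with_config($conf, array &$errors)
{
    $errors = array();
    $key = openssl_pkey_new(array(
        'config'           => $conf,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ));
    if ($key === false) {
        while (($err = openssl_error_string()) !== false) {
            $errors[] = $err;
        }
        return false;
    }
    openssl_pkey_free($key);
    return true;
}

/**
 * True when a digest that only an engine provides is listed by the
 * extension. If the engine is enabled in openssl.cnf but this returns false,
 * the config modules were not loaded, which is the symptom of this bug.
 */
function engine_digest_visible($algo)
{
    $methods = array_map('strtolower', openssl_get_md_methods(true));
    return in_array(strtolower($algo), $methods, true);
}

/** Collect the three checks into one report array. */
function openssl_config_report($conf, $algo)
{
    $errors = array();
    return array(
        'config_path'     => effective_config_path($conf),
        'keygen_ok'       => keygen_with_config(effective_config_path($conf), $errors),
        'keygen_errors'   => $errors,
        'engine_digest'   => $algo,
        'digest_visible'  => engine_digest_visible($algo),
    );
}

// Usage: php this_script.php   (optionally with OPENSSL_CONF=/path/openssl.cnf)
foreach (openssl_config_report($assumedConf, $assumedAlgo) as $k => $v) {
    printf("%-15s %s\n", $k . ':', is_array($v) ? implode('; ', $v) : var_export($v, true));
}
```

Run it once with the default environment and once with OPENSSL_CONF pointing at a copy of the configuration, as the strace comparison in the report does: the config_path line shows which file PHP is expected to read, and digest_visible is the observable difference between a build that merely parses the file with CONF_load() and one that loads its modules through OPENSSL_config().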