PHP 5.x patch needed for compatibility with newer OpenSSL

wattie

UPDATE 16.08.2019 - the below is silly and wrong. OpenSSL disabled SSL3 by default but it does not mean that it can't be enabled. Simple "make config" and recompile will do it.

As all newer versions of OpenSSL disabled support for SSL 3, now most operating systems have trouble compiling older versions of PHP.

More precisely, PHP 5.4 and older (probably 5.5 too) will produce the following error:

--- sapi/fpm/php-fpm ---
ext/openssl/xp_ssl.o: In function `php_openssl_setup_crypto':
/usr/local/directadmin/custombuild/php-5.4.45/ext/openssl/xp_ssl.c:343: undefined reference to `SSLv3_client_method'
/usr/local/directadmin/custombuild/php-5.4.45/ext/openssl/xp_ssl.c:355: undefined reference to `SSLv3_server_method'

A similar issue happened years ago when SSL 2 was disabled and the PHP team released a patch for it here:

https://bugs.php.net/patch-display....SSLv2_for_openssl_1_0_0.patch&revision=latest

This time (unfortunately) they will not patch it officially because these versions of PHP are unsupported.

DirectAdmin however still provides these PHP versions (and I praise them for that - many hosting providers are unfortunately stuck with support for old PHP versions because of retro websites being hosted on them). Now without a PHP patch DA can't be installed on newer OS. Keeping the existing OS and OpenSSL library up-to-date may also be an issue.

So I guess we do need a patch for old PHP versions to get SSL 3 disabled. I guess it will be similar to the patch I posted above.

Anybody?
 
Silly, silly, silly me. OpenSSL still DOES support SSL3 (even the latest 1.1.1) but it was not enabled by default.

The fix is simple: "make config" for OpenSSL, enable it and then recompile.

After that PHP 5.4 will compile with no problems and no patch is needed.

Note: PHP 5.x will compile only against OpenSSL 1.0.2 or lower. It won't work on 1.1.x
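
A pre-build check for the two conditions described in the post above, as an added example that is not part of the original thread: it reads the OpenSSL headers PHP would be compiled against and reports whether the SSLv3 method symbols are declared and whether the version is below 1.1.0. The function names, verdict strings and sample header contents are assumptions made for illustration; `OPENSSL_NO_SSL3_METHOD` and `OPENSSL_VERSION_NUMBER` are the macros OpenSSL's own headers use.

```shell
#!/bin/sh
# Added example, not from the thread. Sample headers below are constructed.

# Print a verdict for the OpenSSL headers in $1 (an include/openssl directory):
#   ok              SSLv3 method symbols declared and version below 1.1.0
#   no-ssl3-method  OPENSSL_NO_SSL3_METHOD is set, so SSLv3_client_method and
#                   SSLv3_server_method are absent and xp_ssl.o will not link
#   too-new         1.1.0 or later
#   unknown         headers missing, or the version is not a hex literal
check_openssl_for_php5() {
    dir=$1
    [ -f "$dir/opensslv.h" ] && [ -f "$dir/opensslconf.h" ] || { echo unknown; return 1; }
    # Matches e.g. "# define OPENSSL_VERSION_NUMBER  0x100020bfL"
    ver=$(sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}\(0x[0-9a-fA-F]\{1,\}\).*/\1/p' \
        "$dir/opensslv.h" | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 1; }
    if [ $(($ver)) -ge $((0x10100000)) ]; then echo too-new; return 1; fi
    # Some distributions split opensslconf.h into per-arch files; scan them all.
    if cat "$dir"/opensslconf*.h |
        grep -Eq '^#[[:space:]]*define[[:space:]]+OPENSSL_NO_SSL3_METHOD([[:space:]]|$)'; then
        echo no-ssl3-method; return 1
    fi
    echo ok
}

# Build three constructed header sets under $1/<name>/openssl/ (hypothetical names).
make_sample_headers() {
    root=$1
    for spec in "stock102:0x100020bfL:no" "nossl3:0x100020bfL:yes" "new111:0x1010103fL:no"; do
        name=${spec%%:*}; rest=${spec#*:}; num=${rest%%:*}; flag=${rest#*:}
        mkdir -p "$root/$name/openssl"
        printf '# define OPENSSL_VERSION_NUMBER  %s\n' "$num" > "$root/$name/openssl/opensslv.h"
        if [ "$flag" = yes ]; then
            printf '#ifndef OPENSSL_NO_SSL3_METHOD\n# define OPENSSL_NO_SSL3_METHOD\n#endif\n'
        else
            printf '/* SSLv3 methods enabled */\n'
        fi > "$root/$name/openssl/opensslconf.h"
    done
}

SAMPLES=$(mktemp -d)
make_sample_headers "$SAMPLES"
for name in stock102 nossl3 new111; do
    printf '%s: %s\n' "$name" "$(check_openssl_for_php5 "$SAMPLES/$name/openssl")"
done
rm -rf "$SAMPLES"
```
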
 
So if you still have php 5.6.4x centos 7x on DA custombuild it is default ok.

But if you want / need tls 1.3 update only apache rebuild with tls1.1.1c
Then php-fpm 5.6.4 not working with ssl 1.1.1 tls 1.3 ?

While for building and update php still the distro centos ssl 1.02k ?
 
For those who still need PHP 5.6, here are patches to allow PHP 5.6 to be compiled against OpenSSL 1.1.1p (21 Jun 2022) / icu 70.x (support for icu namespaces) / mbstring oniguruma 6.9.x.

Build success on freebsd 12.3, should be fine on linux also. Look into Build-php.sh to set paths you need.

Regards.
 

Attachments

  • patchset.zip