Migrating from openssl to openssl-unsafe?

wattie · Jan 16, 2020

FreeBSD recently removed the old OpenSSL 1.0.2 port and replaced it with OpenSSL 1.1.1. Therefore we can no longer use /usr/ports/security/openssl if we have to use PHP 5.x.

Looking at the alternatives (despite never updating the original port which will effectively stop me from updating few others - not good) I fount the port /usr/ports/security/openssl-unsafe. This is a 1.0.2 branch; however in it's description it states that:

This version of OpenSSL enables all possible features of OpenSSL. The libraries and binaries in this port must be considered vulnerable with known exploits available. Use for testing/scanning only.

I am unsure how much dangerous this is in practice. It's true that some libraries should not be used but at the end it is up to the software (Apache, Exim, etc) if they will use them or not, right? Is there any software which will use all OpenSSL features by default?

As an alternative solution, I am looking for a way to make php5.x to compile against the BASE OpenSSL and not the ports one. If I manage to do that, I'll be able to continue to use openssl in it's original port (php 7.x will be on 1.1.1 and php 5.x will use the 1.0.2 base one).

smtalk · Jan 16, 2020

wattie said:
FreeBSD recently removed the old OpenSSL 1.0.2 port and replaced it with OpenSSL 1.1.1. Therefore we can no longer use /usr/ports/security/openssl if we have to use PHP 5.x.

It's not true, PHP 5.6 should have no issues, please give it a try

wattie · Jan 16, 2020

Really? Did you patch it? Officially PHP 5.6.40 does not compile against OpenSSL 1.1.1.

I will give it a try asap.

smtalk · Jan 16, 2020

wattie said:
Really? Did you patch it? Officially PHP 5.6.40 does not compile against OpenSSL 1.1.1.

I will give it a try asap.

Years ago

it should work just fine

ReN · Feb 10, 2020

any update on this wattie ?

wattie · Feb 12, 2020

Sadly no. I still have some PHP 5.4 users which I struggle to migrate to 5.6...

dudek888 · Mar 13, 2020

PHP 5.6 recompile error on FreeBSD after upgrade OpenSSL to 1.1.1d
CB 2.0.0 rev.2441

/usr/local/directadmin/custombuild/php-5.6.40/ext/openssl/openssl.c:3560:9: error: incomplete definition of type 'struct dsa_st'
if (dsa->priv_key || dsa->pub_key) {
~~~^
/usr/local/include/openssl/ossl_typ.h:107:16: note: forward declaration of 'struct dsa_st'
typedef struct dsa_st DSA;
fatal error: too many errors emitted, stopping now [-ferror-limit=]
--- ext/openssl/xp_ssl.lo ---
/usr/local/directadmin/custombuild/php-5.6.40/ext/openssl/xp_ssl.c:1840:36: warning: address of 'sslsock->s.timeout' will always evaluate to 'true' [-Wpointer-bool-conversion]
if (began_blocked && &sslsock->s.timeout) {
~~ ~~~~~~~~~~~^~~~~~~
--- ext/openssl/openssl.lo ---
12 warnings and 20 errors generated.
*** [ext/openssl/openssl.lo] Error code 1

make: stopped in /usr/local/directadmin/custombuild/php-5.6.40
--- ext/libxml/libxml.lo ---
2 warnings generated.
--- ext/date/php_date.lo ---
6 warnings generated.
--- ext/openssl/xp_ssl.lo ---
14 warnings generated.
1 error
make: stopped in /usr/local/directadmin/custombuild/php-5.6.40

wattie · Mar 15, 2020

Oh, that's bad.

You can try to remove "with-openssl" from the config. But you won't be able to create secure sockets from PHP.

zEitEr · Mar 17, 2020

wattie said:
FreeBSD recently removed the old OpenSSL 1.0.2 port and replaced it with OpenSSL 1.1.1. Therefore we can no longer use /usr/ports/security/openssl if we have to use PHP 5.x.

The port openssl-unsafe does not replace OpenSSL 1.1.1, it installs only the secondary instance into an alternative location /usr/local/openssl-unsafe/, see:

Code:

# /usr/local/openssl-unsafe/bin/openssl version
OpenSSL 1.0.2-chacha (1.0.2k-dev)

and

Code:

# /usr/bin/openssl version
OpenSSL 1.1.1d-freebsd  10 Sep 2019

So it can be used to compile PHP 5.x against it even on FreeBSD 12.1. See my post here https://help.poralix.com/articles/install-php-5x-on-freebsd-12-with-directadmin on the matter.

We installed PHP 5.4 and PHP 5.6 against OpenSSL 1.0.2-chacha this way.

dudek888 · Mar 17, 2020

zEitEr said:
So it can be used to compile PHP 5.x against it even on FreeBSD 12.1. See my post here https://help.poralix.com/articles/install-php-5x-on-freebsd-12-with-directadmin on the matter.

Hi,

zEitEr this is possible for PHP 5.6 on FreeBSD 11.3 using the system OpenSSL 1.0.2s-freebsd (/ usr / bin / openssl) without installation openssl-unsafe?

Regards

zEitEr · Mar 17, 2020

In case FreeBSD 11.3 runs OpenSSL 1.0.2s as a default then you don't need to install openssl-unsafe (I'm not even sure FreeBSd 11.3 has such a port).

wattie · Mar 17, 2020

It does have the openssl-unsafe port.

zEitEr · Mar 17, 2020

Thanks, clear. But why would you need to use openssl-unsafe on FreeBSD 11.3 if OpenSSL 1.0.2s is installed as a default one? And PHP compiles fine under it.

wattie · Mar 17, 2020

I have a tiny reason - it will be much more portable in case you decide to upgrade the OS

zEitEr · Mar 17, 2020

Ah, OK. I see. That's clear. The guide still will work for FreeBSD 11.3 too. The OpenSSL versions will differ though.

wattie said:
after the update? Is it showing in the php.ini?

The guide I mentioned give examples on how to test which version is PHP compiled against. So you might check it with phpinfo().

wattie · Mar 17, 2020

I can't get it to compile - no matter /usr/bin (base) or /usr/local/openssl-unsafe. The error is:

Code:

...
/usr/local/directadmin/custombuild/php-5.4.45/ext/mcrypt/mcrypt.c:697:2: warning: initializing 'const char *' with an expression of type 'unsigned char *' converts between pointers to integer types with different sign [-Wpointer-sign]
--- ext/mbstring/php_mbregex.lo ---
/usr/local/directadmin/custombuild/php-5.4.45/ext/mbstring/php_mbregex.c:457:31: error: incomplete definition of type 'struct php_mb_re_pattern_buffer'
        if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
                                ~~~~~^
/usr/local/include/oniguruma.h:682:8: note: forward declaration of 'struct php_mb_re_pattern_buffer'
struct re_pattern_buffer;
       ^
ext/mbstring/php_onig_compat.h:4:37: note: expanded from macro 're_pattern_buffer'
#define re_pattern_buffer           php_mb_re_pattern_buffer
                                    ^
/usr/local/directadmin/custombuild/php-5.4.45/ext/mbstring/php_mbregex.c:457:60: error: incomplete definition of type 'struct php_mb_re_pattern_buffer'
        if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
                                                             ~~~~~^
/usr/local/include/oniguruma.h:682:8: note: forward declaration of 'struct php_mb_re_pattern_buffer'
struct re_pattern_buffer;
       ^
ext/mbstring/php_onig_compat.h:4:37: note: expanded from macro 're_pattern_buffer'
#define re_pattern_buffer           php_mb_re_pattern_buffer
                                    ^
/usr/local/directadmin/custombuild/php-5.4.45/ext/mbstring/php_mbregex.c:457:81: error: incomplete definition of type 'struct php_mb_re_pattern_buffer'
        if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
                                                                                  ~~~~~^
/usr/local/include/oniguruma.h:682:8: note: forward declaration of 'struct php_mb_re_pattern_buffer'
struct re_pattern_buffer;
       ^
ext/mbstring/php_onig_compat.h:4:37: note: expanded from macro 're_pattern_buffer'
#define re_pattern_buffer           php_mb_re_pattern_buffer
                                    ^
3 errors generated.
*** [ext/mbstring/php_mbregex.lo] Error code 1

make: stopped in /usr/local/directadmin/custombuild/php-5.4.45
--- ext/mcrypt/mcrypt.lo ---
        RETVAL_STRINGL(data_s, data_size, 1);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/directadmin/custombuild/php-5.4.45/Zend/zend_API.h:619:42: note: expanded from macro 'RETVAL_STRINGL'
#define RETVAL_STRINGL(s, l, duplicate)         ZVAL_STRINGL(return_value, s, l, duplicate)
                                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/directadmin/custombuild/php-5.4.45/Zend/zend_API.h:579:15: note: expanded from macro 'ZVAL_STRINGL'
                const char *__s=(s); int __l=l;                 \
                            ^   ~~~
--- ext/mcrypt/mcrypt_filter.lo ---
/usr/local/directadmin/custombuild/php-5.4.45/ext/mcrypt/mcrypt_filter.c:210:37: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
        mcrypt_module = mcrypt_module_open(cipher, algo_dir, mode, mode_dir);
                                           ^~~~~~
/usr/local/include/mutils/mcrypt.h:38:34: note: passing argument to parameter 'algorithm' here
        MCRYPT mcrypt_module_open(char *algorithm,
                                        ^
1 warning generated.
--- ext/mcrypt/mcrypt.lo ---
1 warning generated.
1 error

make: stopped in /usr/local/directadmin/custombuild/php-5.4.45

It is not related to openssl so I guess it's some patch that exists in regular build but not with build against custom openssl...

wattie · Mar 17, 2020

Nevermind - the same happens with just "with-openssl". So it's something bad on my end... I am investigating.

wattie · Mar 17, 2020

It looks like PHP 5.4 needs this patch:

Code:

--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -454,7 +454,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patlen, OnigOptionType options, OnigEncoding enc, OnigSyntaxType *syntax TSRMLS_DC)
            OnigUChar err_str[ONIG_MAX_ERROR_MESSAGE_LEN];
     
            found = zend_hash_find(&MBREX(ht_rc), (char *)pattern, patlen+1, (void **) &rc);
    -       if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
    +       if (found == FAILURE || onig_get_options(*rc) != options || onig_get_encoding(*rc) != enc || onig_get_syntax(*rc) != syntax) {
                    if ((err_code = onig_new(&retval, (OnigUChar *)pattern, (OnigUChar *)(pattern + patlen), options, enc, syntax, &err_info)) != ONIG_NORMAL) {
                            onig_error_code_to_str(err_str, err_code, &err_info);
                            php_error_docref(NULL TSRMLS_CC, E_WARNING, "mbregex compile err: %s", err_str);

Unfortunately it does NOT work:

Code:

Hunk #1 failed at 454.
1 out of 1 hunks failed--saving rejects to ./ext/mbstring/php_mbregex.c.rej
Hmm...  Ignoring the trailing garbage.
done

Any idea?

I manually replaced like 454 with the one with the + and did ./configure then make and it worked. What's wrong with the patch above?

wattie · Mar 17, 2020

wattie said:
Unfortunately it does NOT work:

Code:

Hunk #1 failed at 454. 1 out of 1 hunks failed--saving rejects to ./ext/mbstring/php_mbregex.c.rej Hmm... Ignoring the trailing garbage. done

Stupid me. It's a malformed patch file because I copied spaces from the console instead of a tab. This is the file and it works.

zEitEr · Mar 17, 2020

So, you've got PHP compiled fine now?

Migrating from openssl to openssl-unsafe?

Verified User

Administrator

Verified User

Administrator

Verified User

Verified User

Verified User

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Verified User

Verified User

Verified User

Attachments

Super Moderator