Migrating from openssl to openssl-unsafe?

wattie

Verified User
Joined
May 31, 2008
Messages
1,093
Location
Bulgaria
FreeBSD recently removed the old OpenSSL 1.0.2 port and replaced it with OpenSSL 1.1.1. Therefore we can no longer use /usr/ports/security/openssl if we have to use PHP 5.x.

Looking at the alternatives (despite never updating the original port, which will effectively stop me from updating a few others - not good), I found the port /usr/ports/security/openssl-unsafe. This is a 1.0.2 branch; however, in its description it states that:

This version of OpenSSL enables all possible features of OpenSSL. The libraries and binaries in this port must be considered vulnerable with known exploits available. Use for testing/scanning only.
I am unsure how dangerous this is in practice. It's true that some libraries should not be used, but in the end it is up to the software (Apache, Exim, etc.) whether they will use them or not, right? Is there any software which will use all OpenSSL features by default?

As an alternative solution, I am looking for a way to make PHP 5.x compile against the BASE OpenSSL and not the ports one. If I manage to do that, I'll be able to continue to use openssl in its original port (PHP 7.x will be on 1.1.1 and PHP 5.x will use the 1.0.2 base one).
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,075
Location
LT, EU
FreeBSD recently removed the old OpenSSL 1.0.2 port and replaced it with OpenSSL 1.1.1. Therefore we can no longer use /usr/ports/security/openssl if we have to use PHP 5.x.
It's not true; PHP 5.6 should have no issues. Please give it a try :)
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,093
Location
Bulgaria
Really? Did you patch it? Officially PHP 5.6.40 does not compile against OpenSSL 1.1.1.

I will give it a try asap.
 

dudek888

Verified User
Joined
Jun 21, 2009
Messages
31
Location
Szczecin / Poland
PHP 5.6 recompile error on FreeBSD after upgrading OpenSSL to 1.1.1d
CB 2.0.0 rev.2441

/usr/local/directadmin/custombuild/php-5.6.40/ext/openssl/openssl.c:3560:9: error: incomplete definition of type 'struct dsa_st'
if (dsa->priv_key || dsa->pub_key) {
~~~^
/usr/local/include/openssl/ossl_typ.h:107:16: note: forward declaration of 'struct dsa_st'
typedef struct dsa_st DSA;
fatal error: too many errors emitted, stopping now [-ferror-limit=]
--- ext/openssl/xp_ssl.lo ---
/usr/local/directadmin/custombuild/php-5.6.40/ext/openssl/xp_ssl.c:1840:36: warning: address of 'sslsock->s.timeout' will always evaluate to 'true' [-Wpointer-bool-conversion]
if (began_blocked && &sslsock->s.timeout) {
~~ ~~~~~~~~~~~^~~~~~~
--- ext/openssl/openssl.lo ---
12 warnings and 20 errors generated.
*** [ext/openssl/openssl.lo] Error code 1

make: stopped in /usr/local/directadmin/custombuild/php-5.6.40
--- ext/libxml/libxml.lo ---
2 warnings generated.
--- ext/date/php_date.lo ---
6 warnings generated.
--- ext/openssl/xp_ssl.lo ---
14 warnings generated.
1 error
make: stopped in /usr/local/directadmin/custombuild/php-5.6.40
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,093
Location
Bulgaria
Oh, that's bad.

You can try to remove "with-openssl" from the config. But you won't be able to create secure sockets from PHP.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
FreeBSD recently removed the old OpenSSL 1.0.2 port and replaced it with OpenSSL 1.1.1. Therefore we can no longer use /usr/ports/security/openssl if we have to use PHP 5.x.
The port openssl-unsafe does not replace OpenSSL 1.1.1; it only installs a secondary instance into an alternative location, /usr/local/openssl-unsafe/, see:

Code:
# /usr/local/openssl-unsafe/bin/openssl version
OpenSSL 1.0.2-chacha (1.0.2k-dev)
and

Code:
# /usr/bin/openssl version
OpenSSL 1.1.1d-freebsd  10 Sep 2019
So it can be used to compile PHP 5.x against it even on FreeBSD 12.1. See my post here https://help.poralix.com/articles/install-php-5x-on-freebsd-12-with-directadmin on the matter.

We installed PHP 5.4 and PHP 5.6 against OpenSSL 1.0.2-chacha this way.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
If FreeBSD 11.3 runs OpenSSL 1.0.2s as the default, then you don't need to install openssl-unsafe (I'm not even sure FreeBSD 11.3 has such a port).
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Thanks, clear. But why would you need to use openssl-unsafe on FreeBSD 11.3 if OpenSSL 1.0.2s is installed as the default one? And PHP compiles fine under it.
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,093
Location
Bulgaria
I have a tiny reason - it will be much more portable in case you decide to upgrade the OS :)
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Ah, OK. I see. That's clear. The guide will still work for FreeBSD 11.3 too. The OpenSSL versions will differ though.

after the update? Is it showing in the php.ini?
The guide I mentioned gives examples of how to test which version PHP is compiled against. So you might check it with phpinfo().
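phpinfo() tells you what the PHP binary reports; the complementary check from the shell is what the loader actually resolves. The script below is an added example (not from this thread, not from the guide linked above, and not part of the openssl-unsafe port): it classifies a binary's `ldd` output by the directory its libssl/libcrypto resolve to, so a PHP build or extension module that silently picked up the "testing/scanning only" instance under /usr/local/openssl-unsafe/ stands out. The ldd samples, sonames and the `classify_ssl_linkage`/`audit_binary` names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from the openssl-unsafe port): classify which
# OpenSSL a binary or PHP module is linked against, from its `ldd` output. openssl-unsafe
# lives in its own prefix, so the resolved library path tells you whether a binary picked
# up the base system's, the port's, or the "testing/scanning only" instance.
# The sample ldd output below is constructed, not captured from a real host.

UNSAFE_PREFIX="/usr/local/openssl-unsafe/lib"   # prefix named in the thread

# classify_ssl_linkage <ldd-output>: prints "unsafe", "port", "base" or "none".
# "unsafe" wins over the others: one library from that prefix is enough to matter.
classify_ssl_linkage() {
    printf '%s\n' "$1" | awk -v unsafe="$UNSAFE_PREFIX" '
        /lib(ssl|crypto)\.so/ {
            # an ldd line looks like: libssl.so.111 => /usr/lib/libssl.so.111 (0x...)
            path = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^\//) path = $i
            if (path == "") next                          # "not found" or similar
            if (index(path, unsafe) == 1)                  found["unsafe"] = 1
            else if (index(path, "/usr/lib/") == 1)        found["base"] = 1
            else if (index(path, "/usr/local/lib/") == 1)  found["port"] = 1
        }
        END {
            if ("unsafe" in found)    print "unsafe"
            else if ("port" in found) print "port"
            else if ("base" in found) print "base"
            else                      print "none"
        }'
}

# audit_binary <path>: classify a real file on this host (needs ldd; not used by the sample run).
audit_binary() {
    classify_ssl_linkage "$(ldd "$1" 2>/dev/null)"
}

# Constructed samples (sonames and addresses are made up for the example):
SAMPLE_UNSAFE='/usr/local/bin/php:
    libcrypto.so.8 => /usr/local/openssl-unsafe/lib/libcrypto.so.8 (0x800a00000)
    libssl.so.8 => /usr/local/openssl-unsafe/lib/libssl.so.8 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x800e00000)'

SAMPLE_BASE='/usr/local/bin/php:
    libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800a00000)
    libssl.so.111 => /usr/lib/libssl.so.111 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x800e00000)'

echo "sample (openssl-unsafe): $(classify_ssl_linkage "$SAMPLE_UNSAFE")"   # unsafe
echo "sample (base system):    $(classify_ssl_linkage "$SAMPLE_BASE")"     # base

# Live use: ./audit.sh /usr/local/bin/php, or loop over the PHP extension .so files
if [ -n "${1:-}" ]; then
    echo "$1: $(audit_binary "$1")"
fi
```

Run it over every PHP binary and extension module on the host after a rebuild; anything that reports "unsafe" is serving traffic with the libraries the port description says to use for testing/scanning only, which is the case the thread's first post was worried about.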
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,093
Location
Bulgaria
I can't get it to compile, no matter whether against /usr/bin (base) or /usr/local/openssl-unsafe. The error is:

Code:
...
/usr/local/directadmin/custombuild/php-5.4.45/ext/mcrypt/mcrypt.c:697:2: warning: initializing 'const char *' with an expression of type 'unsigned char *' converts between pointers to integer types with different sign [-Wpointer-sign]
--- ext/mbstring/php_mbregex.lo ---
/usr/local/directadmin/custombuild/php-5.4.45/ext/mbstring/php_mbregex.c:457:31: error: incomplete definition of type 'struct php_mb_re_pattern_buffer'
        if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
                                ~~~~~^
/usr/local/include/oniguruma.h:682:8: note: forward declaration of 'struct php_mb_re_pattern_buffer'
struct re_pattern_buffer;
       ^
ext/mbstring/php_onig_compat.h:4:37: note: expanded from macro 're_pattern_buffer'
#define re_pattern_buffer           php_mb_re_pattern_buffer
                                    ^
/usr/local/directadmin/custombuild/php-5.4.45/ext/mbstring/php_mbregex.c:457:60: error: incomplete definition of type 'struct php_mb_re_pattern_buffer'
        if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
                                                             ~~~~~^
/usr/local/include/oniguruma.h:682:8: note: forward declaration of 'struct php_mb_re_pattern_buffer'
struct re_pattern_buffer;
       ^
ext/mbstring/php_onig_compat.h:4:37: note: expanded from macro 're_pattern_buffer'
#define re_pattern_buffer           php_mb_re_pattern_buffer
                                    ^
/usr/local/directadmin/custombuild/php-5.4.45/ext/mbstring/php_mbregex.c:457:81: error: incomplete definition of type 'struct php_mb_re_pattern_buffer'
        if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
                                                                                  ~~~~~^
/usr/local/include/oniguruma.h:682:8: note: forward declaration of 'struct php_mb_re_pattern_buffer'
struct re_pattern_buffer;
       ^
ext/mbstring/php_onig_compat.h:4:37: note: expanded from macro 're_pattern_buffer'
#define re_pattern_buffer           php_mb_re_pattern_buffer
                                    ^
3 errors generated.
*** [ext/mbstring/php_mbregex.lo] Error code 1

make: stopped in /usr/local/directadmin/custombuild/php-5.4.45
--- ext/mcrypt/mcrypt.lo ---
        RETVAL_STRINGL(data_s, data_size, 1);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/directadmin/custombuild/php-5.4.45/Zend/zend_API.h:619:42: note: expanded from macro 'RETVAL_STRINGL'
#define RETVAL_STRINGL(s, l, duplicate)         ZVAL_STRINGL(return_value, s, l, duplicate)
                                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/directadmin/custombuild/php-5.4.45/Zend/zend_API.h:579:15: note: expanded from macro 'ZVAL_STRINGL'
                const char *__s=(s); int __l=l;                 \
                            ^   ~~~
--- ext/mcrypt/mcrypt_filter.lo ---
/usr/local/directadmin/custombuild/php-5.4.45/ext/mcrypt/mcrypt_filter.c:210:37: warning: passing 'const char *' to parameter of type 'char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
        mcrypt_module = mcrypt_module_open(cipher, algo_dir, mode, mode_dir);
                                           ^~~~~~
/usr/local/include/mutils/mcrypt.h:38:34: note: passing argument to parameter 'algorithm' here
        MCRYPT mcrypt_module_open(char *algorithm,
                                        ^
1 warning generated.
--- ext/mcrypt/mcrypt.lo ---
1 warning generated.
1 error

make: stopped in /usr/local/directadmin/custombuild/php-5.4.45
It is not related to openssl, so I guess it's some patch that exists in the regular build but not in the build against a custom openssl...
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,093
Location
Bulgaria
Never mind - the same happens with just "with-openssl". So it's something bad on my end... I am investigating.
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,093
Location
Bulgaria
It looks like PHP 5.4 needs this patch:

Code:
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -454,7 +454,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patlen, OnigOptionType options, OnigEncoding enc, OnigSyntaxType *syntax TSRMLS_DC)
            OnigUChar err_str[ONIG_MAX_ERROR_MESSAGE_LEN];
     
            found = zend_hash_find(&MBREX(ht_rc), (char *)pattern, patlen+1, (void **) &rc);
    -       if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
    +       if (found == FAILURE || onig_get_options(*rc) != options || onig_get_encoding(*rc) != enc || onig_get_syntax(*rc) != syntax) {
                    if ((err_code = onig_new(&retval, (OnigUChar *)pattern, (OnigUChar *)(pattern + patlen), options, enc, syntax, &err_info)) != ONIG_NORMAL) {
                            onig_error_code_to_str(err_str, err_code, &err_info);
                            php_error_docref(NULL TSRMLS_CC, E_WARNING, "mbregex compile err: %s", err_str);
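Review bot: As pasted, the hunk does not follow unified-diff syntax: every body line must begin in column one with exactly one of ' ', '-' or '+', but here the `-`/`+` markers are preceded by four spaces and the context is indented with spaces rather than the tabs PHP's sources use, so patch(1) cannot match the context against php_mbregex.c. Regenerate it with `diff -u` against the tree (or apply a whitespace-damaged copy with `patch -l`) instead of copying from a console. The substitution itself is sound: replacing `(*rc)->options`, `(*rc)->enc` and `(*rc)->syntax` with `onig_get_options(*rc)`, `onig_get_encoding(*rc)` and `onig_get_syntax(*rc)` goes through Oniguruma's public accessors, which is what an opaque `regex_t` requires.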
Unfortunately it does NOT work:

Code:
Hunk #1 failed at 454.
1 out of 1 hunks failed--saving rejects to ./ext/mbstring/php_mbregex.c.rej
Hmm...  Ignoring the trailing garbage.
done
Any idea?

I manually replaced line 454 with the one with the + and did ./configure, then make, and it worked. What's wrong with the patch above?
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,093
Location
Bulgaria
Unfortunately it does NOT work:

Code:
Hunk #1 failed at 454.
1 out of 1 hunks failed--saving rejects to ./ext/mbstring/php_mbregex.c.rej
Hmm...  Ignoring the trailing garbage.
done
Stupid me. It's a malformed patch file because I copied spaces from the console instead of a tab. This is the file and it works.
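The failure mode above (a hunk whose indentation was pasted as spaces while the target file uses tabs) is easy to diagnose mechanically before reaching for patch. The script below is an added example, not from this thread: `check_hunk_whitespace` reports, for each context or removal line of a hunk, whether the target contains it verbatim, only with different leading whitespace, or not at all, and `retab_hunk` turns runs of N leading spaces in the hunk body back into tabs. The tab-indented target file, the space-damaged patch and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose a hunk that fails to apply because its
# indentation was pasted as spaces while the target uses tabs, and repair it.
# The target file and patch below are constructed.

strip_leading_ws() { sed 's/^[[:space:]]*//'; }

# hunk_body_lines <patch>: body lines after the first @@ header, marker character removed.
# '+' lines are skipped: they do not have to exist in the target.
hunk_body_lines() {
    awk '/^@@/ { inhunk = 1; next }
         inhunk && /^[ -]/ { print substr($0, 2) }' "$1"
}

# check_hunk_whitespace <patch> <target>: prints "ws-mismatch:<line>" when the line exists in
# the target only with different indentation, "missing:<line>" when it does not exist at all,
# and nothing when every context/removal line matches verbatim.
check_hunk_whitespace() {
    hunk_body_lines "$1" | while IFS= read -r line; do
        [ -z "$line" ] && continue                   # blank context lines carry no signal
        grep -qFx -- "$line" "$2" && continue        # verbatim match, nothing to report
        bare=$(printf '%s\n' "$line" | strip_leading_ws)
        if strip_leading_ws < "$2" | grep -qFx -- "$bare"; then
            printf 'ws-mismatch:%s\n' "$bare"
        else
            printf 'missing:%s\n' "$bare"
        fi
    done
}

# retab_hunk <patch> <spaces_per_tab>: rewrite runs of N leading spaces in hunk body lines as
# tabs, leaving headers and @@ lines untouched. Only correct when the target is tab-indented.
retab_hunk() {
    awk -v n="$2" '
        /^@@/ { inhunk = 1; print; next }
        inhunk && /^[ +-]/ {
            marker = substr($0, 1, 1); rest = substr($0, 2); tabs = ""
            spaces = sprintf("%" n "s", "")
            while (substr(rest, 1, n) == spaces) { tabs = tabs "\t"; rest = substr(rest, n + 1) }
            print marker tabs rest; next
        }
        { print }' "$1"
}

WORK=$(mktemp -d)
# constructed target: tab-indented C, as PHP's sources are
printf 'int f(void)\n{\n\tint x = 1;\n\treturn x;\n}\n' > "$WORK/target.c"
# constructed patch "copied from a console": each tab became four spaces
cat > "$WORK/bad.patch" <<'EOF'
--- a/target.c
+++ b/target.c
@@ -1,5 +1,5 @@
 int f(void)
 {
-    int x = 1;
+    int x = 2;
     return x;
 }
EOF
retab_hunk "$WORK/bad.patch" 4 > "$WORK/fixed.patch"

echo "before retab:"; check_hunk_whitespace "$WORK/bad.patch" "$WORK/target.c"
echo "after retab:";  check_hunk_whitespace "$WORK/fixed.patch" "$WORK/target.c"   # prints nothing
```

A "ws-mismatch" report means the content is right and only the whitespace was damaged in transit, which is exactly what patch's `-l` (ignore whitespace) option works around; a "missing" report means the hunk was made against a different version of the file and no amount of re-tabbing will help. Retabbing is preferable to `-l` when the patch is going to be kept, because the stored patch then applies cleanly without special flags.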
 
