PHP seems to ignore the default OpenSSL config - php

I need to change the OpenSSL config used by PHPs openssl* methods. phpinfo() reports the default openssl config as present in /etc/ssl/openssl.cnf. However, it does not seem to use it.
I changed the openssl.cnf to have some invalid values in it. Running openssl from the shell righfully fails and complains about an invalid config. The openssl* methods in my PHP script still continue to work?! They should fail with the same error message.
So, what OpenSSL config is PHP actually using?
PHP is running as Apache2 module in an Alpine Linux Docker Container (Package php81-apache2)

There seems to be some caching involved (have to investigate later). After letting the system sit for a few hours the PHP methods used the changed configuration.

Related

PHP OpenSSL extension not working while installing TYPO3 6.2.2 on Windows 7

I've installed TYPO3 6.2.2 on Windows 7 but I got an error message as below:
PHP OpenSSL extension not working Something went wrong while trying to create a new private key for testing. Please check the integration of the PHP OpenSSL extension and if it is installed correctly.
I try to find the solution on the internet about this error but I cannnot solve this bug.
Can anyone help me to find the solution please? Thanks.
Solution that worked for me on XAMPP and Windows Vista:
Activate the PHP module openssl
Open php.ini and uncomment(delete ';') in:
;extension=php_openssl.dll
Double-check that the extension is enabled by running phpinfo().
Add a system environment variable "OPENSSL_CONF" with value
C:\xampp\apache\conf\openssl.cnf
...assuming you installed xampp into C:\xampp.
Set path to 'openssl.exe', which is in C:\xampp\apache\bin
Either set $TYPO3_CONF_VARS['SYS']['binSetup'] in
...\htdocs\typo3_src-6.2.x\typo3\sysext\core\Configuration\DefaultConfiguration.php to 'openssl=c:/xampp/apache/bin/openssl.exe'
or append c:\xampp\apache\bin to the environment variable PATH (will work for every PHP script not only TYPO3)
Restart xampp
Links/sources:
http://wiki.typo3.org/Exception/CMS/1318283565
http://www.typo3.net/forum/thematik/zeige/thema/116156/
To enable OpenSSL on PHP under Windows, three steps must be taken:
enable the extension – make sure to uncomment this line in php.ini:
extension=php_openssl.dll
Add the PHP folder to the PATH environment variable of Windows:
Control Panel –> System –> Advanced System Settings –> Environment Variables.
Locate the Path variable in the System Variables block.
Prepend c:\php; in front of it, or whatever your PHP path is.
Create an additional OPENSSL_CONF environment variable for Windows which contains the full path of the OpenSSL config file of PHP:
Control Panel –> System –> Advanced System Settings –> Environment Variables.
In the System Variables block click New...
Variable name: OPENSSL_CONF
Variable value: C:\php\extras\ssl\openssl.cnf
Modify that value to match your PHP installation directory!
Restart Windows so the environment changes can take effect.
Details on PHP OpenSSL support under Windows can be found here.
On typo3 6.2.7on win7 XAMPP 1.8.3
The openSSL error's solution was to create C:\openssl-1.0.1i-win32\ssl folder and put E:\Portables\xampp\apache\conf\openssl.cnf into it. I got a direction about it from a german website.
How I found it out (just in case versions change), in the shell on XAMPP control panel, openssl command gives
WARNING: can't open config file: E:/Portables/xampp/apache/bin/openssl.cnf.
But adding the file there does not help. I added and removed the file.
Add ;E:\Portables\xampp\apache\bin to PATH environment variable (System properties -> Advanced). Run command openssl on a CMD window(not XMPP shell), the message:
WARNING: can't open config file: c:/openssl-1.0.1i-win32/ssl/openssl.cnf
Add the file there, the addition to environment variable PATH can be removed now.
Adding OPENSSL_CONF also did not work for me.
Set a global environment variable OPENSSL_CONF to %ProgramFiles(x86)%\PHP\Current\extras\openssl.cnf
The following solution might only work by manual start of the Apache-Server by click on apache_start.bat inside Xampp, other use-cases and server-packages are not tested or covered.
Dealing with several versions of xampp and perhaps additional several frameworks I searched for an approach that is best fitting to the following requirements:
A framework never has to know about the configuration or the path to the executable openssl-file (in windows: openssl.exe).
It doesn't matter which server is started, the right path to openssl is always found, fitting to the version of the server. This avoids problems that openssl might be compiled with another version than PHP or Apache-Server.
Variables never have to be added unflexible and static to the PATH-Variable.
Instead they shall only be added as long as a server is running.
Stopping one server-version and starting another server-version is switching without further actions to the right path of openssl.exe and openssl.cnf.
Based on these developer-requirements the steps I describe are a bit different than the running answers on this page:
Enable openssl in the php.ini-file of each server-version (i.e. xampp-1, xampp-2, etc.) by removing the leading semicolon of the following line:
;extension=php_openssl.dll
Open the file apache_start.bat of each server-version and replace the line
apache\bin\httpd.exe
by the following snippet:
SET OPENSSL_CONF=C:\xampp-x\apache\conf\openssl.cnf
IF EXIST C:\xampp-x\apache\bin SET PATH=%PATH%;C:\xampp-x\apache\bin
apache\bin\httpd.exe
Pay attention that you everywhere replace C:\xampp-x\ by the real path to the corresponding server.
Restart xampp either by apache_start.bat or by the xampp-control-panel.
This solution naturally works also with only one server and with the advantage having limited PATH-Variables system-wide defined.
UPDATE
If you have still problems related to TYPO3, no matter about the method you chosed, check the cookie_domain in the installtool. It should apply to the current domain or being empty.
A wrong cookie-domain can happen if you copy a project from another server, i.e. for development.
Adding the path like below "config" => "D:/xampp/php/extras/openssl/openssl.cnf", solved the issue.
$key = openssl_pkey_new([
"config" => "D:/xampp/php/extras/openssl/openssl.cnf",
'digest_alg' => 'aes256',
'private_key_type' => OPENSSL_KEYTYPE_RSA,
'encrypt_key' => false,
'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC,
]);
openssl_pkey_export_to_file($key, $this->folder . '/private.pem');

PHP log full of suhosin errors

Hello I have simple php script well it is more a html file with few php lines.
Yet it produces tons of errors in log that look like this on every line:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20100525/suhosin.so' - /usr/local/lib/php/extensions/no-debug-non-zts-20100525/suhosin.so: cannot open shared object file: No such file or directory in Unknown on line 0
I can not locate in nowhere in code where suhosin might been called...
This error is present on 2 different servers.
EDIT:
In phpinfo there is no suhosin present...
Thanks.
We will likely need more information in order to provide an accurate resolution, such as What version of PHP is installed on your system? however I will give you a general resolution.
Generally this issue is caused by PHP Upgrade, most recent PHP versions does not support suhosin as this only applied to older versions of php that needed additional security.
If you are on a shared hosting server you need to contact to your hosting provider and notify them about this issue, they are likely able to resolve it quickly.
If you are on a Dedicated server, VPS server or a localhost environment you can solve this issue by following the steps below:
Find your php.ini location [You can use phpinfo() to locate php.ini file]
Open the php.ini file and search suhosin.so
When you find suhosin comment this line extension = "suhosin.so" by adding semicolon at the beginning of the line, For example: ;extension = "suhosin.so"
Save this file
Restart Apache service httpd restart
Note: If ClouldLinux installed on your server, you need to force update CageFS by issuing the following command at the command line cagefsctl --force-update

ldap_start_tls fails from Apache but works from PHP shell (phpsh)

I have a LAMP application that uses LDAP binds (to Active Directory) to validate user credentials. This works on the production server running RHEL 6.2. I'm trying to set up my own test environment in a VM using CentOS 6.2 and similar versions of packages.
On my VM, calls to ldap_start_tls fail for the application when run inside Apache. I get:
PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in...
But on the same system, I installed phpsh. If I use phpsh to execute the PHP code file, it works.
The code is a basic sequence of ldap_connect, ldap_set_option (to set LDAPv3), ldap_start_tls, and ldap_bind.
The LDAP server is using an internal Active Directory-generated certificate authority, so it isn't automatically trusted. In /etc/openldap/ldap.conf, I have:
TLS_REQCERT allow
The setting seems to be working. If I change the value to always, ldap_start_tls fails in phpsh too. This is the same setting as in the production environment.
I tried installing what should be the AD root CA certificates by saving a .pem file (with 2 certificates) and adding this line to /etc/openldap/ldap.conf:
TLS_CACERT /etc/openldap/certs/ad_roots.pem
I didn't see any change, but perhaps I needed to do more. And I'm not 100% sure those were the right certificates.
I think using phpsh is a valid test for the PHP setup, but it is running as a different user (root) so the environment is different. SELinux is on (enforcing), but I do not see any messages about access denials for Apache in audit.log.
Why doesn't this work for Apache?

PHP SOAP cannot connect to an SSL WSDL source

Trying to make Soap connection to a https:// WSDL source via PHP/Win32, but keep getting the error:
Warning: SoapClient::SoapClient() [soapclient.soapclient]: I/O warning
: failed to load external entity "https://...
If I try to save the WSDL locally and access it then, the SoapFault->faultstring property has the message "SSL support is not available in this build".
After some Googling, seems like PHP SOAP cannot connect to a HTTPS source. HTTP is OK, though.
Is there a workaround for this? Or is there an alternative SOAP version/module I can install?
HTTPS support for SOAP in PHP5
If you’re seeing error messages about missing https wrappers when trying to use SOAP (”Unable to find the wrapper “https” – did you forget to enable it when you configured PHP?” or “[HTTP] SSL support is not available in this build”), you haven’t installed the SSL libraries to support secure transactions.
Uncomment
extension=php_soap.dll
in your php.ini
Uncomment
extension=php_openssl.dll
in your php.ini
Copy
ssleay32.dll
and
libeay32.dll
to your windows system32 directory
Reboot apache, et voila!
I originally found this answer at: http://webponce.com/rants/2008/04/https-support-for-soap-in-php5-under-windows/
I had the same problem. openSSL, cURL were enabled, initiated a SoapClient with option of location to stored certificated, etc, etc.. tried everything.
Turns out it does work in CLI mode. Thus php_sapi = CLI.
As we almost always run our webservices calls as a cronjob, scheduled task in Windows, this is not really a bad thing. I was really glad to get it working!
Update:
Okay, turns out when PHP is running as an Apache module, it uses the by opensll required libraries libeay32.dll and ssleay32.dll from the Apache install. When using PHP in CLI is uses the libraries from the PHP directory/install. Overwriting the 2 Apache dlls with the dlls from the PHP directory did the trick. It now also runs under Apache.
So your PHP version should match with the working dlls for the specific version. When it still doesn't work in the web interface. Please check that Apache isn't loading these dlls from a Windows System directory, specified earlier in your system defined path, which is picked up by Apache.
I've had success with SSL and SOAP using NuSOAP:
http://nusoap.sourceforge.net/

OpenSSL enabled but not working

I am running Apache 2.2.13 and PHP 5.2.12. Just installed PHP 5.2.12 manually (to have access to all extensions) and enabled OpenSSL. phpinfo() indicates OpenSSL is enabled and running OpenSSL 0.9.8k 25 Mar 2009.
I'm getting this error: PHP Fatal error: Call to undefined function ftp_ssl_connect().
I've seen where the PHP manual suggests 'ftp_ssl_connect() is only available if both the ftp module and the OpenSSL support is built statically into php' and further states that 'you must compile your own PHP binaries' to make it work with Windows.
I have the suspicion that phpinfo() only indicates OpenSSL as being 'enabled' because I have uncommented the line 'extension=php_openssl.dll' and have the correct dlls in the correct folders and the correct path in the environment variables. And perhaps a static build into PHP must be accomplished regardless of what phpinfo() indicates.
I believe the objective of distribution (as described above) is for dynamic extensions, but recompiling (for OpenSSL) is to encode a static extension.
ftp extension is working fine (built into PHP 5.2). I test this with the following code:
$conn_id = ftp_connect($url);
$login_result = ftp_login($conn_id, $username, $password);
ftp_close($conn_id);
Note that to check ssl, I only change ftp_connect to ftp_ssl_connect. When reaching this line, I get the PHP error above in my Apache error log file.
As the documentation states (quoting what you already quoted) :
Note: Why this function may not exist
ftp_ssl_connect() is only
available if both the ftp module and
the OpenSSL support is built
statically into php, this means that
on Windows this function will be
undefined in the official PHP builds.
To make this function available
on Windows you must compile your own
PHP binaries.
You say you installed PHP "manually" ; but this probably still means you used an "official" build from php.net -- which means you have not compiled your own PHP binaries... So, that function is not available.
There is no magic : it seems you'll have to re-compile PHP, using the right configuration options at compile-time, if you want to be able to use that function...
Here's some documentation about that : Build your own PHP on Windows -- but... good luck... i've never heard it was "simple" to compile PHP on windows, actually (it's not that hard on Linux, but Linux is maybe a bit more well suited when it comes to compilation)
A couple of other solutions :
switching to Linux for your developments (even if it's only using a Virtual Machine) -- but you might still have to recompile PHP to get that (might not be enabled by default)
just not using that function ; after all, do you know if your hosting service will provide you with it ? (If you can't use it on your production server, no need to use on your development/testing machine)

Categories