I am trying to find a way to upgrade OpenSSL on an old server without messing up the original version it uses for SSH, etc. I am not able to get curl to use the new version of OpenSSL. The old version of OpenSSL is being used by PHP when connecting to a website.

Problem:
I have an old FreeBSD server on which I have been trying to make PHP work with curl. The root of the problem is the old version of OpenSSL compiled into PHP/curl: it is not able to connect to an HTTPS website which has recently updated its SSL certificate to SHA-256. If I disable CURLOPT_SSL_VERIFYPEER in the PHP code it works, but as that is not the ultimate solution, I am trying to find the real solution.

Motive:
Avoid compilation of PHP, by compiling and linking curl with a static/shared version of OpenSSL installed in another path, so that it does not mess with the original OpenSSL version (which has other system dependencies). I know I should upgrade to the latest version of OpenSSL because of recently found vulnerabilities like Heartbleed and POODLE, but as my server is old I don't want to do that, since the compile does not succeed.

Version details:
PHP - 4.4.7
Curl - 7.15
Original version - 0.9.7e-p2
New version required - 0.9.8o

My efforts:
- recompilation of curl with static libraries of openssl
- recompilation of curl with shared libraries of openssl
- recompilation of php with both above cases
- recompilation of php without openssl - here it works, it uses with the version of openssl with which curl was compiled.
- and several other combinations

Observation:
(Though I found this error on a FreeBSD server, I think it would also be encountered on other distributions/versions.)
PHP is using the version of OpenSSL with which it was compiled, and not the version of OpenSSL with which curl was compiled.
First, I started by compiling OpenSSL as static libraries and then compiling curl. I got a libcurl with the static version of OpenSSL 0.9.8o linked in. But if I link it with PHP and check phpinfo(), it still shows the old version of OpenSSL (0.9.7e) and is not able to connect to the site mentioned.
Second, I compiled curl with shared libraries of OpenSSL and linked it with PHP; it shows the old version of OpenSSL and does not connect to the site.
If I compile PHP with the new version of OpenSSL and link with either libcurl above, it shows the old version of OpenSSL and is able to connect to the website.
Also, if I disable OpenSSL in PHP while compiling, it succeeds. So I have observed that PHP seems to use the version of OpenSSL with which it was compiled when connecting to the website, and not the version of OpenSSL with which curl was compiled.
Why should this be?
Shouldn't curl use the version of OpenSSL with which it was compiled, rather than the one with which PHP was compiled?
The version of OpenSSL with which PHP was compiled should be used for the site it is hosting as a server, not when it is acting as a client using curl.

Build commands:
(I have listed only the static compilation.)
# 1. OpenSSL 0.9.8o, static only, into a private prefix
setenv LIBSSLBUILD /tmp/libsslbuild
./config --prefix=$LIBSSLBUILD no-shared

# 2. curl against that OpenSSL
./configure --prefix=/opt/curlssl --with-ssl=/tmp/libsslbuild ADDLIB="-L/tmp/libsslbuild/lib -ldl" --with-ca-bundle=/usr/local/share/curl/curl-ca-bundle.crt
make USE_OPENSSL=1 ADDINC=-I/tmp/libsslbuild/include ADDLIB="-L/tmp/libsslbuild/lib -ldl"

# 3. PHP against the new OpenSSL and the new libcurl
./configure --without-mysql --without-pear --with-openssl --with-openssl-dir=/tmp/libsslbuild --with-curl --with-xml --with-radius --enable-xml --enable-session --enable-pcre --enable-mbstring --enable-bcmath --enable-pcntl --enable-fastcgi --enable-force-cgi-redirect --prefix=/usr/local
# >> in the generated Makefile, change LDPATHS to /tmp/libsslbuild/lib, and set:
EXTRA_LDFLAGS = -L/tmp/libsslbuild/lib
EXTRA_LDFLAGS_PROGRAM = -L/tmp/libsslbuild/lib
make USE_OPENSSL=1 ADDINC="-I/tmp/libsslbuild/include -I/opt/curlssl/include" ADDLIB="-L/tmp/libsslbuild/lib -L/opt/curlssl/lib -ldl"
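The behaviour described in the question (libcurl, loaded by PHP, ending up in the OpenSSL that PHP itself was linked against) is what the runtime linker does by default: every shared object in a process shares one global symbol namespace, objects are searched in load order (the executable, then its direct dependencies, then theirs), and the first definition of SSL_CTX_new, SSL_connect and so on wins. The libssl that php loads directly therefore satisfies libcurl's SSL_* references too, whether libcurl was linked against another shared OpenSSL or has a static copy built in (symbols from a static archive linked into libcurl.so are still exported, and still interposed by the earlier-loaded library). The check below is an added example, not code from the question or from curl or PHP. It reads `ldd` output for the executable and for the module, lists which libssl/libcrypto each pulls in, and reports which copy will actually service libcurl's calls. The ldd text, paths and sonames (libssl.so.3 standing in for 0.9.7, libssl.so.5 for 0.9.8) are constructed assumptions so that it runs offline; on the real server you would feed it `ldd /usr/local/bin/php` and `ldd /opt/curlssl/lib/libcurl.so`.

```shell
#!/bin/sh
# Added example: diagnose OpenSSL symbol interposition from ldd output.
# Constructed ldd output (assumed sonames and paths, not taken from the question).
PHP_LDD='/usr/local/bin/php:
    libssl.so.3 => /usr/lib/libssl.so.3 (0x28100000)
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x28140000)
    libcurl.so.3 => /opt/curlssl/lib/libcurl.so.3 (0x28290000)
    libssl.so.5 => /tmp/libsslbuild/lib/libssl.so.5 (0x282f0000)
    libcrypto.so.5 => /tmp/libsslbuild/lib/libcrypto.so.5 (0x28330000)
    libc.so.6 => /lib/libc.so.6 (0x28400000)'

CURL_LDD='/opt/curlssl/lib/libcurl.so.3:
    libssl.so.5 => /tmp/libsslbuild/lib/libssl.so.5 (0x282f0000)
    libcrypto.so.5 => /tmp/libsslbuild/lib/libcrypto.so.5 (0x28330000)
    libc.so.6 => /lib/libc.so.6 (0x28400000)'

# ssl_libs_of LDD_TEXT: print "soname=path" for every libssl/libcrypto line,
# in the order ldd lists them (which is the order the runtime linker loads them).
ssl_libs_of() {
    printf '%s\n' "$1" | awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1 "=" $3 }'
}

# winning_ssl LDD_TEXT: the first libssl in load order. With one flat global
# namespace, this is the copy that resolves SSL_* for every object in the process.
winning_ssl() {
    printf '%s\n' "$1" | awk '$1 ~ /^libssl\.so/ { print $1 "=" $3; exit }'
}

# ssl_mismatch EXE_LDD MODULE_LDD: exit 0 when the module was linked against a
# different libssl than the one the executable loads first (i.e. it will be
# interposed), exit 1 when both resolve to the same library.
ssl_mismatch() {
    exe_so=$(winning_ssl "$1" | cut -d= -f1)
    mod_so=$(winning_ssl "$2" | cut -d= -f1)
    if [ -n "$exe_so" ] && [ -n "$mod_so" ] && [ "$exe_so" != "$mod_so" ]; then
        return 0
    fi
    return 1
}

# report EXE_LDD MODULE_LDD: human-readable verdict.
report() {
    printf 'executable pulls in:\n'; ssl_libs_of "$1" | sed 's/^/  /'
    printf 'module pulls in:\n';     ssl_libs_of "$2" | sed 's/^/  /'
    if ssl_mismatch "$1" "$2"; then
        printf 'MISMATCH: the executable loads %s first, the module was built against %s;\n' \
            "$(winning_ssl "$1" | cut -d= -f1)" "$(winning_ssl "$2" | cut -d= -f1)"
        printf 'the module'"'"'s SSL_* calls bind to the executable'"'"'s copy.\n'
    else
        printf 'OK: both resolve to %s\n' "$(winning_ssl "$1")"
    fi
}

report "$PHP_LDD" "$CURL_LDD"
```

The report only looks at sonames, so two different OpenSSL builds that share a soname (for example two 0.9.8 builds in different prefixes) would show as "OK" even though only one of them is loaded; in that case compare the path column as well. The practical consequence for the question is that there is no linker trick that lets libcurl keep a private OpenSSL while the php binary links the system one: either PHP and libcurl are built against the same OpenSSL, or PHP is built without its own OpenSSL (which is the combination the question reports as working).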