PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Posted: Wed Jun 24, 2015 10:40 am (Forum Newbie)

Hi,

I am trying to find a way to upgrade OpenSSL on an old server without messing up the original version it uses for SSH, etc. I am not able to get curl to use the new version of OpenSSL. The old version of OpenSSL is being used by PHP when connecting to a website.

Problem:
I have an old FreeBSD server on which I have been trying to make PHP work with curl. The root of the problem is the old version of OpenSSL compiled with PHP/curl; it is not able to connect to an https website which has recently updated the SSL certificate with SHA256 bit. If I disable CURLOPT_SSL_VERIFYPEER in PHP code, it works, but as that is not the ultimate solution, I am trying to find the solution.

Motive:
Avoid compilation of PHP by compiling and linking curl with a static/shared version of OpenSSL installed in another path, so that it does not mess with the original OpenSSL version (it has other system dependencies). I know I should upgrade to the latest version of OpenSSL due to recently found vulnerabilities like Heartbleed and POODLE, but as my server is old, I don't want to do that, as the compile does not succeed.

Version details:
PHP - 4.4.7
Curl - 7.15
OpenSSL:
  Original version - 0.9.7e-p2
  New version required - 0.9.8o

My efforts:
- recompilation of curl with static libraries of OpenSSL
- recompilation of curl with shared libraries of OpenSSL
- recompilation of PHP with both above cases
- recompilation of PHP without OpenSSL - here it works; it uses the version of OpenSSL with which curl was compiled.
- and several other combinations

Observation:
(Though I found this error on a FreeBSD server, I think it would also be encountered on other server distributions/versions.)
PHP is using the version of OpenSSL with which it was compiled and not the version of OpenSSL with which curl was compiled.
First, I started by compiling OpenSSL as static libraries and then compiling curl. I got libcurl with the static version of OpenSSL 0.9.8o linked to curl. But if I try to link it with PHP and check in phpinfo(), it still shows the old version of OpenSSL (0.9.7e) and it is not able to connect to the site mentioned.
Second, I compiled curl with shared libraries of OpenSSL and linked it with PHP; it shows the old version of OpenSSL and does not connect to the site.
If I compile PHP with the new version of OpenSSL and link with either libcurl above, it shows the old version of OpenSSL and is able to connect to the website.
Also, if I disable OpenSSL in PHP while compiling, it succeeds.

So I have observed that PHP seems to use the version of OpenSSL with which it was compiled when connecting to the website, and not the version of OpenSSL with which curl was compiled. Why should this be?
Shouldn't curl use the version of OpenSSL with which it was compiled rather than the one with which PHP was compiled?
The version of OpenSSL with which PHP was compiled should be used for enabling the site it is hosting as a server - not when it is acting as a client when using curl.


Build commands (listed only for static compilation):

OpenSSL:
setenv LIBSSLBUILD /tmp/libsslbuild
./config --prefix=$LIBSSLBUILD no-shared
make
make install_sw

curl:
./configure --prefix=/opt/curlssl --with-ssl=/tmp/libsslbuild ADDLIB="-L/tmp/libsslbuild/lib -ldl" --with-ca-bundle=/usr/local/share/curl/curl-ca-bundle.crt
make USE_OPENSSL=1 ADDINC=-I/tmp/libsslbuild/include ADDLIB="-L/tmp/libsslbuild/lib -ldl"
make install

PHP:
./configure --without-mysql --without-pear --with-openssl --with-openssl-dir=/tmp/libsslbuild --with-curl --with-xml --with-radius --enable-xml --enable-session --enable-pcre --enable-mbstring --enable-bcmath --enable-pcntl --enable-fastcgi --enable-force-cgi-redirect --prefix=/usr/local
>> change to /tmp/libsslbuild/lib for LDPATHS
EXTRA_LDFLAGS = -L/tmp/libsslbuild/lib
EXTRA_LDFLAGS_PROGRAM = -L/tmp/libsslbuild/lib
<<
make USE_OPENSSL=1 ADDINC="-I/tmp/libsslbuild/include -I/opt/curlssl/include" ADDLIB="-L/tmp/libsslbuild/lib -L/opt/curlssl/lib -ldl"
make install
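
One way to test the observation in the post above, as an added example that is not part of the original thread: read the OpenSSL version out of a libcurl version banner, and check whether ldd output for a binary maps more than one build of libssl/libcrypto. The banner, the ldd lines and the /usr/lib and /lib library paths are constructed sample input; only /tmp/libsslbuild and /opt/curlssl come from the build commands.

```sh
#!/bin/sh
# Added example. SAMPLE_LDD and SAMPLE_BANNER are constructed inputs, not
# output captured from the poster's server.

# Print the OpenSSL version named in a libcurl version banner
# (the "libcurl/x OpenSSL/y zlib/z" text that `curl --version` prints).
openssl_from_banner() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|^OpenSSL/||p' | head -n 1
}

# Read ldd output on stdin; print each distinct resolved libssl/libcrypto path.
ssl_libs_in_ldd() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ { print $3 }' | sort -u
}

# Read ldd output on stdin; print how many distinct copies of library $1 it maps.
count_copies() {
    ssl_libs_in_ldd |
        awk -v lib="$1" 'index($0, "/" lib ".so") { n++ } END { print n + 0 }'
}

# Succeed only if the ldd output in $1 maps at most one libssl and one libcrypto.
single_openssl() {
    for lib in libssl libcrypto; do
        n=$(printf '%s\n' "$1" | count_copies "$lib")
        [ "$n" -le 1 ] || return 1
    done
    return 0
}

SAMPLE_BANNER='libcurl/7.15.0 OpenSSL/0.9.7e zlib/1.2.3'
SAMPLE_LDD='    libcurl.so.3 => /opt/curlssl/lib/libcurl.so.3 (0x2817a000)
    libssl.so.3 => /usr/lib/libssl.so.3 (0x281a8000)
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x281d6000)
    libssl.so.0.9.8 => /tmp/libsslbuild/lib/libssl.so.0.9.8 (0x282c9000)
    libcrypto.so.0.9.8 => /tmp/libsslbuild/lib/libcrypto.so.0.9.8 (0x2830a000)
    libc.so.6 => /lib/libc.so.6 (0x28450000)'

echo "libcurl reports OpenSSL $(openssl_from_banner "$SAMPLE_BANNER")"
if single_openssl "$SAMPLE_LDD"; then
    echo "one OpenSSL build mapped"
else
    echo "more than one OpenSSL build mapped:"
    printf '%s\n' "$SAMPLE_LDD" | ssl_libs_in_ldd
fi
```

On a real host, replace the samples with the ldd output for the PHP binary and the libcurl version banner. A statically linked OpenSSL does not appear in ldd output, so in that case only the banner check applies.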


Posted: Wed Jun 24, 2015 4:10 pm (Site Administrator)

I don't think you're going to get this to work. That's my experience with FreeBSD hosting that only supports old versions of PHP. Find better hosting.

_________________
(#10850)


Posted: Thu Jun 25, 2015 7:09 am (Forum Newbie)

Hi Christopher,
As mentioned briefly in my observation, I don't think the problem is limited to the FreeBSD distribution. I have not verified it yet by checking on another distro. I will do that now and update.
The point here is that PHP is taking over the SSL handshake part, which I supposed curl was supposed to do - as per my observation above.

Thanks.


Posted: Thu Jun 25, 2015 8:55 am (Site Administrator)

Let us know how it works out. Given that PHP 4.4.7 is a very old release, it is very difficult to know what is causing the problem.

_________________
(#10850)

