iEFdev

Code, Computers & Random Junk

PHP & Openssl

Just some notes/thoughts on the openssl extension in PHP.

First, this is really not my area. I’m not good with C/C++ (would like to learn though), and I barely use the openssl functions when I code. However, when I updated OpenSSL a couple of versions ago, I decided to compile it without SSLv2 and SSLv3:

./Configure darwin64-x86_64-cc shared no-ssl2 no-ssl3 --prefix=/usr/local --openssldir=/usr/local/openssl

A little bit later, when I updated my PHP version(s) (I run 2: PHP 5.4 (mod) and 5.6 (fpm/fastcgi)), I noticed in phpinfo() that SSLv3 was still present and listed in “Socket Transports”:

$ php -i | grep "Socket Transports"
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2

I didn’t do anything more about it then. But I had some time over the other day to look at the code. As I said, it’s not that I use it that much, and my install is only local on my computer (e.g. non-production), but I wanted to understand it - and also to learn.


The 2 files I came across were:

  • ext/openssl/openssl.c
  • ext/openssl/xp_ssl.c

In ext/openssl/xp_ssl.c there are checks for both OPENSSL_NO_SSL2 and OPENSSL_NO_SSL3; if the protocol is missing, they emit a message saying it’s not installed on the computer. But ext/openssl/openssl.c only has a check for OPENSSL_NO_SSL2.

So, I added additional checks for OPENSSL_NO_SSL3 and made a test install of PHP only using:

./configure --prefix=/path/to/p567 --with-openssl=/usr/local

The edits I made to openssl.c:

“ext/openssl/openssl.c @ ~ L1233”
--- php-5.6.7/ext/openssl/openssl.c 2015-03-19 01:19:30.000000000 +0100
+++ php-5.6.7/ext/openssl.e/openssl.c    2015-03-27 02:02:51.000000000 +0100
@@ -1231,7 +1231,9 @@
  }

  php_stream_xport_register("ssl", php_openssl_ssl_socket_factory TSRMLS_CC);
+#ifndef OPENSSL_NO_SSL3
  php_stream_xport_register("sslv3", php_openssl_ssl_socket_factory TSRMLS_CC);
+#endif
 #ifndef OPENSSL_NO_SSL2
  php_stream_xport_register("sslv2", php_openssl_ssl_socket_factory TSRMLS_CC);
 #endif
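Review bot: the new `#ifndef OPENSSL_NO_SSL3` guard around the `sslv3` registration mirrors the `#ifndef OPENSSL_NO_SSL2` guard that already follows it, so a PHP linked against an OpenSSL built with `no-ssl3` stops advertising a transport that xp_ssl.c would refuse anyway; the change itself looks correct. One thing to fix before sharing the diff: the `+++` header points at `php-5.6.7/ext/openssl.e/openssl.c` while `---` points at `php-5.6.7/ext/openssl/openssl.c`, so the old and new file names disagree and anyone feeding this to `patch` will have to check which path it picks.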
@@ -1280,7 +1282,9 @@
 #ifndef OPENSSL_NO_SSL2
  php_stream_xport_unregister("sslv2" TSRMLS_CC);
 #endif
+#ifndef OPENSSL_NO_SSL3
  php_stream_xport_unregister("sslv3" TSRMLS_CC);
+#endif
  php_stream_xport_unregister("tls" TSRMLS_CC);
  php_stream_xport_unregister("tlsv1.0" TSRMLS_CC);
 #if OPENSSL_VERSION_NUMBER >= 0x10001001L
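Review bot: guarding the `php_stream_xport_unregister("sslv3" TSRMLS_CC);` call keeps MSHUTDOWN symmetric with MINIT, which is the important part: without it the shutdown path would try to remove a transport that was never registered on a `no-ssl3` build. The header `@@ -1280,7 +1282,9 @@` correctly carries the two-line offset introduced by the first hunk.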

…and now it’s gone.

$ /path/to/p567/bin/php -i | grep "Socket Transports"
27:Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2

I have no idea, but either it’s missing or it is the intended behaviour. I know some protocols are based on the hardware and others not. But, I think it’s (kind of) misleading - especially when there’s a check for SSLv2. And it is registering it as a “Socket Transport”, even though I don’t have it installed.

The “misleading” part is that the other file (xp_ssl.c) will tell you it’s not installed, while at the same time it shows up as registered in phpinfo().
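The phpinfo() check above can be scripted. The following is an added example, not code from the original post or from PHP itself: it lists what this PHP build advertises via stream_get_transports(), flags the legacy sslv2/sslv3 entries, and uses the openssl extension's OPENSSL_VERSION_NUMBER constant to say whether the linked library can possibly back them. It assumes the openssl extension is loaded and makes no network connections; the function names are my own.

```php
<?php
// Added example, not code from the original post or from PHP itself.
// Audits which stream transports this PHP build advertises and flags the
// legacy SSL ones, so the phpinfo() observation can be checked by script.
// Assumes the openssl extension is loaded; no network connections are made.

/**
 * Return the subset of $transports that are legacy SSL protocols.
 * Kept separate so it can be run against any transport list, not only
 * the live one from stream_get_transports().
 *
 * @param string[] $transports
 * @return string[]
 */
function legacy_ssl_transports(array $transports)
{
    $legacy = array('sslv2', 'sslv3');
    return array_values(array_intersect($transports, $legacy));
}

/**
 * Build a verdict for each advertised legacy transport.
 * OpenSSL 1.1.0 removed SSLv2 entirely and disables SSLv3 at build time by
 * default, so from that version on an advertised sslv2/sslv3 transport is
 * almost certainly a registration the library cannot back. For older
 * OpenSSL the answer depends on the Configure flags, which PHP cannot see;
 * the test_sslv23.c program from the post answers that from the headers.
 *
 * @param string[] $transports  as returned by stream_get_transports()
 * @param int      $opensslNum  OPENSSL_VERSION_NUMBER from the openssl extension
 * @return array                transport => verdict
 */
function audit_transports(array $transports, $opensslNum)
{
    $report = array();
    foreach (legacy_ssl_transports($transports) as $t) {
        // "sslv3" -> Configure flag "no-ssl3"
        $flag = 'no-' . str_replace('sslv', 'ssl', $t);
        if ($opensslNum >= 0x10100000) {
            $report[$t] = 'advertised, but the linked OpenSSL (>= 1.1.0) does not provide it';
        } else {
            $report[$t] = 'advertised; check separately whether OpenSSL was built with ' . $flag;
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    if (!extension_loaded('openssl')) {
        fwrite(STDERR, "The openssl extension is not loaded.\n");
        exit(1);
    }

    $transports = stream_get_transports();
    echo 'PHP ', PHP_VERSION, ' linked against ', OPENSSL_VERSION_TEXT, "\n";
    echo 'Registered transports: ', implode(', ', $transports), "\n";

    $report = audit_transports($transports, OPENSSL_VERSION_NUMBER);
    if (count($report) === 0) {
        echo "No sslv2/sslv3 transports are advertised.\n";
        exit(0);
    }
    foreach ($report as $t => $verdict) {
        echo $t, ': ', $verdict, "\n";
    }
    exit(2); // non-zero so the check can gate a build or deployment
}
```

Run it with `php check_transports.php` (any file name works) against each PHP binary you have, e.g. the mod and fpm builds; the non-zero exit status makes it usable from a build script, and the verdict text tells you whether the remaining question is one for the OpenSSL headers rather than for PHP.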

Testing OpenSSL

If you want to check your OpenSSL installation (for example if you didn’t install it yourself, or installed it via a package manager), you can build a small program:

//
// File: test_sslv23.c
//
// Description: Check whether the OpenSSL headers on this machine were
// configured with "no-ssl2" and/or "no-ssl3". The answer comes from the
// OPENSSL_NO_SSL2 / OPENSSL_NO_SSL3 macros in <openssl/opensslconf.h>,
// which OpenSSL's Configure writes at build time. Note that this reflects
// the headers you compile against, not the shared library loaded at runtime.
//

#include <iostream>
#include <openssl/opensslconf.h>
#include <openssl/opensslv.h>

int main() {
    // Version string of the OpenSSL headers this program was built against
    std::cout << OPENSSL_VERSION_TEXT << std::endl;

#if defined(OPENSSL_NO_SSL2)
    std::cout << "SSLv2 is disabled" << std::endl;
#else
    std::cout << "SSLv2 is available" << std::endl;
#endif

#if defined(OPENSSL_NO_SSL3)
    std::cout << "SSLv3 is disabled" << std::endl;
#else
    std::cout << "SSLv3 is available" << std::endl;
#endif

    return 0;
}

/*

# Compile (add -I/usr/local/include, or wherever your OpenSSL headers live,
# if the installation you want to test is not the system default)
$ g++ test_sslv23.c -o testSSLv23

# Run
$ ./testSSLv23

*/

It will show what you have:

$ ./testSSLv23 
OpenSSL 1.0.2a 19 Mar 2015
SSLv2 is disabled
SSLv3 is disabled

# (example)

Update (2015-04-21): I made a Pull Request (#1203) with these changes. And it’s been merged now (yaaay). It didn’t make it to the latest updates, so if you want/need - here are 2 patches, for 5.4.40 and 5.6.8 (the 2 versions I use):

php-5.6.8

(php56_nosslv23.diff)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 23f893e..cd4b409 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1233,7 +1233,9 @@ PHP_MINIT_FUNCTION(openssl)
  }

  php_stream_xport_register("ssl", php_openssl_ssl_socket_factory TSRMLS_CC);
+#ifndef OPENSSL_NO_SSL3
  php_stream_xport_register("sslv3", php_openssl_ssl_socket_factory TSRMLS_CC);
+#endif
 #ifndef OPENSSL_NO_SSL2
  php_stream_xport_register("sslv2", php_openssl_ssl_socket_factory TSRMLS_CC);
 #endif
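Review bot: this is the same guard as in the hand-made diff earlier in the post, now generated with `git diff`, so the `a/ext/openssl/openssl.c` and `b/ext/openssl/openssl.c` paths agree and it applies cleanly with `patch -p1` from the PHP source root. The `@@ -1233,7 +1233,9 @@` offset (versus `-1231` for 5.6.7) is just the line drift between 5.6.7 and 5.6.8; the added lines are identical.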
@@ -1282,7 +1284,9 @@ PHP_MSHUTDOWN_FUNCTION(openssl)
 #ifndef OPENSSL_NO_SSL2
  php_stream_xport_unregister("sslv2" TSRMLS_CC);
 #endif
+#ifndef OPENSSL_NO_SSL3
  php_stream_xport_unregister("sslv3" TSRMLS_CC);
+#endif
  php_stream_xport_unregister("tls" TSRMLS_CC);
  php_stream_xport_unregister("tlsv1.0" TSRMLS_CC);
 #if OPENSSL_VERSION_NUMBER >= 0x10001001L

php-5.4.40

(php54_nosslv23.diff)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 216a56a..fb26abe 100755
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1161,7 +1161,9 @@ PHP_MINIT_FUNCTION(openssl)
  }

  php_stream_xport_register("ssl", php_openssl_ssl_socket_factory TSRMLS_CC);
+#ifndef OPENSSL_NO_SSL3
  php_stream_xport_register("sslv3", php_openssl_ssl_socket_factory TSRMLS_CC);
+#endif
 #ifndef OPENSSL_NO_SSL2
  php_stream_xport_register("sslv2", php_openssl_ssl_socket_factory TSRMLS_CC);
 #endif
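Review bot: the `index 216a56a..fb26abe 100755` line shows openssl.c in the 5.4.40 tree carrying the executable bit, which this patch leaves untouched; that is the right scope for a two-line guard, but it is worth stating in the PR description so reviewers do not look for a mode change that is not there. The guard itself matches the 5.6.8 version line for line.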
@@ -1202,7 +1204,9 @@ PHP_MSHUTDOWN_FUNCTION(openssl)
 #ifndef OPENSSL_NO_SSL2
  php_stream_xport_unregister("sslv2" TSRMLS_CC);
 #endif
+#ifndef OPENSSL_NO_SSL3
  php_stream_xport_unregister("sslv3" TSRMLS_CC);
+#endif
  php_stream_xport_unregister("tls" TSRMLS_CC);

  /* reinstate the default tcp handler */
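Review bot: the trailing context differs from the 5.6.8 hunk (no `tlsv1.0` unregister, and `/* reinstate the default tcp handler */` follows the `tls` line), so the two patches cannot be applied interchangeably even though the added lines are identical; shipping them as separate per-version files, as done here, is the correct call.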
