Just some notes/thoughts on the openssl extension in PHP.
First, this is really not my area. I’m not good with C/C++ (would like to learn though), and I barely use the openssl functions when I code. However, when I updated OpenSSL a couple of versions ago, I decided to compile it without SSLv2 and SSLv3.
A little later, when I updated my PHP versions (I run two: PHP 5.4 (mod) and 5.6 (fpm/fastcgi)), I noticed in phpinfo() that SSLv3 was still present and listed under “Socket Transports”.
I didn’t do anything more about it then, but I had some time the other day to look at the code. As I said, I don’t use it that much and my install is only local on my computer (i.e. non-production), but I wanted to understand it, and to learn.
The two files I came across were:
ext/openssl/openssl.c
ext/openssl/xp_ssl.c
In ext/openssl/xp_ssl.c there are checks for both OPENSSL_NO_SSL2 and OPENSSL_NO_SSL3; if the protocol is not compiled in, they emit a message saying it is not installed on the computer. But ext/openssl/openssl.c only has a check for OPENSSL_NO_SSL2.
So, I added additional checks for OPENSSL_NO_SSL3 and made a test install of PHP only using:
I have no idea whether the check is missing or this is the intended behaviour. I know some protocols depend on the hardware and others do not. But I think it’s (kind of) misleading, especially when there is a check for SSLv2, and it registers SSLv3 as a “Socket Transport” even though I don’t have it installed.
The “misleading” part is that the other file will tell you it’s not installed, while at the same time it shows up as registered in phpinfo().
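To make the point concrete, here is an added example (my own illustration, not code from PHP’s openssl extension) of a tiny transport registry in which SSLv2 and SSLv3 are each gated on their own OPENSSL_NO_* macro, so the list of registered transports matches what the linked OpenSSL can actually do. The registry, the transport names and the helper functions are all made up for the example; the only real things are the OPENSSL_NO_SSL2 / OPENSSL_NO_SSL3 macros from opensslconf.h, which are picked up when the headers are present.

```c
/*
 * Added example (not PHP's own code): a minimal transport registry that
 * mirrors the guard pattern discussed above. A transport is registered only
 * when the matching OpenSSL feature macro is absent, so what gets listed is
 * what can actually be used. Registry, names and helpers are illustrative.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Use the real OpenSSL feature macros when the headers are available. Without
 * them the macros are simply undefined and both protocols look "available",
 * which is exactly the mismatch a missing guard produces. */
#if defined(__has_include)
#  if __has_include(<openssl/opensslconf.h>)
#    include <openssl/opensslconf.h>
#    define HAVE_OPENSSL_HEADERS 1
#  endif
#endif

#define MAX_TRANSPORTS 8

static const char *g_transports[MAX_TRANSPORTS];
static size_t g_count;
static int g_registered;

/* Compile-time answers, one per protocol (1 = compiled in, 0 = disabled). */
int sslv2_compiled_in(void)
{
#ifdef OPENSSL_NO_SSL2
    return 0;
#else
    return 1;
#endif
}

int sslv3_compiled_in(void)
{
#ifdef OPENSSL_NO_SSL3
    return 0;
#else
    return 1;
#endif
}

static void register_transport(const char *name)
{
    if (g_count < MAX_TRANSPORTS)
        g_transports[g_count++] = name;
}

/* Registration guarded the way the post argues it should be: SSLv2 *and*
 * SSLv3 are each gated on their own OPENSSL_NO_* macro. */
static void ensure_registered(void)
{
    if (g_registered)
        return;
    g_count = 0;
    register_transport("ssl");   /* always present in this toy registry */
    register_transport("tls");
#ifndef OPENSSL_NO_SSL2
    register_transport("sslv2");
#endif
#ifndef OPENSSL_NO_SSL3
    register_transport("sslv3");
#endif
    g_registered = 1;
}

/* Equivalent of asking whether a name appears in the "Socket Transports" list. */
int transport_is_registered(const char *name)
{
    ensure_registered();
    for (size_t i = 0; i < g_count; i++)
        if (strcmp(g_transports[i], name) == 0)
            return 1;
    return 0;
}

size_t transport_count(void)
{
    ensure_registered();
    return g_count;
}

int main(void)
{
    ensure_registered();
#ifdef HAVE_OPENSSL_HEADERS
    puts("OpenSSL headers found; OPENSSL_NO_* macros are authoritative");
#else
    puts("OpenSSL headers not found; macros undefined, everything looks available");
#endif
    printf("Registered transports:");
    for (size_t i = 0; i < g_count; i++)
        printf(" %s", g_transports[i]);
    printf("\n");
    return 0;
}
```

Build with `cc -std=c99 registry.c -o registry` (add the OpenSSL include path if it is not on the default search path) and run it: with an OpenSSL built `no-ssl2 no-ssl3`, neither sslv2 nor sslv3 appears in the list, which is the behaviour one would expect from phpinfo() once both guards are in place.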
Testing OpenSSL
If you want to check your OpenSSL installation (for example if you didn’t build it yourself or used a package manager), you can make a small program.
//
// File: test_sslv23.c
//
// Description: To see if openssl is configured with "no-ssl2" &/or "no-ssl3"
//
#include <iostream>
#include <openssl/opensslconf.h>
#include <openssl/opensslv.h>

using namespace std;

int main()
{
    std::cout << OPENSSL_VERSION_TEXT << std::endl;
#if defined(OPENSSL_NO_SSL2)
    std::cout << "SSLv2 is disabled" << std::endl;
#else
    std::cout << "SSLv2 is available" << std::endl;
#endif
#if defined(OPENSSL_NO_SSL3)
    std::cout << "SSLv3 is disabled" << std::endl;
#else
    std::cout << "SSLv3 is available" << std::endl;
#endif
    return 0;
}
/*
# Compile
$ g++ test_sslv23.c -o testSSLv23
# Run
$ ./testSSLv23
*/
It will show what you have.
$ ./testSSLv23
OpenSSL 1.0.2a 19 Mar 2015
SSLv2 is disabled
SSLv3 is disabled
# (example)
Update (2015-04-21): I made a Pull Request (#1203) with these changes, and it’s been merged now (yaaay). It didn’t make it into the latest releases, so if you want/need them, here are 2 patches, for 5.4.40 and 5.6.8 (the 2 versions I use):