
Legacy provider is not working for OpenSSL extension #1728

Open
driskell opened this issue Jan 30, 2024 · 4 comments

@driskell

Description:

When deploying PHP 8.3 with FPM it seems to pick up OPENSSL_CONF from the fine, but if that configuration requests the legacy provider for OpenSSL 3 it will not work.

Upon inspecting the image, it looks like the ossl-modules folder is missing, so legacy.so is missing. But I can't be sure if it is meant to be there (I am comparing to my own macOS installation) and not precompiled in. So there's some issue with the legacy provider. If you need to process PKCS12 files from Apple with rc2-40-cbc then you'll be stuck with an error, as it's removed from the OpenSSL 3 standard cipher list due to security issues. (error:0308010C:digital envelope routines::unsupported)

How to reproduce:

$ docker run -ti --platform linux/amd64 --entrypoint /bin/bash bref/php-83-fpm
$ cd /root
$ cat <<EOF > openssl.cnf
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
$ cat <<EOF > test.php
<?php

print_r(openssl_get_cipher_methods());
EOF
$ OPENSSL_CONF=/root/openssl.cnf php ./test.php

Expecting output to contain:

rc2-40-cbc
@driskell driskell added the bug label Jan 30, 2024
@driskell driskell changed the title Legacy provider module is missing from OpenSSL extension libraries Legacy provider is not working for OpenSSL extension Jan 30, 2024
@Aschab

Aschab commented Jul 10, 2024

I have the same issue. Seems that it is still happening :)

@vitalii-kyktov

I am experiencing the same issue because I need to use the RC4 algorithm for a third-party integration. I'm getting the error OpenSSL Error: error:0308010C:digital envelope routines::unsupported, even though the OPENSSL_CONF environment variable points to an existing and correct config file with the following content:

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

However, if the legacy module isn't in the environment, it won't be loaded. I'm now considering building a custom Lambda layer to include the legacy OpenSSL providers.
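A diagnostic script, added here and not part of Bref or either commenter's setup, for the two cases in this thread (rc2-40-cbc for the Apple PKCS12 files, rc4 for the third-party integration): rather than only listing cipher names, it runs an encrypt/decrypt round trip and prints the OpenSSL error queue when a cipher is listed but unsupported, which is exactly the "provider name registered but legacy.so not loadable" symptom described above. It assumes PHP 8.2 or later (for openssl_cipher_key_length) and the same OPENSSL_CONF file as above; the key and IV bytes are constructed test material.

```php
<?php
// Added diagnostic for this issue; not Bref's code or the reporters' repro.
// Reports whether a legacy cipher is merely advertised by name or actually
// usable, i.e. whether OpenSSL 3's legacy provider was really activated.

function legacyCipherStatus(string $cipher): array
{
    $methods = array_map('strtolower', openssl_get_cipher_methods());
    if (!in_array(strtolower($cipher), $methods, true)) {
        return ['cipher' => $cipher, 'advertised' => false, 'roundtrip' => false,
                'error' => 'not advertised by openssl_get_cipher_methods()'];
    }
    // Constructed, fixed test material sized for this cipher; a smoke test, not a real key.
    $key = str_repeat("\x42", (int) openssl_cipher_key_length($cipher));
    $iv  = str_repeat("\x24", (int) openssl_cipher_iv_length($cipher)); // "" for rc4
    $plain = 'bref legacy provider check';

    // Warnings are suppressed because the OpenSSL error queue is reported instead;
    // with a missing legacy provider this is where 0308010C::unsupported shows up.
    $ct = @openssl_encrypt($plain, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    $pt = $ct === false ? false : @openssl_decrypt($ct, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    $ok = ($pt === $plain);

    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return ['cipher' => $cipher, 'advertised' => true, 'roundtrip' => $ok,
            'error' => $ok ? '' : implode('; ', $errors)];
}

$report = [
    'php'             => PHP_VERSION,
    'openssl'         => OPENSSL_VERSION_TEXT,
    'OPENSSL_CONF'    => getenv('OPENSSL_CONF') ?: '(unset)',
    // OpenSSL looks for provider modules such as legacy.so here if set,
    // otherwise in its compiled-in MODULESDIR (the missing ossl-modules dir).
    'OPENSSL_MODULES' => getenv('OPENSSL_MODULES') ?: '(unset)',
];
foreach (['rc2-40-cbc', 'rc4'] as $cipher) {
    $report[$cipher] = legacyCipherStatus($cipher);
}
print_r($report);

// Non-zero exit when either legacy cipher fails, so this can gate a layer build.
exit(($report['rc2-40-cbc']['roundtrip'] && $report['rc4']['roundtrip']) ? 0 : 1);
```

Run it as `OPENSSL_CONF=/root/openssl.cnf php legacy-check.php` inside the image; a cipher that is advertised but fails the round trip with the unsupported error means the config was read but legacy.so could not be loaded.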

@mnapoli
Member

mnapoli commented Aug 1, 2024

Feel free to send a pull request to the Bref layers if you can find an easy solution. I haven't taken the time myself to dive into it.

@vitalii-kyktov

Feel free to send a pull request to the Bref layers if you find an easy solution. I haven’t had the time to dive into it myself.

Hello, @mnapoli, here’s the PR in the Bref layers repo. I’ve already published the layer to my account and used it in my own setup, and I can confirm that it works. I’m able to successfully use legacy ciphering providers.
