ext/openssl: Bump minimum required OpenSSL version to 1.1.1 #13498
Conversation
github-actions
bot
added
Category: Build System
Extension: openssl
Extension: ftp
labels
|
Sounds like a good idea from the security point of view, yes. In php.m4 the minimum version can be locked based on the version by pkgconf: diff --git a/build/php.m4 b/build/php.m4
--- a/build/php.m4
+++ b/build/php.m4
@@ -1821,7 +1821,7 @@ dnl
AC_DEFUN([PHP_SETUP_OPENSSL],[
found_openssl=no
- PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.2], [found_openssl=yes])
+ PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.1.1], [found_openssl=yes])
if test "$found_openssl" = "yes"; then
PHP_EVAL_LIBLINE($OPENSSL_LIBS, $1)And probably the php.ini comments can be removed with the OpenSSL version increase (but I'm not sure): |
|
Thank you @petk - I added the change to the Re INI files: I came across this comment too, but wasn't sure if we should remove it or not. Hopefully @bukka will give an experienced opinion. I pushed a separate commit with the ini files adjusted, but I doubt our test suite will effectively test it. |
There was a problem hiding this comment.
Yeah ldap can comment can be removed.
The only distro still using OpenSSL 1.0.2 missing in the list is Amazon Linux 2 which is EOL mid 2025 but I don't think anyone need latest PHP version there - they should just update the distro so I'm fine with this bump.
| @@ -1269,7 +1269,7 @@ PHP_MINIT_FUNCTION(openssl) | |||
| php_openssl_pkey_object_handlers.clone_obj = NULL; | |||
| php_openssl_pkey_object_handlers.compare = zend_objects_not_comparable; | |||
|
|
|||
| #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER) | |||
| #ifdef LIBRESSL_VERSION_NUMBER | |||
There was a problem hiding this comment.
Could we check LibreSSL if we still need this. It might be worth to bump LibreSSL min version as well so we can get rid of all of the 1.0.2 specific code.
There was a problem hiding this comment.
I don't really know how to check if this works well with LibreSSL I'm afraid. I couldn't get PHP's configure to run without openssl present.
FWIW, LibreSSL seems to declare a OPENSSL_init_ssl compat, so we might not need this manual init part.
There was a problem hiding this comment.
This was for LibreSSL version that did not have any compat. Think it's enough to just change pkgconfig path to point to LibreSSL but don't worry, it might be actually better to leave it for another PR. I haven't used LibreSSL for some time so might need to look into it anyway to do some other testing.
There was a problem hiding this comment.
Perfect, thank you. I'll experiment with libressl later and see if I could be any help too.
|
Thank you Jakub, I merged the INI file changes to the base commit. |
It's pretty easy to build against OpenSSL 1.1.1 or 3.x on AL2. That's how I build PHP on AL2, and so does the likes of Laravel Vapor and Bref.
This I strongly disagree with. There are thousands of users who will want this through the above... but I am very much in the cap of not using the distro's openssl, so it doesn't matter... these thousands of users are also not using the distro's openssl. |
|
FYI, this PR duplicates #10969 (though does more...). |
Think there's even system openssl11 IIRC so people will be already able build against it. It was kept on 1.0.2 mainly for packagers so they don't have to switch it - at least Remi wanted to keep it as it is. But as RHEL 7 is out of official support (there will be extended one though but it's very unlikely anyone would need latest PHP version there), we don't have to worry about it. |
|
Should the linkage with the Kerberos and GSSAPI libraries be then also removed? OpenSSL 1.1.0 has removed Kerberos support and now has Kerberos library bundled: This --with-kerberos has been added in the past to support Kerberos transitive linked library to OpenSSL and IMAP's c-client. So this can be also done:diff --git a/.circleci/config.yml b/.circleci/config.yml
index a315f3342d..16ae9ac39b 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -53,8 +53,6 @@ jobs:
libsqlite3-dev \
libwebp-dev \
libonig-dev \
- libkrb5-dev \
- libgssapi-krb5-2 \
libcurl4-openssl-dev \
libxml2-dev \
libxslt1-dev \
@@ -128,7 +126,6 @@ jobs:
--enable-calendar \
--enable-ftp \
--with-enchant=/usr \
- --with-kerberos \
--enable-sysvmsg \
--with-ffi \
--enable-zend-test \
diff --git a/.cirrus.yml b/.cirrus.yml
index 55632482a7..795f9855c7 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -11,10 +11,10 @@ freebsd_task:
#- sed -i -e 's/quarterly/latest/g' /etc/pkg/FreeBSD.conf
#- pkg upgrade -y
- kldload accf_http
- - pkg install -y autoconf bison gmake re2c icu libiconv png freetype2 enchant2 bzip2 krb5 t1lib gmp tidyp libsodium libzip libxml2 libxslt openssl oniguruma pkgconf webp libavif
+ - pkg install -y autoconf bison gmake re2c icu libiconv png freetype2 enchant2 bzip2 t1lib gmp tidyp libsodium libzip libxml2 libxslt openssl oniguruma pkgconf webp libavif
script:
- ./buildconf -f
- - ./configure --prefix=/usr/local --enable-debug --enable-option-checking=fatal --enable-fpm --with-pdo-sqlite --without-pear --with-bz2 --with-avif --with-jpeg --with-webp --with-freetype --enable-gd --enable-exif --with-zip --with-zlib --enable-soap --enable-xmlreader --with-xsl --with-libxml --enable-shmop --enable-pcntl --enable-mbstring --with-curl --enable-sockets --with-openssl --with-iconv=/usr/local --enable-bcmath --enable-calendar --enable-ftp --with-kerberos --with-ffi --enable-zend-test --enable-dl-test=shared --enable-intl --with-mhash --with-sodium --enable-werror --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d
+ - ./configure --prefix=/usr/local --enable-debug --enable-option-checking=fatal --enable-fpm --with-pdo-sqlite --without-pear --with-bz2 --with-avif --with-jpeg --with-webp --with-freetype --enable-gd --enable-exif --with-zip --with-zlib --enable-soap --enable-xmlreader --with-xsl --with-libxml --enable-shmop --enable-pcntl --enable-mbstring --with-curl --enable-sockets --with-openssl --with-iconv=/usr/local --enable-bcmath --enable-calendar --enable-ftp --with-ffi --enable-zend-test --enable-dl-test=shared --enable-intl --with-mhash --with-sodium --enable-werror --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d
- gmake -j2
- mkdir /etc/php.d
- gmake install
diff --git a/.github/actions/apt-x32/action.yml b/.github/actions/apt-x32/action.yml
index dbb50d425e..0638881d1e 100644
--- a/.github/actions/apt-x32/action.yml
+++ b/.github/actions/apt-x32/action.yml
@@ -23,10 +23,8 @@ runs:
libffi-dev:i386 \
libfreetype6-dev:i386 \
libgmp-dev:i386 \
- libgssapi-krb5-2:i386 \
libicu-dev:i386 \
libjpeg-dev:i386 \
- libkrb5-dev:i386 \
libonig-dev:i386 \
libpng-dev:i386 \
libpq-dev:i386 \
diff --git a/.github/actions/apt-x64/action.yml b/.github/actions/apt-x64/action.yml
index 1a45bcc39d..7cb5dd86f5 100644
--- a/.github/actions/apt-x64/action.yml
+++ b/.github/actions/apt-x64/action.yml
@@ -39,8 +39,6 @@ runs:
libsqlite3-dev \
libwebp-dev \
libonig-dev \
- libkrb5-dev \
- libgssapi-krb5-2 \
libcurl4-openssl-dev \
libxml2-dev \
libxslt1-dev \
diff --git a/.github/actions/brew/action.yml b/.github/actions/brew/action.yml
index 567929d030..e481a8e0ff 100644
--- a/.github/actions/brew/action.yml
+++ b/.github/actions/brew/action.yml
@@ -13,7 +13,6 @@ runs:
brew install \
openssl@1.1 \
curl \
- krb5 \
bzip2 \
enchant \
libffi \
diff --git a/.github/actions/configure-macos/action.yml b/.github/actions/configure-macos/action.yml
index cda8e7fbac..ab92dfb2d7 100644
--- a/.github/actions/configure-macos/action.yml
+++ b/.github/actions/configure-macos/action.yml
@@ -13,7 +13,6 @@ runs:
export PATH="$BREW_OPT/bison/bin:$PATH"
export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/openssl@1.1/lib/pkgconfig"
export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/curl/lib/pkgconfig"
- export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/krb5/lib/pkgconfig"
export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/libffi/lib/pkgconfig"
export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/libxml2/lib/pkgconfig"
export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/libxslt/lib/pkgconfig"
@@ -58,7 +57,6 @@ runs:
--enable-bcmath \
--enable-calendar \
--enable-ftp \
- --with-kerberos \
--enable-sysvmsg \
--with-ffi \
--enable-zend-test \
diff --git a/.github/actions/configure-x32/action.yml b/.github/actions/configure-x32/action.yml
index 0d4cd30e66..c07c49bb2c 100644
--- a/.github/actions/configure-x32/action.yml
+++ b/.github/actions/configure-x32/action.yml
@@ -54,7 +54,6 @@ runs:
--enable-bcmath \
--enable-calendar \
--enable-ftp \
- --with-kerberos \
--enable-sysvmsg \
--with-ffi \
--enable-zend-test \
diff --git a/.github/actions/configure-x64/action.yml b/.github/actions/configure-x64/action.yml
index 95cf656fa7..38dce5ef8f 100644
--- a/.github/actions/configure-x64/action.yml
+++ b/.github/actions/configure-x64/action.yml
@@ -53,7 +53,6 @@ runs:
--enable-calendar \
--enable-ftp \
${{ inputs.skipSlow == 'false' && '--with-enchant=/usr' || '' }} \
- --with-kerberos \
--enable-sysvmsg \
--with-ffi \
--enable-zend-test \
diff --git a/.travis.yml b/.travis.yml
index a94afb4e9e..fd18307662 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -19,7 +19,6 @@ addons:
- libgmp-dev
- libicu-dev
- libjpeg-dev
- - libkrb5-dev
- libonig-dev
- libpng-dev
- libpq-dev
diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS
index 217d86809a..a24dc97c48 100644
--- a/UPGRADING.INTERNALS
+++ b/UPGRADING.INTERNALS
@@ -96,6 +96,7 @@ PHP 8.4 INTERNALS UPGRADE NOTES
- The configure option --with-imap-ssl has been removed.
- The configure option --with-oci8 has been removed.
- The configure option --with-zlib-dir has been removed.
+ - The configure option --with-kerberos has been removed.
- COOKIE_IO_FUNCTIONS_T symbol has been removed (use cookie_io_functions_t).
- HAVE_SOCKADDR_UN_SUN_LEN symbol renamed to HAVE_STRUCT_SOCKADDR_UN_SUN_LEN.
- HAVE_UTSNAME_DOMAINNAME symbol renamed to HAVE_STRUCT_UTSNAME_DOMAINNAME.
diff --git a/ext/openssl/config0.m4 b/ext/openssl/config0.m4
index f449a19d55..71f50bebf2 100644
--- a/ext/openssl/config0.m4
+++ b/ext/openssl/config0.m4
@@ -3,13 +3,6 @@ PHP_ARG_WITH([openssl],
[AS_HELP_STRING([--with-openssl],
[Include OpenSSL support (requires OpenSSL >= 1.1.1)])])
-PHP_ARG_WITH([kerberos],
- [for Kerberos support],
- [AS_HELP_STRING([--with-kerberos],
- [OPENSSL: Include Kerberos support])],
- [no],
- [no])
-
PHP_ARG_WITH([system-ciphers],
[whether to use system default cipher list instead of hardcoded value],
[AS_HELP_STRING([--with-system-ciphers],
@@ -21,13 +14,6 @@ if test "$PHP_OPENSSL" != "no"; then
PHP_NEW_EXTENSION(openssl, openssl.c xp_ssl.c, $ext_shared)
PHP_SUBST(OPENSSL_SHARED_LIBADD)
- if test "$PHP_KERBEROS" != "no"; then
- PKG_CHECK_MODULES([KERBEROS], [krb5-gssapi krb5])
-
- PHP_EVAL_INCLINE($KERBEROS_CFLAGS)
- PHP_EVAL_LIBLINE($KERBEROS_LIBS, OPENSSL_SHARED_LIBADD)
- fi
-
PHP_SETUP_OPENSSL(OPENSSL_SHARED_LIBADD,
[
AC_DEFINE(HAVE_OPENSSL_EXT,1,[ ])
diff --git a/travis/compile.sh b/travis/compile.sh
index be1483f152..bab44d30ad 100755
--- a/travis/compile.sh
+++ b/travis/compile.sh
@@ -61,7 +61,6 @@ $S390X_CONFIG \
--enable-calendar \
--enable-ftp \
--with-enchant=/usr \
---with-kerberos \
--enable-sysvmsg \
--with-ffi \
--with-sodium \ |
Ayesh
force-pushed
the
openssl-bump
branch
2 times, most recently
from
1b638a4 to
d5e2675
Compare
Ayesh
force-pushed
the
openssl-bump
branch
2 times, most recently
from
602b5f3 to
cc4ccf4
Compare
Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1. OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL from upstream. However, Linux distro/OS vendors continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum. The current minimum 1.0.2 reached EOL in 2018. Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere. - Debian buster: 1.1.1[^2] - Ubuntu 20.04: 1.1.1[^3] - CentOS/RHEL 7: 1.0.2 - RHEL 8/Rocky 8/EL 8: 1.1.1 - Fedora 38: 3.0.9 (`openssl11` provides OpenSSL 1.1 as well) RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely bump the minimum OpenSSL version. [^1]: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html [^2]: https://packages.debian.org/buster/libssl-dev [^3]: https://packages.ubuntu.com/focal/libssl-dev
Co-authored-by: Peter Kokot <peterkokot@gmail.com>
| @@ -99,15 +99,13 @@ static void ftp_object_destroy(zend_object *zobj) { | |||
|
|
|||
| PHP_MINIT_FUNCTION(ftp) | |||
| { | |||
| #ifdef HAVE_FTP_SSL | |||
| #if OPENSSL_VERSION_NUMBER < 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) | |||
| #if defined(HAVE_FTP_SSL) && !defined(LIBRESSL_VERSION_NUMBER) | |||
| SSL_library_init(); | |||
There was a problem hiding this comment.
These functions inside this #if block are either deprecated or do nothing anymore on OpenSSL versions >= 1.1.0.
So I think this should've been removed, i.e. OPENSSL_VERSION_NUMBER < 0x10101000 is always false now.
There was a problem hiding this comment.
This PR does not contain LibreSSL bump: See #13498 (comment)
There was a problem hiding this comment.
Ah sorry this part could actually be removed - it's not defined - missed that.
There was a problem hiding this comment.
just went through it again and looks really like the only incorrect thing. Next step will be to bump LibreSSL and drop the code that is not needed.
Follow-up on phpGH-13498. These functions inside this #if block are either deprecated or do nothing anymore on OpenSSL versions >= 1.1.0.
Follow-up on GH-13498. These functions inside this #if block are either deprecated or do nothing anymore on OpenSSL versions >= 1.1.0.
@GrahamCampbell, I'll suggest to refresh GitHub milestones so this annoyance might be prevented in the future. Some pull requests might target versions very far in the future. |
PR php#13498 bumped the required OpenSSL version to 1.1.1, but apparently only for non Windows system. We catch up somewhat by dropping support for OpenSSL < 1.1.0 on Windows; besides completely removing detection of old OpenSSL versions in `SETUP_OPENSSL`, we also ensure that all bundled extension using this function do no longer accept OpenSSL < 1.1.0, to avoid to still be able to build these extensions with older `phpize` scripts. We do not cater to `--phar-native-ssl` yet; that might better be addressed by php#14578.
PR #13498 bumped the required OpenSSL version to 1.1.1, but apparently only for non Windows system. We catch up somewhat by dropping support for OpenSSL < 1.1.0 on Windows; besides completely removing detection of old OpenSSL versions in `SETUP_OPENSSL`, we also ensure that all bundled extension using this function do no longer accept OpenSSL < 1.1.0, to avoid to still be able to build these extensions with older `phpize` scripts. We do not cater to `--phar-native-ssl` yet; that might better be addressed by #14578. Closes GH-14973.
Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.
OpenSSL 1.1.1 is an LTS release, but has reached1 EOL from upstream. However, Linux distro/OS vendors continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum.
Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere.
openssl11provides OpenSSL 1.1 as well)RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely bump the minimum OpenSSL version.
Footnotes
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html ↩
https://packages.debian.org/buster/libssl-dev ↩
https://packages.ubuntu.com/focal/libssl-dev ↩