Update tests to support RHEL legacy crypto policy #14201
Comments
On RHEL/CentOS you need to allow the legacy crypto algorithms. Try using
I'm experiencing this issue compiling PHP on the origin/PHP-8.4 branch, AlmaLinux 9.5, gcc 11, OpenSSL 3.2.2-4. Not sure whether to open a new issue or not. Is enabling legacy ciphers just a temporary workaround, or does the OpenSSL PHP extension only support legacy ciphers by design? Let me know if my issue is different, please, and I'll create a new issue. My openssl-related errors (my error log includes my full error list, which relates to phar and ipv6 multicast):
This one is expected to fail. Distro packages (8.3 is in CentOS Stream 9 and 10) even include a patch to warn about this.
This is a workaround, the problem is not in the extension but in tests using legacy ciphers.
I strongly recommend that you not do this, except if you want to rebuild the whole distro.
Out of curiosity, what benefit do you expect from building from source instead of using the distribution packages used by thousands? My repo is also an alternative if you are not patient enough for new versions or need more SAPIs/extensions.
As noted, this is not a PHP core issue, so closing.
But I would be open to accepting a patch that checks the custom curve support and disables it if not supported. It would be even nicer if there were such an option (macro) in OpenSSL so it can be easily identified.
Actually there's still one:
So it might be better to keep it open for a bit longer. What's the actual output of that one?
We should probably keep it open for the legacy tests that might need updating, or at least there should be some better skipping done.
As I mentioned in my last comment, we should keep this open as some test improvements should be done.
I have been looking into this, and the openssl_x509_verify one is most likely because of the cert with the sha1WithRSAEncryption signature; we should use a generated cert for this, so this should be easy. The phar ones are also using SHA1 and even MD5, so they are failing because of that. The EC one could be identified during the configuration, so we could just disable the function and maybe expose some constant for user space so it can skip it. It would be nice to have upstream support to disable it in OpenSSL so it can just be taken from OpenSSL, but that wouldn't be available immediately anyway. The TLS ones are related to the system_default section in openssl.cnf selected by the policy. It adds some limitations. I need to look into this more to see if we can somehow retrieve the needed info from the SSL_CTX (there are accessors for levels, but we would probably need some extra API for that). Alternatively it might be enough to get it from the errors and then skip accordingly. And lastly, the failure in mcast_ipv6_recv.phpt is a bit of a mystery. It should not be related to OpenSSL though. I will see if I can recreate it. I tried to update my old laptop to Fedora 41, but it somehow crashed, so I need to reformat it and see if I can get a fresh install or the laptop is gone. If it's gone, I will get the compilation option for OpenSSL and try it locally on my main machine and see if I can recreate everything. I will then create issues for each of the above.
Just FYI, the openssl_x509_verify part should now be fixed.
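The two fixes proposed in the comment above, generating the test certificate at run time rather than committing a sha1WithRSAEncryption one, and probing what the host's OpenSSL policy still allows so a `.phpt` can skip instead of fail, look roughly like this in PHP. This is an added example, not code from php-src or its test suite; the function names (`probeLegacyPolicy`, `makeSelfSignedCert`, `drainOpensslErrors`), the subject DN and the list of curves it probes are assumptions, and which curves or digests a given policy forbids varies by distro and release, so the report is meant to be inspected, not compared against fixed expected values.

```php
<?php
declare(strict_types=1);

// Added example (not from the php-src issue or tests). Names below are hypothetical.

/** Drain the OpenSSL error queue so a later probe does not see stale errors. */
function drainOpensslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/**
 * Build a fresh self-signed RSA certificate signed with $digest.
 * Returns false when OpenSSL (or the system crypto policy) refuses the digest,
 * which is exactly the case a fixed SHA-1 test cert runs into on RHEL's DEFAULT policy.
 */
function makeSelfSignedCert(string $digest): OpenSSLCertificate|false
{
    $dn = ['commonName' => 'policy-probe.invalid']; // constructed test subject
    $opts = [
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
        'digest_alg'       => $digest,
    ];
    $key = openssl_pkey_new($opts);
    if ($key === false) {
        return false;
    }
    $csr = openssl_csr_new($dn, $key, $opts);
    if ($csr === false) {
        return false;
    }
    // One day of validity is enough for a test run.
    return openssl_csr_sign($csr, null, $key, 1, $opts);
}

/**
 * Probe the active OpenSSL policy. The returned array carries:
 *   sha1_signing  - bool, can this host still produce SHA-1 signatures?
 *   sha1_errors   - OpenSSL error strings from the SHA-1 attempt (empty if it worked)
 *   sha256_verify - int, openssl_x509_verify() on a fresh SHA-256 cert (1 = signature ok)
 *   curves        - curve name => bool, does EC key generation succeed on it?
 */
function probeLegacyPolicy(array $curves = ['prime256v1', 'secp224r1']): array
{
    drainOpensslErrors();
    $sha1Cert = makeSelfSignedCert('sha1');
    $report = [
        'sha1_signing' => $sha1Cert !== false,
        'sha1_errors'  => drainOpensslErrors(),
    ];

    $cert = makeSelfSignedCert('sha256');
    if ($cert === false) {
        throw new RuntimeException('SHA-256 signing failed: ' . implode('; ', drainOpensslErrors()));
    }
    // Verify against the public key carried in the certificate itself.
    $pub = openssl_pkey_get_public($cert);
    $report['sha256_verify'] = openssl_x509_verify($cert, $pub);

    // openssl_get_curve_names() lists what the build knows, not what the policy
    // allows, so a curve counts as usable only if key generation actually succeeds.
    $known = openssl_get_curve_names() ?: [];
    $report['curves'] = [];
    foreach ($curves as $curve) {
        $ok = in_array($curve, $known, true)
            && openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => $curve]) !== false;
        $report['curves'][$curve] = $ok;
        drainOpensslErrors();
    }
    return $report;
}

// Run stand-alone to see what the local policy permits.
var_export(probeLegacyPolicy());
```

In a `--SKIPIF--` section the same probe reduces to `if (!probeLegacyPolicy()['sha1_signing']) die('skip system crypto policy forbids SHA-1 signatures');`, while a test that only needs a valid certificate can call `makeSelfSignedCert('sha256')` and never depend on the policy at all.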