Newsgroups: php.internals
From: alice@librelamp.com (Alice Wonder)
To: PHP internals
Date: Mon, 23 Jan 2017 12:52:46 -0800
Subject: Re: [PHP-DEV] Re: PHP 7.0 and openssl 1.1
Message-ID: <422ee0db-34f3-e8cd-29b3-e4968af57417@librelamp.com>

Actually I found that wasn't the case.

To build php against an alternate openssl API - I did have to rebuild
net-snmp but curl, for example, at least on CentOS uses NSS for its TLS
and so didn't need to be rebuilt to build PHP against a different
OpenSSL API.

Building in mock, the only php dependency that had an OpenSSL API
dependency was net-snmp. And if I kept the same API for net-snmp, I
didn't have to replace the system net-snmp for php to work properly -
only the net-snmp used in mock.

That was php 5.6.x and 7.1.x though, 7.0.x may have different results,
but I doubt it.

On 01/23/2017 02:05 AM, Rasmus Lerdorf wrote:
> On Mon, Jan 23, 2017 at 12:31 AM, Alice Wonder wrote:
>
> > If someone on such a distro really can't use PHP 7.1.x, LibreSSL can
> > be installed in parallel to OpenSSL (I do on CentOS) and I suspect
> > php 7.0 will build against it (5.6.x does and 7.1.x does)
> >
> > Also, I suspect older OpenSSL shared libraries could probably be
> > installed in parallel.
> >
> > So it can be done if really needed.
>
> Yes, of course it can be done with a bit (or a lot depending on the
> distro) of fiddling.
> And it is also rather tricky to build against libressl or a different
> version of openssl because we have things like libcurl, libpq,
> libc-client and probably a few others as well that are linked against
> the system openssl library. You will need to build alternative
> versions of those too.
> And for libressl, even if you get it built, you are going to see quite a
> few test failures.
> This is the current state of make test TESTS=ext/openssl when PHP-7.0 is
> built against the latest version of libressl:
>
> Number of tests :  105                98
> Tests skipped   :    7 (  6.7%) --------
> Tests warned    :    0 (  0.0%) (  0.0%)
> Tests failed    :   32 ( 30.5%) ( 32.7%)
> Expected fail   :    0 (  0.0%) (  0.0%)
> Tests passed    :   66 ( 62.9%) ( 67.3%)
> ---------------------------------------------------------------------
> Time taken      :  446 seconds
> =====================================================================
>
> =====================================================================
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> #46127, openssl_sign/verify: accept different algos [ext/openssl/tests/bug46127.phpt]
> Bug #48182: ssl handshake fails during asynchronous socket connection [ext/openssl/tests/bug48182.phpt]
> Bug #54992: Stream not closed and error not returned when SSL CN_match fails [ext/openssl/tests/bug54992.phpt]
> Bug #65538: SSL context "cafile" supports stream wrappers [ext/openssl/tests/bug65538_001.phpt]
> Bug #65538: SSL context "cafile" disallows URL stream wrappers [ext/openssl/tests/bug65538_002.phpt]
> Bug #65538: SSL context "cafile" supports phar wrapper [ext/openssl/tests/bug65538_003.phpt]
> Bug #65729: CN_match gives false positive when wildcard is used [ext/openssl/tests/bug65729.phpt]
> Bug #68265: SAN match fails with trailing DNS dot [ext/openssl/tests/bug68265.phpt]
> Bug #68879: Match IP address fields in subjectAltName checks [ext/openssl/tests/bug68879.phpt]
> Bug #68920: peer_fingerprint input checks should be strict [ext/openssl/tests/bug68920.phpt]
> Bug #69215: Crypto servers should send client CA list [ext/openssl/tests/bug69215.phpt]
> Bug #72165 Null pointer dereference - openssl_csr_new [ext/openssl/tests/bug72165.phpt]
> Bug #73072: Invalid path SNI_server_certs causes segfault [ext/openssl/tests/bug73072.phpt]
> capture_peer_cert context captures on verify failure [ext/openssl/tests/capture_peer_cert_001.phpt]
> openssl_error_string() tests [ext/openssl/tests/openssl_error_string_basic.phpt]
> Testing peer fingerprint on connection [ext/openssl/tests/openssl_peer_fingerprint_basic.phpt]
> Peer verification enabled for client streams [ext/openssl/tests/peer_verification.phpt]
> Peer verification matches SAN names [ext/openssl/tests/san_peer_matching.phpt]
> Capture SSL session meta array in stream context [ext/openssl/tests/session_meta_capture.phpt]
> sni_server [ext/openssl/tests/sni_server.phpt]
> Basic bitwise stream crypto context flag assignment [ext/openssl/tests/stream_crypto_flags_001.phpt]
> TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment [ext/openssl/tests/stream_crypto_flags_002.phpt]
> Server bitwise stream crypto flag assignment [ext/openssl/tests/stream_crypto_flags_003.phpt]
> Specific protocol method specification [ext/openssl/tests/stream_crypto_flags_004.phpt]
> TLS server rate-limits client-initiated renegotiation [ext/openssl/tests/stream_server_reneg_limit.phpt]
> Verify host name by default in client transfers [ext/openssl/tests/stream_verify_peer_name_001.phpt]
> Allow host name mismatch when "verify_host" disabled [ext/openssl/tests/stream_verify_peer_name_002.phpt]
> Host name mismatch triggers error [ext/openssl/tests/stream_verify_peer_name_003.phpt]
> Specific crypto method for ssl:// transports. [ext/openssl/tests/streams_crypto_method.phpt]
> tlsv1.0 stream wrapper [ext/openssl/tests/tlsv1.0_wrapper.phpt]
> tlsv1.1 stream wrapper [ext/openssl/tests/tlsv1.1_wrapper.phpt]
> tlsv1.2 stream wrapper [ext/openssl/tests/tlsv1.2_wrapper.phpt]
> =====================================================================
>
> -Rasmus
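
Added example, not part of the original thread: a check for the situation both messages discuss, where a PHP binary built against a parallel LibreSSL or OpenSSL still pulls in the system libssl through a dependency such as libpq. The function names, sonames and paths in the sample ldd output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Flags a binary whose resolved dependencies load two different
# libssl/libcrypto sonames into one process (mixed OpenSSL ABIs).

# Print the distinct libssl/libcrypto sonames in ldd-style output on stdin.
openssl_sonames() {
    awk '$1 ~ /^lib(ssl|crypto)\.so(\.|$)/ { print $1 }' | sort -u
}

# Return 0 if at most one libssl and one libcrypto soname is resolved,
# 1 if two versions of either would be mapped together.
single_openssl_abi() (
    names=$(openssl_sonames)
    nssl=$(printf '%s\n' "$names" | awk '/^libssl\.so/ { n++ } END { print n + 0 }')
    ncrypto=$(printf '%s\n' "$names" | awk '/^libcrypto\.so/ { n++ } END { print n + 0 }')
    [ "$nssl" -le 1 ] && [ "$ncrypto" -le 1 ]
)

# Constructed sample: PHP linked against a parallel LibreSSL while libpq
# still resolves the system OpenSSL.
MIXED_LDD='	libssl.so.43 => /opt/libressl/lib/libssl.so.43 (0x00007f0000000000)
	libcrypto.so.41 => /opt/libressl/lib/libcrypto.so.41 (0x00007f0000100000)
	libpq.so.5 => /usr/lib64/libpq.so.5 (0x00007f0000200000)
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000300000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000400000)'

# Constructed sample: curl uses NSS for TLS, so only one OpenSSL-family
# ABI is present.
CLEAN_LDD='	libssl.so.43 => /opt/libressl/lib/libssl.so.43 (0x00007f0000000000)
	libcrypto.so.41 => /opt/libressl/lib/libcrypto.so.41 (0x00007f0000100000)
	libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f0000200000)
	libnss3.so => /usr/lib64/libnss3.so (0x00007f0000300000)'

# With a path argument, check a real binary or extension module.
if [ "$#" -gt 0 ]; then
    if ldd "$1" | single_openssl_abi; then
        echo "$1: single OpenSSL ABI"
    else
        echo "$1: mixed OpenSSL ABIs:" >&2
        ldd "$1" | openssl_sonames >&2
    fi
fi
```

The check only catches conflicts between different sonames; two builds that share a soname are resolved to whichever the loader finds first and need a path comparison instead.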