Hi,
I just wanted to send a quick update about my recent work on openssl ext in
case someone else wanted to start something similar so we don't have a
wasted effort on that. :)
- Error queueing
I'm more or less done with a patch for error storing and clearing OpenSSL
error queue:
https://github.com/php/php-src/compare/PHP-7.0...bukka:openssl_error_store
I have been slowly working on a more complete test for openssl_error_string
that will cover most real error cases. There is still quite a lot of work
that I need to do but the incomplete test can be seen here:
https://github.com/bukka/php-util/blob/master/tests/openssl/openssl_error_string_basic.phpt
The idea is that I would like to create a PR against 7.0 after I'm happy
with that test so it can be tested by others and then merged. Then I plan
to merge the AEAD work that is complete but overlaps slightly with this one
so I want to merge it after that...
- OpenSSL 1.1 port
I have got a port of the extension to work on OpenSSL 1.1. There has been
quite a bit of changes mainly due to the fact that most structures are now
opaque (but also some other changes)
https://github.com/bukka/php-src/compare/openssl_aead...bukka:openssl_1_1_port
It compiles fine and most tests pass. At the moment I have got just 3 tests
failing that I need to take a look later. But it's welcomed if anyone wants
to take a look and analyse them before I have got the time to look into
them ;). I have got a list that includes some other changes that I need to
verify later:
https://github.com/bukka/php-util/blob/master/tests/openssl/port_1_1_issues.txt
Cheers
Jakub
Hi,
I just wanted to send a quick update about my recent work on openssl ext in
case someone else wanted to start something similar so we don't have a
wasted effort on that. :)
- Error queueing
I'm more or less done with a patch for error storing and clearing OpenSSL
error queue:
https://github.com/php/php-src/compare/PHP-7.0...bukka:openssl_error_store
Good stuff! Just FYI, there has been decent progress on the discussion around how to make libpq behave better with openssl errors (that's what I think prompted this change originally by way of a ticket); looks like that'll land in the next point release(s). But since other extensions' libs may also use openssl, the same issue can arise again anytime, so storing the errors ourselves on the PHP side is a great change that fixes all (well, most of) those potential issues in one sweep.
I have been slowly working on a more complete test for openssl_error_string
that will cover most real error cases. There is still quite a lot of work
that I need to do but the incomplete test can be seen here:
https://github.com/bukka/php-util/blob/master/tests/openssl/openssl_error_string_basic.phpt
The idea is that I would like to create a PR against 7.0 after I'm happy
with that test so it can be tested by others and then merged. Then I plan
to merge the AEAD work that is complete but overlaps slightly with this one
so I want to merge it after that...
Any plans to port that back to 5.6 as well? I'd really love to see that, considering how it fixes real issues in the wild, and how long the security fix phase for 5.6 will be.
- OpenSSL 1.1 port
I have got a port of the extension to work on OpenSSL 1.1. There has been
quite a bit of changes mainly due to the fact that most structures are now
opaque (but also some other changes)
I assume 1.0.whatever-is-in-ubuntu will remain usable? Or do we plan on requiring 1.1 in, say, 7.1?
Thanks for all your hard work on this Jakub!
David
I have got a port of the extension to work on OpenSSL 1.1. There has been
quite a bit of changes mainly due to the fact that most structures are now
opaque (but also some other changes)
I assume 1.0.whatever-is-in-ubuntu will remain usable? Or do we plan on
requiring 1.1 in, say, 7.1?
IIRC it's the plan to discontinue support for 0.9.8 and 1.0.1 with 7.1, but
not 1.0.2. OpenSSL 1.1 is not even released yet, just the first beta a few
days ago.
Hi David
Hi,
I just wanted to send a quick update about my recent work on openssl ext in
case someone else wanted to start something similar so we don't have a
wasted effort on that. :)
- Error queueing
I'm more or less done with a patch for error storing and clearing OpenSSL
error queue:
https://github.com/php/php-src/compare/PHP-7.0...bukka:openssl_error_store
Good stuff! Just FYI, there has been decent progress on the discussion
around how to make libpq behave better with openssl errors (that's what I
think prompted this change originally by way of a ticket); looks like
that'll land in the next point release(s). But since other extensions' libs
may also use openssl, the same issue can arise again anytime, so storing
the errors ourselves on the PHP side is a great change that fixes all
(well, most of) those potential issues in one sweep.
Nice to know that libpq got fixed as I think that the main issue (segfault)
was there. But as you say it will be useful to have a queueing for other
possible issues in the future.
I have been slowly working on a more complete test for openssl_error_string
that will cover most real error cases. There is still quite a lot of work
that I need to do but the incomplete test can be seen here:
https://github.com/bukka/php-util/blob/master/tests/openssl/openssl_error_string_basic.phpt
The idea is that I would like to create a PR against 7.0 after I'm happy
with that test so it can be tested by others and then merged. Then I plan
to merge the AEAD work that is complete but overlaps slightly with this one
so I want to merge it after that...
Any plans to port that back to 5.6 as well? I'd really love to see that,
considering how it fixes real issues in the wild, and how long the security
fix phase for 5.6 will be.
I think that the changes are too big for 5.6. There are some additional
changes in it to get error codes from functions which would need further
checking as technically we still support 0.9.7 and 0.9.6 for 5.6 (some
functions return void on these versions). Also it would be quite a bit of
work to port it as the openssl.c is a bit different in 7.0. I think that
after libpq is fixed the motivation for that is much smaller and the fact
is that it's not really a bug in openssl ext. It's more improvement that
helps fix some possible issue and that's why I think that 7.0 is a perfect
version for it. And if someone has really an issue with that, they can
always clear the error queue with openssl_error_string...
- OpenSSL 1.1 port
I have got a port of the extension to work on OpenSSL 1.1. There has been
quite a bit of changes mainly due to the fact that most structures are now
opaque (but also some other changes)
I assume 1.0.whatever-is-in-ubuntu will remain usable? Or do we plan on
requiring 1.1 in, say, 7.1?
So the plan is that 7.1 will support version 1.0.1, 1.0.2 and 1.1.0. So no
requiring 1.1 - it will work for older versions as well. ;)
Cheers
Jakub
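
The workaround mentioned in the message above (clearing the error queue with openssl_error_string), as an added example that is not code from the thread or from php-src. The helper names `drain_openssl_errors` and `with_clean_openssl_queue` are hypothetical, and the PEM input is constructed:

```php
<?php
// Added illustration; helper names are hypothetical, not part of ext/openssl.

/** Pop every pending entry off the OpenSSL error queue and return them. */
function drain_openssl_errors(): array
{
    $errors = [];
    // openssl_error_string() returns one queued message per call, false when empty.
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/**
 * Run $operation against an empty error queue, so that whatever is queued
 * afterwards belongs to this call and not to earlier OpenSSL use in the process.
 */
function with_clean_openssl_queue(callable $operation): array
{
    $stale  = drain_openssl_errors();   // leftovers from earlier calls
    $result = $operation();
    $own    = drain_openssl_errors();   // entries queued while $operation ran
    return ['result' => $result, 'errors' => $own, 'stale' => $stale];
}

// Constructed input: not a valid PEM key, so parsing fails and queues errors.
$badPem = "-----BEGIN PRIVATE KEY-----\nnot-base64\n-----END PRIVATE KEY-----\n";

// This failure is deliberately left in the queue to play the role of stale errors.
@openssl_pkey_get_private($badPem);

$report = with_clean_openssl_queue(function () {
    // Without the drain, the stale entries above would be read as this call's errors.
    return openssl_digest('payload', 'sha256');
});

printf("stale entries discarded: %d\n", count($report['stale']));
printf("entries queued by the digest call: %d\n", count($report['errors']));
foreach ($report['stale'] as $line) {
    echo "  stale: $line\n";
}
```

The exact error strings and their count depend on the OpenSSL version PHP is linked against.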
On 20/03/2016 at 20:50, Jakub Zelenka wrote:
Hi,
I just wanted to send a quick update about my recent work on openssl ext in
Can you please update the state of openssl 1.1.0 compatibility ?
I see most work done in master ?
Not in 7.0 or 7.1 ?
Remi.
P.S. openssl 1.1.0b just hit Fedora rawhide repository (will be F26)
and of course, 7.0.x doesn't build anymore.
On 11/10/2016 at 12:56, Remi Collet wrote:
On 20/03/2016 at 20:50, Jakub Zelenka wrote:
Hi,
I just wanted to send a quick update about my recent work on openssl ext in
Can you please update the state of openssl 1.1.0 compatibility ?
I see most work done in master ?
Not in 7.0 or 7.1 ?
In fact, 7.1 is OK, so I will update Fedora repo to 7.1.0RC4 very soon.
Remi.
Remi,
I'm glad this was followed up on, it is likely the source of a reported
issue!
7.1 no longer supports LibreSSL due to the usage of some new openssl
changes, you can find the errors http://awel.domblogger.net/7/php7/ssl_error.txt
and a patch by the reporter here:
http://awel.domblogger.net/7/php7/php-7.1.0RC3-libressl.patch.txt
Can you review the patch and apply it for RC4? It should just use the older
library (compatible) behavior.
Thanks,
- Davey
On 11/10/2016 at 12:56, Remi Collet wrote:
On 20/03/2016 at 20:50, Jakub Zelenka wrote:
Hi,
I just wanted to send a quick update about my recent work on openssl ext in
Can you please update the state of openssl 1.1.0 compatibility ?
I see most work done in master ?
Not in 7.0 or 7.1 ?
In fact, 7.1 is OK, so I will update Fedora repo to 7.1.0RC4 very soon.
Remi.
Hey
7.1 no longer supports LibreSSL due to the usage of some new openssl
changes, you can find the errors http://awel.domblogger.net/7/php7/ssl_error.txt
and a patch by the reporter here:
http://awel.domblogger.net/7/php7/php-7.1.0RC3-libressl.patch.txt
Can you review the patch and apply it for RC4? It should just use the older
library (compatible) behavior.
I just committed a clean up of some defines and added the LibreSSL checks
so it should be hopefully fine.
Cheers
Jakub
On 20/03/2016 at 20:50, Jakub Zelenka wrote:
Hi,
I just wanted to send a quick update about my recent work on openssl ext in
Can you please update the state of openssl 1.1.0 compatibility ?
I see most work done in master ?
Not in 7.0 or 7.1 ?
7.1 is the same as master. All has been merged but there are still 2
failing tests when used with 1.1. I have some solutions for them that I
will add at some point. I noticed couple of other things that are also with
1.0 so plan to look into them too. Mostly old bugs already there...
Remi.
P.S. openssl 1.1.0b just hit Fedora rawhide repository (will be F26)
and of course, 7.0.x doesn't build anymore.
7.0 will not work with OpenSSL 1.1 as the changes required were too big for
back port.
Cheers
Jakub