Legacy provider is not working for OpenSSL extension
Description:
When deploying PHP 8.3 with FPM it seems to pick up OPENSSL_CONF from the fine, but if that configuration requests the legacy provider for OpenSSL 3 it will not work.
It looks like, upon inspecting the image, the ossl-modules folder is missing, so legacy.so is missing. But I can't be sure if it is meant to be there (I am comparing to my own macOS installation) and not precompiled in. So there's some issue with the legacy provider. If you need to process PKCS12 files from Apple with rc2-40-cbc then you'll be stuck with an error, as it's removed from the OpenSSL 3 standard cipher list due to security issues. (error:0308010C:digital envelope routines::unsupported)
How to reproduce:
docker run -ti --platform linux/amd64 --entrypoint /bin/bash bref/php-83-fpm
$ cd /root
$ cat <<EOF > openssl.cnf
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
EOF
$ cat <<EOF > test.php
<?php
print_r(openssl_get_cipher_methods());
EOF
$ OPENSSL_CONF=/root/openssl.cnf php ./test.php
Expecting output to contain:
rc2-40-cbc
I have the same issue. Seems that is still happening :)
I am experiencing the same issue because I need to use the RC4 algorithm for a third-party integration. I'm getting the error OpenSSL Error: error:0308010C:digital envelope routines::unsupported, even though the OPENSSL_CONF environment variable points to an existing and correct config file with the following content:
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
However, if the legacy module isn't in the environment, it won't be loaded. I'm now considering building a custom Lambda layer to include the legacy OpenSSL providers.
Feel free to send a pull request to the Bref layers if you can find an easy solution. I haven't taken the time myself to dive into it.
Hello, @mnapoli, here’s the PR in Bref layers repo. I’ve already published the layer to my account and used it in my own setup, and I can confirm that it works. I’m able to successfully use legacy ciphering providers.
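A way to check for the condition described in this thread, a provider that the config activates but whose module file is absent, written as an added example that is not part of the thread or of the Bref project. The function name and demo paths are hypothetical; it assumes the `default`, `base` and `null` providers are built into libcrypto and that any other provider is loaded from `<name>.so` in the modules directory.

```bash
# Added example: print each provider that openssl.cnf activates but that has no
# <name>.so in the modules directory. Assumption: no "module = <path>" overrides.
missing_provider_modules() {
    local conf="$1" moddir="$2" name
    awk -F= '
        { sub(/#.*/, "") }                                    # drop comments
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); sect = substr($0, 2, length($0) - 2); next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            val[sect, k] = v                                  # value per [section], key
            keys[sect] = keys[sect] " " k                     # key order per section
        }
        END {
            # openssl_conf -> init section -> providers section -> one section per provider
            psect = val[val["", "openssl_conf"], "providers"]
            n = split(keys[psect], names, " ")
            for (i = 1; i <= n; i++)
                if (val[val[psect, names[i]], "activate"] ~ /^(1|yes|true|on)$/)
                    print names[i]
        }
    ' "$conf" | while read -r name; do
        case "$name" in default|base|null) continue ;; esac   # built in, no .so needed
        [ -f "$moddir/$name.so" ] || echo "$name"
    done
}

# Constructed demo: the config from the issue, checked against an empty modules dir.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/ossl-modules"
cat > "$demo_dir/openssl.cnf" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
EOF
missing_provider_modules "$demo_dir/openssl.cnf" "$demo_dir/ossl-modules"   # prints: legacy
rm -rf "$demo_dir"
```

On a real image, pass the directory that `openssl version -m` reports as MODULESDIR, or the value of `OPENSSL_MODULES` when that variable is set.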