php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55470 Crash when calling openssl_sign under mod_php
Submitted: 2011-08-21 00:26 UTC Modified: 2011-10-03 15:15 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: douglas dot wright at pre-school dot org dot uk Assigned: pajoye (profile)
Status: Not a bug Package: Apache2 related
PHP Version: 5.3.7 OS: Windows Server 2008/Windows 7
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: douglas dot wright at pre-school dot org dot uk
New email:
PHP Version: OS:

 

 [2011-08-21 00:26 UTC] douglas dot wright at pre-school dot org dot uk
Description:
------------
Attempting to use openssl_sign() when running under mod_php causes a crash.

The test script works without problem when run from the command line.

Tested with the Apache Lounge build of Apache 2.2.19 (latest)

Test script:
---------------
<?php
//non-confidential test key
$key = <<<ENDKEY
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxAa4FfgtluQBKZvSx5syCvM0i9AKyWk++zCPjK8dInGxd2SE
jn6p+OKLzhu0rZfIKolsy8oIbyrCD+6Itc2jT7pFdrErlPhm4KzMhcqoPxuPiLTe
fz9KfCYdzw/AR9Me685Iw2ehFzpPJ80n+YqeESttzyCEmT2usRz1jzECv6XrRDSj
bpJ5rYo+nxLCC40M1Bv5dulKaHixvmF5LuUhLGr9TQcNmJl4WMdLKBt8ytu+HxoU
k72c1mqwhga6K0gR4u3ZJ2qCf0CvhZHpv/3NPnHrxE729kV3UADun/ZlvHL0eSro
vjXsdGyHzs6cKlWEBVpttBpYusvbCq2Kga/ADQIDAQABAoIBABzHt8NR+q+KrjkD
rcCson5FEtPsKYlEsICEsq6/DxH9i0ayNVwOcLof2NLb8n0CKdtE7fpFoVNg/bkF
FoFKvc141bYFcRagGcqm1ChYhrctPredhoU8L51moz3BXEOvVXzdfoVh857Las+3
KUVT+r0emTKt3Yn6KmnKjKsHURX97mqv8RWgXi0EERw1PoJtk57CIW/hRF9nYHow
X1wwiqyxDKUmQ/xSjwSqebydnn19i1oYpc3CzbYEkbvGRmAFKNu58IQg+s8NtKhi
YT5F62WXSVIj8TuLal6DZzLAGJVynBm49cV6cygqx94LKRA7N+LFFufL1oD2xsSA
UioN+GkCgYEA5zsQWSYeUsGYGDSsfjV6/szB0ai0pRlrpM5UUhxAXlETw0niY3FP
bh0Gh7aitOTlSEEfgpZFr0MgnZR/wXjcongvl5kD9uXjjARLSgQbjWryI4kelIdF
v7cA+QXCSLd79erLkYAyTtzEMXbP3/IO6wQ3Vp3uu8z4LGyyu8apunMCgYEA2QZC
QRbE02VrybbNNb5xP6qBQrrspN2BKTRaKViQ4+vllbCxzeVYh/B46tgG/EgwprmH
bGl4r+GpiraRnBntnsBkbcXp2JhW0HCKNluliz1fI6njZ4CYOStWVELnBxvCwLc1
5w+bn6a30iULXr5caUYt9DWm17TNrSV67EC9e38CgYEAz416rSrECTBwnzmYo2jJ
0DBmwRSXoaJhtvrlQRbOyFoqTR7isLQiwgoXtHXBMnJLREIAUK0mO50bh5al3jno
gYUz4vWcU2AikanBEt0BBj06v57y7gtGFkHkA6Khs7fO8vwgYagagCM1j9i/2pph
vZ55Naxpf/UJxoaDIH3AF/UCgYBVmuVpfUy4QipJT+UUTQGo5l3Eb61GvuTi1va1
lmzYqsVNzXvlRpEsVgusPvhKbUNbkJU9i0ECx5Wz1J4NICEd3LAAqO+78yNTZwDt
virHiLbNf4bm3c+txU1xQU6V/DpPADWv5fUx/XZG2zvn7FjRYdBgowUj0vrKUJ1z
MXpMiwKBgHVeGMRFC/gJiehYYuCZgPC5/OuysDdstrQ6pExVEEpx3vb400St9JMN
ZtFwwmOpcuYN6F2hmdr9EaxBBqCvbF+eBucj3MWYtaaI1bT4WtfveJYzz28CpNp3
/HvIuBnyZHHkGiXGcYKR06oxHsLOSzbeztTNw+NMuAowlBLdENjX
-----END RSA PRIVATE KEY-----
ENDKEY;

openssl_sign('foo', $signature, $key);
echo base64_encode($signature);

Expected result:
----------------
Running the test script should output 1-2 lines of base64. 

Actual result:
--------------
Apache process terminates, no output is sent to browser.

The Apache error log contains the message: "Parent: child process exited with status 255 -- Restarting."

PHP's error log says nothing.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-08-30 08:10 UTC] ska-pig at gmx dot net
The problem is probably a wrong opensll library version. When PHP runs as an apache module it will use libeay32.dll and ssleay32.dll from the apache\bin directory rather than the ones in your php installation folder. Apache from apachelounge is built with openssl 1.0.0d but PHP with openssl 0.9.8r. Copying libeay32.dll and ssleay32.dll from the PHP folder to your apache bin directory will likely solve the problem, although this might cause problems with apache if you use SSL with apache as well.
 [2011-08-30 10:13 UTC] douglas dot wright at pre-school dot org dot uk
Having tested, I confirm that overwriting the Apache version of those two SSL files with PHP's stops the crash.

However as I do use HTTPS, it's not a fix I can put into production.

Surely PHP should be using it's own copy of openssl?
 [2011-08-30 10:37 UTC] johannes@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2011-08-30 10:37 UTC] johannes@php.net
I think Windows' openssl lib should be updated.
 [2011-08-30 11:53 UTC] pajoye@php.net
-Status: Assigned +Status: Feedback
 [2011-08-30 11:53 UTC] pajoye@php.net
it is already 0.9.8r, which version do you need then?
 [2011-08-30 18:26 UTC] pajoye@php.net
See http://www.apachelounge.com/viewtopic.php?p=19040#19040

So it is most likely due to this change and we can't update to 1.0.0 yet (for this 
exact reason). I will see if they can rollback this change.
 [2011-09-01 09:36 UTC] pajoye@php.net
-Status: Feedback +Status: Bogus
 [2011-09-01 09:36 UTC] pajoye@php.net
Actually not a php issue but yet another break in ABI between openssl versions. 
Apachelounge will restore 0.9.8r support. We will try to sync us to move to 1.x or 
provide two builds.
 [2011-10-03 14:57 UTC] paresy at gmx dot net
Has there been any progress on this one? ApacheLounge forums mentioned beta1 as a 
possible target for a move to 1.0, but that didn't happen. I would really 
appreciate if you could provide a second build with OpenSSL 1.0.
 [2011-10-03 15:02 UTC] pajoye@php.net
Yes, apachelounge is rolling openssl back to 0.9.x serie.
 [2011-10-03 15:06 UTC] paresy at gmx dot net
Does this mean, that you won't switch to OpenSSL 1.0 for the PHP 5.4 release? 
Can i build PHP by myself with OpenSSL 1.0 support?
 [2011-10-03 15:15 UTC] pajoye@php.net
Question: Why do you need openssl 1.0 in the 1st place?

And this bug is about 5.3.x which won't have 1.x ever, for compatibility reasons. 
This is not due to PHP but OpenSsl having versions incompatible with each other 
(happened even between patch releases).
 [2011-10-03 15:38 UTC] paresy at gmx dot net
My custom build webserver is using OpenSSL 1.0 with its new features. Therefore i 
can't go back to 0.9.8 and at the moment i am missing SSL support in PHP.

If there is any workaround available, or i can build PHP 5.4 for OpenSSL 1.0, i 
would give it a shot, if you say that OpenSSL 1.0 support is not coming for the 
PHP 5.4 release. (At least building PHP on Windows looked like a lot of work)

I will be glad to open a feature request for 5.4 if that fits in your workflow. I 
don't need it in 5.3.x.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 22 03:01:27 2024 UTC