|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64501 openssl cannot work with non-default engines/algos
Submitted: 2013-03-24 10:44 UTC Modified: 2021-01-12 17:57 UTC
Avg. Score:4.4 ± 0.9
Reproduced:6 of 6 (100.0%)
Same Version:1 (16.7%)
Same OS:0 (0.0%)
From: eugene at zhegan dot in Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: Irrelevant OS: irrelevant
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: eugene at zhegan dot in
New email:
PHP Version: OS:


 [2013-03-24 10:44 UTC] eugene at zhegan dot in
openssl extension cannot work with non-default engines/algos, for example GOST.

I have a set of openssl 1.0.1x binaries on various OSes, including Linux Debian Wheezy, Solaris 10 x86, Solaris 11 x86, Solaris 11.1. x86. I have a GOST-enabled configuration file, containing a set of parameters:

openssl_conf = openssl_def

oid_section             = new_oids
engines                 = engine_section

gost = gost_section

engine_id = gost
dynamic_path = /usr/local/openssl/lib/engines/
default_algorithms = ALL

All of my openssl console utilities are able to create certificates and private keys using GOST engine/algos and sign/verify S/MIME with it:


/usr/local/openssl/bin/openssl req -x509 -engine gost -newkey GOST2001:gost2001.parfile -keyout key.pem -out cert.pem -nodes
(file is created)

/usr/local/openssl/bin/openssl req -x509 -engine gost -newkey GOST2001:gost2001.parfile -keyout key.pem -out cert.pem -nodes
(certificate is created)

/usr/local/openssl/bin/openssl cms -sign -signer cert.pem -inkey key.pem -in msg.txt -out signed.txt
(S/MIME is signed)

None of my PHP binaries, built with same openssl libraries are capable of using such engine/algo. They all complain about non-supported algorithm.

Not only one openssl_pkcs7_sign() is affected, but the whole set of openssl_* calls. The same thing applies to loading and testing private keys using PHP and openssl_pkey_get_private() call and so on.

This is reproducible on various PHP versions, including 5.3.23, 5.4.11, 5.4.12 and so on.

This is related to bugs:

Further investigation using truss/strace/ktrace OS-specific utilities shows that OPENSSL_CONF environment variable is totally ignored, at least I don't see any open() on a file pointed with OPENSSL_CONF variable. Furthermore, if being used inside a default configuration file, this does nothing, because it's totally ignored by the PHP, thus only defaults are used.

Test script:

if (openssl_pkcs7_sign("./msg.txt", "phpsigned.txt", 'file://'.realpath('./cert.pem'),
    array('file://'.realpath('./key.pem'), ""),
    array("To" => "", // keyed syntax
          "From: HQ <>", // indexed syntax
          "Subject" => "Eyes only")
    )) {
} else {
    echo openssl_error_string(), "\n";

Expected result:
This code should produce a valid S/MIME file.

Actual result:
This code now produces a set of errors and warnings:

# php sign.php
PHP Warning:  openssl_pkcs7_sign(): error getting private key in /home/emz/openssl/sign.php on line 8
error:0606F076:digital envelope routines:EVP_PKCS82PKEY:unsupported private key algorithm


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-12-03 16:11 UTC] dab1818 at gmail dot com
i have same problem on different systems.
on some systems openssl configuration loaded and works with GOST, on others - not.

simple test to check is:
strace php -m 2>&1 |grep openssl.cnf
open("/etc/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
      ^^^^^^^^^^^^^^^^^^^^ if it opened - all works fine.

also tested with patches from related bugs, which forces loading openssl configuration (OPENSSL_config & etc...) :
on some systems php throws "GOST engine already loaded" and
'open("/etc/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3' appears twice.

php curl extension.
depending on the version of curl library it loads openssl configuration itself (7.5x - loads, 7.3x - not).
"curl" initialized before "openssl" extension (alphabetically?) and all works fine.

another workaround for this bug?
upgrade curl to 7.5x and enable php curl extension?
 [2021-01-12 17:57 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-01-12 17:57 UTC]
This is fixed[1] as of PHP 7.2.0.

[1] <>
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Mar 09 11:01:23 2021 UTC