php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65157 openssl module doesn't see all available ciphers
Submitted: 2013-06-28 10:15 UTC Modified: 2013-07-05 08:58 UTC
From: eugene at zhegan dot in Assigned:
Status: No Feedback Package: OpenSSL related
PHP Version: 5.3.26 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: eugene at zhegan dot in
New email:
PHP Version: OS:

 

 [2013-06-28 10:15 UTC] eugene at zhegan dot in
Description:
------------
Openssl doesn't see al available ciphers.
In order to not get bored, please read the last part, and then, if you are still 
not bored, you can read following part, in order to understand how to get GOST 
ciphers in PHP.

Missing cipher is GOST R 34.10-2001.

BORING PART:
I have an fresh upstream OpenSLL, which now is by default built with GOST 
encryption. I want to use GOST encryption (actually, I have to use it, because 
I'm from Russia, and FSB/KGB/God knows who is forcing to use it). OpenSSL > 
1.0.0 is built with GOST encryption, but in order to actually enable it, you 
have to use a configuration file which mentions it. This is the first problem, 
still unresolved in the PHP, howevere there are several workarounds (all of the 
contail OPENSSL_config() call added somewhere).

I have a curl from upstream built with OPENSSL_config() call, and a curl PHP 
module loaded before openssl module (so, no openssl modifuication is needed).

NOT SO BORING PART:

Why I think it's missing:

Because openssl has it:

/usr/local/openssl/bin/openssl ciphers aGOST01
GOST2001-GOST89-GOST89:GOST2001-NULL-GOST94

(according to its manual - "aGOST01 - cipher suites
using GOST R 34.10-2001 authentication.")

Curl also has it:

/usr/local/curl/bin/curl --engine gost --ciphers GOST2001-GOST89-GOST89
https://google.com
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure

I got a failure, but when the non-existent cipher suite is used, the
error is different:

/usr/local/curl/bin/curl --engine gost --ciphers GOST2001-GOST89-GOST666
https://google.com
curl: (59) failed setting cipher list

So, openssl has it, curl has it, but for some reason php doesn't.
openssl_get_md_methods() shows a couple of GOST digest but not GOST R
34.11-94:

array(30) {
  [0]=>
  string(3) "DSA"
  [1]=>
  string(7) "DSA-SHA"
  [2]=>
  string(17) "GOST 28147-89 MAC"
  [3]=>
  string(15) "GOST R 34.11-94"
  [4]=>
  string(3) "MD4"
  [5]=>
  string(3) "MD5"
  [6]=>
  string(4) "MDC2"
  [7]=>
  string(9) "RIPEMD160"
  [8]=>
  string(3) "SHA"
  [9]=>
  string(4) "SHA1"
  [10]=>
  string(6) "SHA224"
  [11]=>
  string(6) "SHA256"
  [12]=>
  string(6) "SHA384"
  [13]=>
  string(6) "SHA512"
  [14]=>
  string(13) "dsaEncryption"
  [15]=>
  string(10) "dsaWithSHA"
  [16]=>
  string(15) "ecdsa-with-SHA1"
  [17]=>
  string(8) "gost-mac"
  [18]=>
  string(3) "md4"
  [19]=>
  string(3) "md5"
  [20]=>
  string(9) "md_gost94"
  [21]=>
  string(4) "mdc2"
  [22]=>
  string(9) "ripemd160"
  [23]=>
  string(3) "sha"
  [24]=>
  string(4) "sha1"
  [25]=>
  string(6) "sha224"
  [26]=>
  string(6) "sha256"
  [27]=>
  string(6) "sha384"
  [28]=>
  string(6) "sha512"
  [29]=>
  string(9) "whirlpool"

The code 

$encres = openssl_digest("123", "GOST R 34.11-94");
echo $encres;

gives this:

5ef18489617ba2d8d2d7e0da389aaa4ff022ad01a39512a4fea1a8c45e439148

And the code:

encres = openssl_digest("123", "GOST R 34.10-2001");
echo $encres;

gives this:

PHP Warning:  openssl_digest(): Unknown signature algorithm in 
/home/emz/ciphers.php on line 6

Test script:
---------------
<?php
        var_dump(openssl_get_md_methods());
        var_dump(hash_algos());
        $encres = openssl_digest("123", "GOST R 34.10-2001");
        echo $encres;
?>

Expected result:
----------------
I expect GOST R 34.10-2001 to be shown in the cipher list and openssl_digest() 
gives me encrypted string.


Actual result:
--------------
In fact, GOST R 34.10-2001 is not shown in the output of the 
openssl_get_md_methods(), and openssl_digest() is giving me the error:

PHP Warning:  openssl_digest(): Unknown signature algorithm in 
/home/emz/ciphers.php on line 6

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-06-28 15:45 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2013-06-28 15:45 UTC] ab@php.net
I really doubt the reported issue has something to do with PHP. Looking at the 
code behind openssl_digest - PHP is just a wrapper, the lookup for a digest 
method is done by the openssl library. See 
http://lxr.php.net/xref/PHP_5_3/ext/openssl/openssl.c#4594  

Could you please check whether PHP is linked with the openssl instance you 
expect? Also whether the correct .so is used on runtime. Please be aware also - 
some engines can require to be loaded and configured through openssl.cnf, be 
sure the right config file is used.
 [2013-07-05 08:58 UTC] ab@php.net
-Status: Feedback +Status: No Feedback
 [2013-07-05 08:58 UTC] ab@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.


 [2013-07-25 12:32 UTC] eugene at zhegan dot in
Here's the test you requested (same machine as above):

# ldd `which php`
        linux-vdso.so.1 (0x00007fff5ddff000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 
(0x00007fe2da09e000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 
(0x00007fe2d9e87000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fe2d9c7e000)
        libmcrypt.so.4 => /usr/lib/libmcrypt.so.4 (0x00007fe2d9a4c000)
        libltdl.so.7 => /usr/lib/x86_64-linux-gnu/libltdl.so.7 
(0x00007fe2d9843000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe2d963e000)
        libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00007fe2d93b6000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007fe2d919f000)
        libpng12.so.0 => /lib/libpng12.so.0 (0x00007fe2d8f78000)
        libjpeg.so.62 => /usr/lib/libjpeg.so.62 (0x00007fe2d8d55000)
        libcrypto.so.1.0.0 => /usr/local/openssl/lib/libcrypto.so.1.0.0 
(0x00007fe2d897b000)
        libssl.so.1.0.0 => /usr/local/openssl/lib/libssl.so.1.0.0 
(0x00007fe2d8711000)
        libmysqlclient.so.16 => /usr/lib/libmysqlclient.so.16 
(0x00007fe2d82f4000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 
(0x00007fe2d80d8000)
        libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fe2d7ebf000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fe2d7bc1000)
        libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 
(0x00007fe2d7a5f000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe2d76b1000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe2da2de000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fe2d748e000)

I can not agree (thoough I understand I can be wrong) - openssl clearly shows it 
has the cipher, curl agrees.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Aug 03 14:01:30 2021 UTC