php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79063 curl openssl does not respect PKG_CONFIG_PATH nor --with-openssl-dir
Submitted: 2020-01-04 14:50 UTC Modified: 2020-01-06 19:36 UTC
From: naox at yum dot pl Assigned: nikic (profile)
Status: Closed Package: *Compile Issues
PHP Version: 7.4.1 OS:
Private report: No CVE-ID: None
 [2020-01-04 14:50 UTC] naox at yum dot pl
Description:
------------
openssl compiled into curl extension does not respect PKG_CONFIG_PATH nor --with-openssl-dir during compilation. Bug was not present before php 7.4. Now you can't have curl with openssl diffrent than one on your OS.

openssl extension respects PKG_CONFIG_PATH and --with-openssl-dir during compilation, but openssl compiled into curl extension does not. That means you can end up with diffrent openssl in those two extensions.

you can check openssl version in both those extensions in phpinfo()

You might think that curl extension would have openssl version that is compiled into curl but strangely no.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-06 09:31 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b59f760472787bef78f9fc71eaa02f3cf056dff8
Log: Fix bug #79063: Curl openssl does not respect PKG_CONFIG_PATH
 [2020-01-06 09:31 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2020-01-06 09:44 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-01-06 09:44 UTC] nikic@php.net
I've applied an additional change in https://github.com/php/php-src/commit/68f6ab711323678382d2746e57358d3f57a3446b to avoid dealing with openssl in the first place if curl is linked against openssl 1.1.
 [2020-01-06 18:40 UTC] naox at yum dot pl
-Status: Closed +Status: Assigned
 [2020-01-06 18:40 UTC] naox at yum dot pl
I've aplied your patch. I don't know what it does but it did not help. Everything I've previously described remains valid. curl extension gets openssl from default openssl in OS and not from version compiled into php openssl extension or version of openssl compiled into libcurl.
 [2020-01-06 19:22 UTC] naox at yum dot pl
Correction. Now bug is present when compiling php with openssl newer than openssl present in libcurl. In that case somehow OS default openssl version will get compiled into php curl extension. Warning or error on configure script might be in order for such situation but I guess bug is resolved.
 [2020-01-06 19:26 UTC] naox at yum dot pl
-Status: Assigned +Status: Closed
 [2020-01-06 19:26 UTC] naox at yum dot pl
----
 [2020-01-06 19:36 UTC] nikic@php.net
To clarity, there are three commits here, I assuming you applied all of them: https://github.com/php/php-src/commit/2d29904f252c7e7bb7c7cdfe9b6f095e3fb8f5d9, https://github.com/php/php-src/commit/b59f760472787bef78f9fc71eaa02f3cf056dff8, https://github.com/php/php-src/commit/68f6ab711323678382d2746e57358d3f57a3446b

Could you please clarify which openssl your libcurl is linked against, which version is provided by the system, which you are trying to link against with PKG_CONFIG_PATH, and which actually ends up being used?

Generally speaking, the version that is linked into libcurl should match the version against which you link PHP, or least they need to have compatible ABI.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Oct 19 22:01:23 2020 UTC