Greetings, on my CentOS 7 running 130.00beta01, when I update my PHP version, it is using the OS's OpenSSL version 1.0.2k and not the 1.1.1w

Code (Text):

    /usr/local/bin/php --ri openssl

    openssl

    OpenSSL support => enabled
    OpenSSL Library Version => OpenSSL 1.0.2k-fips 26 Jan 2017
    OpenSSL Header Version => OpenSSL 1.0.2k 26 Jan 2017
    Openssl default config => /etc/pki/tls/openssl.cnf

    Directive => Local Value => Master Value
    openssl.cafile => no value => no value
    openssl.capath => no value => no value

whereas nginx gets the latest version

Code (Text):

    nginx -V
    nginx version: nginx/1.25.3 (291023-163256-centos7-kvm-122e3d9-br-6e975bc)
    built by gcc 10.2.1 20210130 (Red Hat 10.2.1-11) (GCC)
    built with OpenSSL 1.1.1w 11 Sep 2023
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/nginx-dep/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/nginx-dep/lib -flto=8 -fuse-ld=gold' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/nginx-dep/include -m64 -march=x86-64 -mavx -mavx2 -mpclmul -msse4 -msse4.1 -msse4.2 -g -O3 -Wno-strict-aliasing -fstack-protector-strong -flto=8 -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wno-pointer-sign -Wimplicit-fallthrough=0 -Wno-missing-profile -Wno-implicit-function-declaration -Wno-int-conversion -Wno-unused-result -Wno-unused-result -Wno-stringop-overflow -fcode-hoisting -Wno-cast-function-type -Wno-format-extra-args -Wno-vla-parameter -Wno-stringop-overflow -Wp,-D_FORTIFY_SOURCE=2' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=291023-163256-centos7-kvm-122e3d9-br-6e975bc --with-compat --without-pcre2 --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5.1 --add-dynamic-module=../ngx_devel_kit-0.3.2 --add-dynamic-module=../set-misc-nginx-module-0.33 --add-dynamic-module=../echo-nginx-module-0.63 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.4.0-cmm --add-module=../memc-nginx-module-0.19 --add-module=../srcache-nginx-module-0.33 --add-dynamic-module=../headers-more-nginx-module-0.34 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.3 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1w --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3 -fuse-ld=gold'

I see there is a PHP_CUSTOMSSL option. Not sure what I should do to bring PHP to use the latest 1.1.1w as well?

Actually, maybe the real question is what version of OpenSSL is known to work well with centminmod now? 3.0.x? And what is the recommended way to upgrade both nginx and PHP to that?

Thanks.
Yes, that's the expected outcome. By default Nginx uses custom OpenSSL 1.1.1w on CentOS 7, as CentOS 7's system OpenSSL is on 1.0.2k and lacks TLSv1.3 protocol support. PHP-FPM is left to use CentOS 7 system OpenSSL 1.0.2k as it really hasn't needed OpenSSL 1.1.1 and is fine as is. Nginx on the other hand needed TLSv1.3.

In the past I had some difficulties building PHP-FPM with OpenSSL beyond CentOS 7's system OpenSSL 1.0.2k, so left it as is. Though I've recently solved that, in testing at least. You can try it using the variable PHP_CUSTOMSSL_FORCE='y' in the persistent config file /etc/centminmod/custom_config.inc prior to running centmin.sh menu option 5 for PHP recompiles/upgrades etc. This PHP_CUSTOMSSL_FORCE='y' will auto set PHP_CUSTOMSSL='y'.

But I haven't found any practical benefits of using PHP-FPM with OpenSSL 1.1.1w or going beyond CentOS 7's system OpenSSL 1.0.2k in all these years.

However, OpenSSL 1.1.1 is EOL now, so OpenSSL 3+ will be the eventual option unless you switch to system OpenSSL, which has extended support until 2029 for EL8 OpenSSL 1.1.1 or 2024 for EL7 CentOS 7 OpenSSL 1.0.2k: https://community.centminmod.com/th...tem-openssl-in-130-00beta01.24213/#post-97580

Centmin Mod Nginx supports variable crypto libraries via various flags for testing etc.

- OpenSSL 1.1.1 (default) source compiled OpenSSL 1.1.1w is last release now EOL
- OpenSSL 3.0 source compiled latest OpenSSL 3.0.12
- OpenSSL 3.1 source compiled latest OpenSSL 3.1.4
- OpenSSL 3.2 beta source compiled
- System OpenSSL - EL7 OpenSSL 1.0.2k/1.1.1k, EL8 OpenSSL 1.1.1k, EL9 OpenSSL 3.0.7
- BoringSSL
- LibreSSL 3.5+
- QuicTLS OpenSSL 1.1.1/3.0/3.1 for official Nginx 1.25 HTTP/3 QUIC
- Cloudflare Quiche/BoringSSL for Cloudflare's HTTP/3 QUIC implementation

But with PHP_CUSTOMSSL_FORCE='y', you also have PHP version limitations: PHP 5.6 to 8.0 do not support OpenSSL 3.x, only OpenSSL 1.1.1. For OpenSSL 3, the minimum PHP version generally is PHP 8.1.x. Luckily, Centmin Mod 130.00beta01 patched PHP 7.4 and 8.0 to support OpenSSL 3.x automatically, though. However, PHP 5.6 to 7.3 still do not support OpenSSL 3.x with PHP_CUSTOMSSL_FORCE='y'.
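Added example, not part of the original posts and not Centmin Mod's own code: a small shell check that reads the OpenSSL version PHP and Nginx each report, and encodes the PHP/OpenSSL 3.x limits stated in the reply above. The function names are hypothetical, and the sample outputs are constructed from the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not Centmin Mod code. Sample outputs are constructed from the
# `php --ri openssl` and `nginx -V` outputs quoted in the thread.
SAMPLE_PHP='OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL Header Version => OpenSSL 1.0.2k  26 Jan 2017'

SAMPLE_NGINX='nginx version: nginx/1.25.3
built with OpenSSL 1.1.1w  11 Sep 2023
TLS SNI support enabled'

# Runtime OpenSSL version PHP is linked against; reads `php --ri openssl` on stdin.
php_openssl_version() {
  sed -n 's/^OpenSSL Library Version => OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# OpenSSL version Nginx was built with; reads `nginx -V 2>&1` on stdin.
nginx_openssl_version() {
  sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# OpenSSL 3.x support for a PHP version, per the limits stated in the reply:
#   no      = PHP 5.6 to 7.3
#   patched = PHP 7.4 and 8.0 (patched by Centmin Mod 130.00beta01)
#   yes     = PHP 8.1 and later 8.x
php_openssl3_support() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  case "$major.$minor" in
    7.4|8.0)             echo patched ;;
    5.6|7.0|7.1|7.2|7.3) echo no ;;
    8.*)                 echo yes ;;
    *)                   echo unknown ;;
  esac
}

# Report whether PHP and Nginx use the same OpenSSL version.
# $1 = `php --ri openssl` output, $2 = `nginx -V` output
compare_openssl() {
  p=$(printf '%s\n' "$1" | php_openssl_version)
  n=$(printf '%s\n' "$2" | nginx_openssl_version)
  if [ "$p" = "$n" ]; then echo "match $p"; else echo "differ php=$p nginx=$n"; fi
}

# On a live server:
#   compare_openssl "$(/usr/local/bin/php --ri openssl)" "$(nginx -V 2>&1)"
compare_openssl "$SAMPLE_PHP" "$SAMPLE_NGINX"
```

Running the same comparison again after a PHP recompile with PHP_CUSTOMSSL_FORCE='y' shows whether PHP-FPM actually picked up the custom OpenSSL build.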