Welcome to Centmin Mod Community
Become a Member

PHP php recompiles against openssl 1.0.2.k whereas nginx gets latest 1.1.1w

Discussion in 'Nginx and PHP-FPM news & discussions' started by fablab, Oct 30, 2023.

  1. fablab

    fablab New Member

    May 23, 2020
    Local Time:
    5:43 AM
    on my centos7 running 130.00beta01 , when I update my PHP version, it is using the OS's OpenSSL version 1.0.2k and not the 1.1.1w

    Code (Text):
     /usr/local/bin/php --ri openssl
    OpenSSL support => enabled
    OpenSSL Library Version => OpenSSL 1.0.2k-fips  26 Jan 2017
    OpenSSL Header Version => OpenSSL 1.0.2k  26 Jan 2017
    Openssl default config => /etc/pki/tls/openssl.cnf
    Directive => Local Value => Master Value
    openssl.cafile => no value => no value
    openssl.capath => no value => no value

    whereas nginx gets the latest version
    Code (Text):
    nginx -V
    nginx version: nginx/1.25.3 (291023-163256-centos7-kvm-122e3d9-br-6e975bc)
    built by gcc 10.2.1 20210130 (Red Hat 10.2.1-11) (GCC)
    built with OpenSSL 1.1.1w  11 Sep 2023
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/nginx-dep/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/nginx-dep/lib -flto=8 -fuse-ld=gold' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/nginx-dep/include -m64 -march=x86-64 -mavx -mavx2 -mpclmul -msse4 -msse4.1 -msse4.2 -g -O3 -Wno-strict-aliasing -fstack-protector-strong -flto=8 -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wno-pointer-sign -Wimplicit-fallthrough=0 -Wno-missing-profile -Wno-implicit-function-declaration -Wno-int-conversion -Wno-unused-result -Wno-unused-result -Wno-stringop-overflow -fcode-hoisting -Wno-cast-function-type -Wno-format-extra-args -Wno-vla-parameter -Wno-stringop-overflow -Wp,-D_FORTIFY_SOURCE=2' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=291023-163256-centos7-kvm-122e3d9-br-6e975bc --with-compat --without-pcre2 --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5.1 --add-dynamic-module=../ngx_devel_kit-0.3.2 --add-dynamic-module=../set-misc-nginx-module-0.33 --add-dynamic-module=../echo-nginx-module-0.63 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.4.0-cmm --add-module=../memc-nginx-module-0.19 --add-module=../srcache-nginx-module-0.33 --add-dynamic-module=../headers-more-nginx-module-0.34 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.3 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1w --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3 -fuse-ld=gold'

    I see there is a PHP_CUSTOMSSL option.
    Not sure what I should do to bring PHP to use the latest 1.1.1w as well?

    Actually, maybe the real question is what version of openssl is known to work well with centminmod now ? 3.0.x ?
    and what is the recommended way to upgrade both nginx and PHP to that :)
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    12:43 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yes that's expected outcome, by default Nginx uses custom OpenSSL 1.1.1w on CentOS 7 as CentOS 7's system OpenSSL is on 1.0.2k and lacks TLSv1.3 protocol support.

    PHP-FPM is left to use CentOS 7 system OpenSSL 1.0.2k as it really hasn't needed OpenSSL 1.1.1 and find as is. Nginx on the other hand needed TLSv1.3.

    In the past had some difficulties building PHP-FPM with OpenSSL beyond CentOS 7's system OpenSSL 1.0.2k, so left it as is. Though I've recently solved that in testing at least.

    You can try it using the variable PHP_CUSTOMSSL_FORCE='y' in persistent config file /etc/centminmod/custom_config.inc prior to running centmin.sh menu option 5 for PHP recompiles/upgrades etc. This PHP_CUSTOMSSL_FORCE='y' will auto set PHP_CUSTOMSSL='y'. But I haven't found any practical benefits of using PHP-FPM with OpenSSL 1.1.1w or going beyond CentOS 7's system OpenSSL 1.0.2k in all these years.

    However, OpenSSL 1.1.1 is EOL now, so OpenSSL 3+ will be the eventual option unless you switch to system OpenSSL which has extended support until 2029 for EL8 OpenSSL 1.1.1 or 2024 for EL7 CentOS 7 OpenSSL 1.0.2k https://community.centminmod.com/th...tem-openssl-in-130-00beta01.24213/#post-97580

    Centmin Mod Nginx supports variable crypto libraries via various flags for testing etc.
    • OpenSSL 1.1.1 (default) source compiled OpenSSL 1.1.1w is last release now EOL
    • OpenSSL 3.0 source compiled latest OpenSSL 3.0.12
    • OpenSSL 3.1 source compiled latest OpenSSL 3.1.4
    • OpenSSL 3.2 beta source compiled
    • System OpenSSL - EL7 OpenSSL 1.0.2k/1.1.1k, EL8 OpenSSL 1.1.1k, EL9 OpenSSL 3.0.7
    • BoringSSL
    • LibreSSL 3.5+
    • QuicTLS OpenSSL 1.1.1/3.0/3.1 for official Nginx 1.25 HTTP/3 QUIC
    • Cloudflare Quiche/BoringSSL For Cloudflare's HTTP/3 QUIC implementation
    But with PHP_CUSTOMSSL_FORCE='y, you also have PHP version limitations:
    • PHP 5.6 to 8.0 do not support OpenSSL 3.x only OpenSSL 1.1.1. For OpenSSL 3, minimum PHP version generally is PHP 8.1.x. Luckily, Centmin Mod 130.00beta01 patched PHP 7.4 and 8.0 to support OpenSSL 3.x though automatically. However, PHP 5.6 to 7.3 still do not support OpenSSL 3.x with PHP_CUSTOMSSL_FORCE='y.