
Beta Branch update PHP_CUSTOMSSL routine for el7 in 130.00beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Sep 9, 2022.

  1. eva2000

    eva2000 Administrator Staff Member

    update PHP_CUSTOMSSL routine for el7 in 130.00beta01


    - For CentOS 7, disable PHP_CUSTOMSSL (PHP_CUSTOMSSL='n') due to the additional work needed to make it 100% work properly. The only time PHP_CUSTOMSSL='y' will work is if you also enable PHP_CUSTOMSSL_FORCE='y' in the persistent config file /etc/centminmod/custom_config.inc before centmin.sh menu option 5 runs. This setting allows continual testing of the suitability of PHP_CUSTOMSSL='y' on CentOS 7 systems.


    130.00beta01 branch

     
  2. eva2000

    eva2000 Administrator Staff Member

    FYI, making PHP_CUSTOMSSL work properly involves going down a rabbit hole of dependencies while building custom Centmin Mod el7 RPMs. Building PHP against a custom OpenSSL 1.1.1 on CentOS 7, whose system OpenSSL is 1.0.2, means that OpenSSL 1.1.1 wasn't the only RPM I needed to build.

    I would need:
    • custom curl built against OpenSSL 1.1.1
    • custom libssh2 built against OpenSSL 1.1.1 for curl
    • custom libpsl and libicu dependencies for curl
    • custom libbrotli, pcre, zstd for curl
    • custom uw-imap-devel/libc-client 2007f for PHP IMAP support, as it has to be built against OpenSSL 1.1.1 and patched for OpenSSL 1.1.1 support
    Then for all the above, I had to do 2x sets of custom RPMs plus 2 additional ones for ngtcp2 and nghttp3. One set was built against plain OpenSSL 1.1.1 and another set against the OpenSSL 1.1.1 quictls fork (the HTTP/3 over QUIC library). The latter allows a custom curl with HTTP/3 QUIC support.

    Packages are currently built for CentOS 7 (EL7), and I would have to do the same for AlmaLinux/RockyLinux 9 (EL9) to enable EL9 to support PHP versions 7.4 and 8.0, as they don't support EL9's default OpenSSL 3.0. Only PHP 8.1 supports EL9's OpenSSL 3.0 system defaults.
    Code (Text):
    rpm -qa centmin-* | sort
    centmin-curl-compat-7.85.0-1.el7.x86_64
    centmin-curl-http3-compat-7.86.0-1.el7.x86_64
    centmin-libbrotli-compat-1.0.9-1.el7.x86_64
    centmin-libbrotli-quic-compat-1.0.9-1.el7.x86_64
    centmin-libicu-compat-71.1-1.el7.x86_64
    centmin-libicu-quic-compat-71.1-1.el7.x86_64
    centmin-libpsl-compat-0.21.1-1.el7.x86_64
    centmin-libpsl-quic-compat-0.21.1-1.el7.x86_64
    centmin-libssh2-compat-1.10.0-1.el7.x86_64
    centmin-libssh2-quic-compat-1.10.0-1.el7.x86_64
    centmin-nghttp3-compat-0.80-1.el7.x86_64
    centmin-ngtcp2-compat-0.9.0-1.el7.x86_64
    centmin-openssl11-compat-1.1.1q-1.el7.x86_64
    centmin-openssl11-quic-compat-1.1.1q-1.el7.x86_64
    centmin-pcre-compat-8.45-1.el7.x86_64
    centmin-pcre-quic-compat-8.45-1.el7.x86_64
    centmin-uw-imap-compat-2007f-1.el7.x86_64
    centmin-uw-imap-quic-compat-2007f-1.el7.x86_64
    centmin-zstd-compat-1.5.2-1.el7.x86_64
    centmin-zstd-quic-compat-1.5.2-1.el7.x86_64
    

    Plain curl custom RPM:
    Code (Text):
    /opt/el-compat/bin/curl -V
    curl 7.85.0 (x86_64-unknown-linux-gnu) libcurl/7.85.0 OpenSSL/1.1.1q zlib/1.2.7 brotli/1.0.9 zstd/1.5.2 libpsl/0.21.1 (+libicu/71.1) libssh2/1.10.0 nghttp2/1.33.0
    Release-Date: 2022-08-31
    Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
    

    curl with HTTP/3 support:
    Code (Text):
    /opt/el-compat-quic/bin/curl -V
    curl 7.86.0-DEV (x86_64-unknown-linux-gnu) libcurl/7.86.0-DEV OpenSSL/1.1.1q zlib/1.2.7 brotli/1.0.9 zstd/1.5.2 libpsl/0.21.1 (+libicu/71.1) libssh2/1.10.0 nghttp2/1.33.0 ngtcp2/0.9.0-DEV nghttp3/0.8.0-DEV
    Release-Date: [unreleased]
    Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
    

    Example curl HTTP/3 header check against quic.nginx.org, the HTTP/3 (QUIC over UDP) demo site for Nginx's nginx-quic build:
    Code (Text):
    /opt/el-compat-quic/bin/curl -Iv --http3 https://quic.nginx.org
    *   Trying 35.214.218.230:443...
    * Connect socket 5 over QUIC to 35.214.218.230:443
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: none
    *  subjectAltName: host "quic.nginx.org" matched cert's "quic.nginx.org"
    * Verified certificate just fine
    * Connected to quic.nginx.org (35.214.218.230) port 443 (#0)
    * h2h3 [:method: HEAD]
    * h2h3 [:path: /]
    * h2h3 [:scheme: https]
    * h2h3 [:authority: quic.nginx.org]
    * h2h3 [user-agent: curl/7.86.0-DEV]
    * h2h3 [accept: */*]
    * Using HTTP/3 Stream ID: 0 (easy handle 0xa6ee20)
    > HEAD / HTTP/3
    > Host: quic.nginx.org
    > user-agent: curl/7.86.0-DEV
    > accept: */*
    >
    * ngh3_stream_recv returns 0 bytes and EAGAIN
    < HTTP/3 200
    HTTP/3 200
    < server: nginx/1.21.6
    server: nginx/1.21.6
    < date: Fri, 09 Sep 2022 14:26:19 GMT
    date: Fri, 09 Sep 2022 14:26:19 GMT
    < content-type: text/html
    content-type: text/html
    < content-length: 2944
    content-length: 2944
    < last-modified: Fri, 28 May 2021 10:56:05 GMT
    last-modified: Fri, 28 May 2021 10:56:05 GMT
    < etag: "60b0cc45-b80"
    etag: "60b0cc45-b80"
    < alt-svc: h3=":443"; ma=86400
    alt-svc: h3=":443"; ma=86400
    < x-quic: h3
    x-quic: h3
    < accept-ranges: bytes
    accept-ranges: bytes
    
    <
    * Connection #0 to host quic.nginx.org left intact
    

    PHP custom OpenSSL:
    Code (Text):
    php --ri openssl
    
    openssl
    
    OpenSSL support => enabled
    OpenSSL Library Version => OpenSSL 1.1.1q  5 Jul 2022
    OpenSSL Header Version => OpenSSL 1.1.1q  5 Jul 2022
    Openssl default config => /opt/el-compat/openssl.cnf
    
    Directive => Local Value => Master Value
    openssl.cafile => no value => no value
    openssl.capath => no value => no value
    

    PHP custom curl built against custom OpenSSL 1.1.1:
    Code (Text):
    php --ri curl
    
    curl
    
    cURL support => enabled
    cURL Information => 7.85.0
    Age => 9
    Features
    AsynchDNS => Yes
    CharConv => No
    Debug => No
    GSS-Negotiate => No
    IDN => No
    IPv6 => Yes
    krb4 => No
    Largefile => Yes
    libz => Yes
    NTLM => Yes
    NTLMWB => Yes
    SPNEGO => Yes
    SSL => Yes
    SSPI => No
    TLS-SRP => Yes
    HTTP2 => Yes
    GSSAPI => Yes
    KERBEROS5 => Yes
    UNIX_SOCKETS => Yes
    PSL => Yes
    HTTPS_PROXY => Yes
    MULTI_SSL => No
    BROTLI => Yes
    Protocols => dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
    Host => x86_64-unknown-linux-gnu
    SSL Version => OpenSSL/1.1.1q
    ZLib Version => 1.2.7
    libSSH Version => libssh2/1.10.0
    
    Directive => Local Value => Master Value
    curl.cainfo => /etc/ssl/certs/cacert.pem => /etc/ssl/certs/cacert.pem
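The two things a practitioner would want to check before trusting a custom-OpenSSL PHP on EL7 are the gating rule from the first post (PHP_CUSTOMSSL='y' only takes effect on CentOS 7 together with PHP_CUSTOMSSL_FORCE='y' in /etc/centminmod/custom_config.inc) and the linkage shown in the php --ri outputs above (the PHP openssl extension's header and library versions and libcurl's SSL version must all be the same OpenSSL, otherwise part of the stack is still on the system 1.0.2). The script below is an added example for this thread, not Centmin Mod's own code. Its function names, the temp-file layout and the sample inputs are its own assumptions: the "good" samples copy the outputs posted above, and the mismatched curl sample is constructed to show the failure mode. On a real box you would feed it the actual config file and `php --ri openssl` / `php --ri curl` output instead.

```shell
#!/bin/sh
# Added example for this thread, not Centmin Mod's own code. Two pre-flight
# checks for a custom-OpenSSL PHP on EL7:
#   1. does custom_config.inc actually enable PHP_CUSTOMSSL under the
#      130.00beta01 rule (EL7 needs PHP_CUSTOMSSL_FORCE='y' as well)?
#   2. do the PHP openssl extension (headers and runtime) and libcurl agree
#      on which OpenSSL they use?
# Function names, the temp-file layout and the sample inputs below are this
# example's assumptions; real inputs come from /etc/centminmod/custom_config.inc,
# `php --ri openssl` and `php --ri curl` (or /opt/el-compat/bin/curl -V).

# Read KEY='value' (or KEY="value" / KEY=value) from a shell-style config
# without sourcing it: sourcing would execute whatever the file contains.
# Prints the last matching assignment's value, or nothing if absent/commented.
cfg_get() { # $1 = config file, $2 = key
  sed -n "s/^[[:space:]]*$2=['\"]*\([^'\"]*\)['\"]*.*/\1/p" "$1" | tail -n 1
}

# Rule from the first post: on EL7, PHP_CUSTOMSSL='y' only takes effect when
# PHP_CUSTOMSSL_FORCE='y' is also set. Prints y or n.
php_customssl_effective() { # $1 = config file, $2 = EL major version
  customssl=$(cfg_get "$1" PHP_CUSTOMSSL)
  force=$(cfg_get "$1" PHP_CUSTOMSSL_FORCE)
  if [ "$customssl" != "y" ]; then
    echo n
  elif [ "$2" = "7" ] && [ "$force" != "y" ]; then
    echo n
  else
    echo y
  fi
}

# Version string (e.g. 1.1.1q) from the "OpenSSL <Field> Version" line of
# `php --ri openssl` on stdin; $1 is Library (runtime) or Header (compile time).
php_ri_openssl_version() {
  sed -n "s/^OpenSSL $1 Version => OpenSSL \([^ ]*\).*/\1/p" | head -n 1
}

# Version string after "OpenSSL/" in `curl -V` or `php --ri curl` output on stdin.
curl_openssl_version() {
  sed -n 's/.*OpenSSL\/\([0-9][^ ]*\).*/\1/p' | head -n 1
}

# The check that matters on a half-converted EL7 box: headers from
# /opt/el-compat but runtime library from the system 1.0.2 (or the reverse),
# or libcurl still on the system OpenSSL. Returns 0 only if all three agree.
check_openssl_consistency() { # $1 = php --ri openssl file, $2 = php --ri curl file
  hdr=$(php_ri_openssl_version Header < "$1")
  lib=$(php_ri_openssl_version Library < "$1")
  crl=$(curl_openssl_version < "$2")
  if [ -z "$hdr" ] || [ -z "$lib" ] || [ -z "$crl" ]; then
    echo "ERROR: could not parse versions (header=$hdr runtime=$lib libcurl=$crl)"
    return 2
  fi
  if [ "$hdr" = "$lib" ] && [ "$lib" = "$crl" ]; then
    echo "OK: PHP headers, PHP runtime and libcurl all use OpenSSL $lib"
    return 0
  fi
  echo "MISMATCH: PHP headers=$hdr runtime=$lib libcurl=$crl"
  return 1
}

# --- constructed sample inputs: the "good" ones copy the thread's outputs,
# the mismatched curl output is invented to show the failure mode ---
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
CFG_NOFORCE="$TMPD/noforce.inc"; CFG_FORCE="$TMPD/force.inc"
RI_OPENSSL="$TMPD/ri_openssl.txt"; RI_CURL="$TMPD/ri_curl.txt"; RI_CURL_BAD="$TMPD/ri_curl_bad.txt"
printf "PHP_CUSTOMSSL='y'\n#PHP_CUSTOMSSL_FORCE='y'\n" > "$CFG_NOFORCE"
printf "PHP_CUSTOMSSL='y'\nPHP_CUSTOMSSL_FORCE='y'\n" > "$CFG_FORCE"
cat > "$RI_OPENSSL" <<'EOF'
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.1.1q  5 Jul 2022
OpenSSL Header Version => OpenSSL 1.1.1q  5 Jul 2022
EOF
printf 'cURL Information => 7.85.0\nSSL Version => OpenSSL/1.1.1q\n' > "$RI_CURL"
printf 'cURL Information => 7.29.0\nSSL Version => OpenSSL/1.0.2k-fips\n' > "$RI_CURL_BAD"

# Stand-alone run: report on the samples
echo "EL7 effective PHP_CUSTOMSSL without FORCE: $(php_customssl_effective "$CFG_NOFORCE" 7)"
echo "EL7 effective PHP_CUSTOMSSL with FORCE:    $(php_customssl_effective "$CFG_FORCE" 7)"
check_openssl_consistency "$RI_OPENSSL" "$RI_CURL" || true
check_openssl_consistency "$RI_OPENSSL" "$RI_CURL_BAD" || true
```

The config is parsed with sed rather than sourced on purpose: custom_config.inc is a shell file, and sourcing it in a check script runs whatever else it contains. The consistency check compares three values, not two, because a PHP whose header and library versions match can still hand HTTPS requests to a libcurl linked against the system OpenSSL 1.0.2, which is exactly the dependency chain the second post describes having to rebuild.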