Re: [PHP-DEV] configure bug with static openssl 1.1.1? - bugid 77288

  107529
October 13, 2019 20:50 phpdev@ehrhardt.nl (Jan Ehrhardt)
"Helmut K. C. Tessarek" in php.internals (Thu, 7 Feb 2019 13:39:11
+0100):
>On 2018-12-13 17:52, Rainer Jung wrote:
>> I might be wrong, but I vaguely remember that PHP does not call
>> "pkg-config --static --libs openssl" with a correctly setup
>> PKG_CONFIG_PATH to get the libs needed for static compilation.
>> Typically OpenSSL installs correct pc files that contain pthread as such
>> a dependency. Without asking pkg-config some fixed decision logic would
>> need to find all the needed libs.
>
>I'd like to follow up on bug https://bugs.php.net/bug.php?id=77288
>
>It's not stated in the documentation anywhere that a static openssl is
>not supported.
>It's ok, if devs don't have the time to look into it right away, but
>I've opened this bug 2 months ago, and it would be nice, if someone
>could at least acknowledge the bug and/or give some sort of a feedback.
>
>If PHP does not support static openssl, please change the documentation
>accordingly.
>
>However, it's working with openssl 1.0.2, so I must assume that there's
>a bug somewhere otherwise it would work with openssl 1.1.1 as well.

Did you ever find a solution to compile PHP with a static OpenSSL 1.1.1?
--
Jan
  107530
October 13, 2019 20:59 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-13 16:50, Jan Ehrhardt wrote:
> Did you ever find a solution to compile PHP with a static OpenSSL 1.1.1?

Unfortunately not. I really hoped that someone would look into it, but I
guess security is not that important.

--
regards Helmut K. C. Tessarek              KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/
  107531
October 13, 2019 21:00 nikita.ppv@gmail.com (Nikita Popov)
On Sun, Oct 13, 2019 at 10:51 PM Jan Ehrhardt <phpdev@ehrhardt.nl> wrote:

> "Helmut K. C. Tessarek" in php.internals (Thu, 7 Feb 2019 13:39:11
> +0100):
> >On 2018-12-13 17:52, Rainer Jung wrote:
> >> I might be wrong, but I vaguely remember that PHP does not call
> >> "pkg-config --static --libs openssl" with a correctly setup
> >> PKG_CONFIG_PATH to get the libs needed for static compilation.
> >> Typically OpenSSL installs correct pc files that contain pthread as such
> >> a dependency. Without asking pkg-config some fixed decision logic would
> >> need to find all the needed libs.
> >
> >I'd like to follow up on bug https://bugs.php.net/bug.php?id=77288
> >
> >It's not stated in the documentation anywhere that a static openssl is
> >not supported.
> >It's ok, if devs don't have the time to look into it right away, but
> >I've opened this bug 2 months ago, and it would be nice, if someone
> >could at least acknowledge the bug and/or give some sort of a feedback.
> >
> >If PHP does not support static openssl, please change the documentation
> >accordingly.
> >
> >However, it's working with openssl 1.0.2, so I must assume that there's
> >a bug somewhere otherwise it would work with openssl 1.1.1 as well.
>
> Did you ever find a solution to compile PHP with a static OpenSSL 1.1.1?
> --
> Jan
>

Don't know about previous versions, but at least on 7.4 setting
OPENSSL_CFLAGS and OPENSSL_LIBS appropriately (e.g. using pkg-config
--static --cflags/--libs return values) should work. These environment
variables allow you to bypass normal pkg-config checks, which are generally
going to be non-static.

Nikita
  107532
October 13, 2019 21:04 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-13 17:00, Nikita Popov wrote:
> Don't know about previous versions, but at least on 7.4 setting
> OPENSSL_CFLAGS and OPENSSL_LIBS appropriately (e.g. using pkg-config
> --static --cflags/--libs return values) should work. These environment
> variables allow you to bypass normal pkg-config checks, which are generally
> going to be non-static.

I've tried pretty much anything, so if you have flags and env vars that work,
please post them here.
  107537
October 14, 2019 08:12 rainer.jung@kippdata.de (Rainer Jung)
On 13.10.2019 at 23:04, Helmut K. C. Tessarek wrote:
> On 2019-10-13 17:00, Nikita Popov wrote:
>> Don't know about previous versions, but at least on 7.4 setting
>> OPENSSL_CFLAGS and OPENSSL_LIBS appropriately (e.g. using pkg-config
>> --static --cflags/--libs return values) should work. These environment
>> variables allow you to bypass normal pkg-config checks, which are generally
>> going to be non-static.
>
> I've tried pretty much anything, so if you have flags and env vars that work,
> please post them here.

I think what he means is doing:

% export PKG_CONFIG_PATH=/path/to/my/openssl111/pkgconfig

where that directory should contain the pc files from your OpenSSL 1.1.1
installation.

Then (example, your results may vary):

% pkg-config --cflags openssl

-I/path/to/my/openssl111/include

So you would set

export OPENSSL_CFLAGS=-I/path/to/my/openssl111/include

and then

% pkg-config --libs --static openssl

-L/path/to/my/openssl111/lib -lssl -lcrypto -ldl -pthread

so you would set

export OPENSSL_LIBS="-L/path/to/my/openssl111/lib -lssl -lcrypto -ldl -pthread"

You might try with the values you get back from the above pkg-config
command on your system.

If it doesn't work, it would be helpful, if you could then post again
your config.log so we can understand the remaining problems.

Regards,

Rainer
  107538
October 14, 2019 08:14 rainer.jung@kippdata.de (Rainer Jung)
On 14.10.2019 at 10:12, Rainer Jung wrote:
> On 13.10.2019 at 23:04, Helmut K. C. Tessarek wrote:
>> On 2019-10-13 17:00, Nikita Popov wrote:
>>> Don't know about previous versions, but at least on 7.4 setting
>>> OPENSSL_CFLAGS and OPENSSL_LIBS appropriately (e.g. using pkg-config
>>> --static --cflags/--libs return values) should work. These environment
>>> variables allow you to bypass normal pkg-config checks, which are
>>> generally
>>> going to be non-static.
>>
>> I've tried pretty much anything, so if you have flags and env vars
>> that work,
>> please post them here.
>
> I think what he means is doing:
>
> % export PKG_CONFIG_PATH=/path/to/my/openssl111/pkgconfig
>
> where that directory should contain the pc files from your OpenSSL 1.1.1
> installation.
>
> Then (example, your results may vary):
>
> % pkg-config --cflags openssl
>
> -I/path/to/my/openssl111/include
>
> So you would set
>
> export OPENSSL_CFLAGS=-I/path/to/my/openssl111/include
>
> and then
>
> % pkg-config --libs --static openssl
>
> -L/path/to/my/openssl111/lib -lssl -lcrypto -ldl -pthread
>
> so you would set
>
> export OPENSSL_LIBS="-L/path/to/my/openssl111/lib -lssl -lcrypto -ldl
> -pthread"
>
> You might try with the values you get back from the above pkg-config
> command on your system.
>
> If it doesn't work, it would be helpful, if you could then post again
> your config.log so we can understand the remaining problems.

Addition to self: plus temporarily rename libssl.so and libcrypto.so
during the PHP build, e.g. adding a trailing underscore. The versioned
*.so.* files can stay in place, just not *.so.

Regards,

Rainer
  107540
October 14, 2019 09:06 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
Hello,

On 2019-10-14 04:12, Rainer Jung wrote:
> I think what he means is doing:

Yep, I remember I had tried that as well, but I just went through it again to
get the info you requested:

export PKG_CONFIG_PATH=/usr/local/ssl-1.1.1/lib/pkgconfig
export OPENSSL_CFLAGS="-I/usr/local/ssl-1.1.1/include"
export OPENSSL_LIBS="-L/usr/local/ssl-1.1.1/lib -lssl -lcrypto -ldl -pthread"

> If it doesn't work, it would be helpful, if you could then post again your
> config.log so we can understand the remaining problems.

https://evermeet.cx/pub/logs/config.php72.log

Cheers,
  K. C.
  107544
October 14, 2019 11:01 rainer.jung@kippdata.de (Rainer Jung)
On 14.10.2019 at 11:06, Helmut K. C. Tessarek wrote:
> Hello,
>
> On 2019-10-14 04:12, Rainer Jung wrote:
>> I think what he means is doing:
>
> Yep, I remember I had tried that as well, but I just went through it again to
> get the info you requested:
>
> export PKG_CONFIG_PATH=/usr/local/ssl-1.1.1/lib/pkgconfig
> export OPENSSL_CFLAGS="-I/usr/local/ssl-1.1.1/include"
> export OPENSSL_LIBS="-L/usr/local/ssl-1.1.1/lib -lssl -lcrypto -ldl -pthread"
>
>> If it doesn't work, it would be helpful, if you could then post again your
>> config.log so we can understand the remaining problems.
>
> https://evermeet.cx/pub/logs/config.php72.log

Thanks, the relevant lines are:

configure:18782: cc -o conftest -I/usr/local/include -fvisibility=hidden -Wl,-rpath,/usr/local/ssl-1.1.1/lib -L/usr/local/ssl-1.1.1/lib -L/usr/local/lib conftest.c -lcrypto -lrt -lm -ldl -lnsl -lgpg-error -lsystemd-daemon -lxml2 -lz -lm -ldl >&5
configure:18782: $? = 0
configure:18791: result: yes
configure:18934: checking for SSL_CTX_set_ssl_version in -lssl
configure:18959: cc -o conftest -I/usr/local/include -fvisibility=hidden -Wl,-rpath,/usr/local/ssl-1.1.1/lib -L/usr/local/ssl-1.1.1/lib -L/usr/local/lib conftest.c -lssl -lcrypto -lrt -lm -ldl -lnsl -lgpg-error -lsystemd-daemon -lxml2 -lz -lm -ldl -lcrypto >&5
/bin/ld: /usr/local/ssl-1.1.1/lib/libcrypto.a(threads_pthread.o): undefined reference to symbol 'pthread_rwlock_wrlock@@GLIBC_2.2.5'
/bin/ld: note: 'pthread_rwlock_wrlock@@GLIBC_2.2.5' is defined in DSO /lib64/libpthread.so.0 so try adding it to the linker command line
/lib64/libpthread.so.0: could not read symbols: Invalid operation
collect2: error: ld returned 1 exit status
configure:18959: $? = 1
configure: failed program was:

So although "-pthread" is part of OPENSSL_LIBS, it doesn't get used
during configure (which uses hard-coded
'LIBS=" -lssl -lcrypto `$PKG_CONFIG --libs openssl` $LIBS"' in this
check). So a chicken or egg problem.

Could you do yet another test? First manipulate the configure script
with the following two commands:

cp -p configure configure.saved

# the following is one long line
sed -e 's#PKG_CONFIG --libs openssl#PKG_CONFIG --libs --static openssl#g' configure.saved > configure

and then redo the whole build including running configure. If that works
fine, it might be possible to add a configure flag for static OpenSSL
linking.

Thanks and regards,

Rainer
  107622
October 22, 2019 03:28 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-14 07:01, Rainer Jung wrote:
> Could you do yet another test? First manipulate the configure script with the
> following two commands:
>
> cp -p configure configure.saved
>
> # the following is one long line
>
> sed -e 's#PKG_CONFIG --libs openssl#PKG_CONFIG --libs --static openssl#g'
> configure.saved > configure
>
>
> and then redo the whole build including running configure. If that works fine,
> it might be possible to add a configure flag for static OpenSSL linking.

Sorry that it took so long.

Nope, this didn't help either. here's the log:
https://evermeet.cx/pub/logs/config.php72.1.log

Cheers,
  K. C.
  107624
October 22, 2019 06:32 rainer.jung@kippdata.de (Rainer Jung)
On 22.10.2019 at 05:28, Helmut K. C. Tessarek wrote:
> On 2019-10-14 07:01, Rainer Jung wrote:
>> Could you do yet another test? First manipulate the configure script with the
>> following two commands:
>>
>> cp -p configure configure.saved
>>
>> # the following is one long line
>>
>> sed -e 's#PKG_CONFIG --libs openssl#PKG_CONFIG --libs --static openssl#g'
>> configure.saved > configure
>>
>>
>> and then redo the whole build including running configure. If that works fine,
>> it might be possible to add a configure flag for static OpenSSL linking.
>
> Sorry that it took so long.
>
> Nope, this didn't help either. here's the log:
> https://evermeet.cx/pub/logs/config.php72.1.log

I am sorry, error on my side. I forgot I had already adjusted configure
myself, so the above sed wouldn't change anything in the original file
(you can also diff the original and the new file to see the outcome of
the sed command yourself).

If you are willing for another round:

# The next line only if configure.saved
# no longer exists from the previous try
cp -p configure configure.saved

# The sed command here is three lines,
# the first two of them continued by a
# backslash at the end of line
sed -e 's/\(LIBS=.*\)-lssl \(.*\)/\1 -lssl -lcrypto \2/' \
    -e 's/\(LIBS=.*-lssl *-lcrypto\)\(.*\)/\1 `$PKG_CONFIG --libs --static openssl` \2/' \
    configure.saved > configure

If it doesn't work, then please again give us the config.log plus the
"diff configure.saved configure".

Regards,

Rainer
  107625
October 22, 2019 07:18 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-22 02:32, Rainer Jung wrote:
> If you are willing for another round:
>
> # The next line only if configure.saved
> # no longer exists from the previous try
> cp -p configure configure.saved
>
> # The sed command here is three lines,
> # the first two of them continued by a
> # backslash at the end of line
> sed -e 's/\(LIBS=.*\)-lssl \(.*\)/\1 -lssl -lcrypto \2/' \
>     -e 's/\(LIBS=.*-lssl  *-lcrypto\)\(.*\)/\1 `$PKG_CONFIG --libs --static
> openssl` \2/' \
>     configure.saved > configure
>
> If it doesn't work, then please again give us the config.log plus the "diff
> configure.saved configure".

It didn't work, but it can't work this way:

LIBS=" -lssl -lcrypto `$PKG_CONFIG --libs --static openssl` $LIBS"

This will find the system openssl and not my openssl 1.1.1.

But if I set

export PKG_CONFIG_PATH=/usr/local/ssl-1.1.1/lib/pkgconfig

then other libraries are not found. I seriously don't understand why linking
to 2 files in /usr/local/ssl-1.1.1/lib is so complicated. Apache httpd can do
it. dovecot can do it. Every other software package I compile can do it. PHP
is the only one that fails.

Once again, it does work with my other (non-system static openssl 1.0.2). I
never link against the system openssl (my server has an uptime of more than
5 years), but unfortunately I can't remove it either.

So if I change the path from /usr/local/ssl-1.1.1 to /usr/local/ssl (which
holds my static 1.0.2 non-system openssl) all works well.

Anyway, here are the 2 files you requested:

https://evermeet.cx/pub/logs/config.php72.2.log
https://evermeet.cx/pub/logs/diff.2.patch

I'm heading to bed now. Thanks for all your help so far.

Cheers,
  K. C.
  107633
October 23, 2019 02:33 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
Eureka!

After a few more hours of trial and error I managed to get it working.

However, the `-lpthread` in OPENSSL_LIBS is ignored. I checked the config.log,
but it wasn't added to the linker command. But adding it to LIBS solved the
issue.

This is the command that finally worked:

./configure [snip] --with-openssl=/usr/local/ssl-1.1.1 [snip]
CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib LIBS="-lpthread"
OPENSSL_LIBS="-L/usr/local/ssl-1.1.1/lib -l:libssl.a -l:libcrypto.a -ldl
-lpthread" OPENSSL_CFLAGS="-I/usr/local/ssl-1.1.1/include"

I will also update the bug, so that people have this info on file as a reference.

Cheers,
  K. C.

  107634
October 23, 2019 04:03 phpdev@ehrhardt.nl (Jan Ehrhardt)
"Helmut K. C. Tessarek" in php.internals (Tue, 22 Oct 2019 22:33:39 -0400):
>Eureka!
>
>After a few more hours of trial and error I managed to get it working.
>
>However, the `-lpthread` in OPENSSL_LIBS is ignored. I checked the config.log,
> but it wasn't added to the linker command. But adding it to LIBS solved the
>issue.
>
>This is the command that finally worked:
>
>./configure [snip] --with-openssl=/usr/local/ssl-1.1.1 [snip]
>CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib LIBS="-lpthread"
>OPENSSL_LIBS="-L/usr/local/ssl-1.1.1/lib -l:libssl.a -l:libcrypto.a -ldl
>-lpthread" OPENSSL_CFLAGS="-I/usr/local/ssl-1.1.1/include"

That is more or less the same answer I posted 13 hours earlier
https://news-web.php.net/php.internals/107628

Too bad it did not seem to have reached the mailinglist and/or
https://externals.io/message/103582

Frustrating that https://news-web.php.net/php.internals is not in sync
with the mailinglist and/or https://externals.io/

BTW: should not that be '-pthread' in stead of '-lpthread'? It was
stripped from OPENSSL_LIBS as found by Nikita:
https://news-web.php.net/php.internals/107543
--
Jan
  107635
October 23, 2019 04:17 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-23 00:03, Jan Ehrhardt wrote:
> That is more or less the same answer I posted 13 hours earlier
> https://news-web.php.net/php.internals/107628

Darn, that would have saved me a lot of time... ;-)

> BTW: should not that be '-pthread' in stead of '-lpthread'? It was
> stripped from OPENSSL_LIBS as found by Nikita:
> https://news-web.php.net/php.internals/107543

Yep, I tried that too. But it didn't work. At least not on 7.2.

Cheers,
  K. C.
  107636
October 23, 2019 04:28 phpdev@ehrhardt.nl (Jan Ehrhardt)
On 2019-10-23 06:17, Helmut K. C. Tessarek wrote:
> On 2019-10-23 00:03, Jan Ehrhardt wrote:
>
>> That is more or less the same answer I posted 13 hours earlier
>> https://news-web.php.net/php.internals/107628
>
> Darn, that would have saved me a lot of time... ;-)

Yes. Really bad that nntp://news.php.net, https://external.io and the
mailing list are not in sync anymore. First time I experienced that.

>> BTW: should not that be '-pthread' in stead of '-lpthread'? It was
>> stripped from OPENSSL_LIBS as found by Nikita:
>> https://news-web.php.net/php.internals/107543
>
> Yep, I tried that too. But it didn't work. At least not on 7.2.

It worked in my PHP 7.2 when I added '-pthread' to CFLAGS:
https://news-web.php.net/php.internals/107632
--
Jan
  107637
October 23, 2019 04:36 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-23 00:28, Jan Ehrhardt wrote:
> It worked in my PHP 7.2 when I added '-pthread' to CFLAGS:
> https://news-web.php.net/php.internals/107632

Hmm, CFLAGS shouldn't be used for linker flags. It should be added to LDFLAGS.
In either case, it's possible that it works with those, but I was talking
about OPENSSL_LIBS, which was suggested by Nikita and Rainer.

Anyway, I'm very happy that it works now.

Cheers,
  K. C.
  107638
October 23, 2019 05:01 phpdev@ehrhardt.nl (Jan Ehrhardt)
On 2019-10-23 06:36, Helmut K. C. Tessarek wrote:
> On 2019-10-23 00:28, Jan Ehrhardt wrote:
>
>> It worked in my PHP 7.2 when I added '-pthread' to CFLAGS:
>> https://news-web.php.net/php.internals/107632
>
> Hmm, CFLAGS shouldn't be used for linker flags. It should be added to
> LDFLAGS.
> In either case, it's possible that it works with those, but I was
> talking
> about OPENSSL_LIBS, which was suggested by Nikita and Rainer.

I was just following Nikita's example by using '-pthread' in CFLAGS:
https://news-web.php.net/php.internals/107632
--
Jan
  107639
October 23, 2019 05:16 phpdev@ehrhardt.nl (Jan Ehrhardt)
On 2019-10-23 07:01, Jan Ehrhardt wrote:
> On 2019-10-23 06:36, Helmut K. C. Tessarek wrote:
>> On 2019-10-23 00:28, Jan Ehrhardt wrote:
>>
>>> It worked in my PHP 7.2 when I added '-pthread' to CFLAGS:
>>> https://news-web.php.net/php.internals/107632
>>
>> Hmm, CFLAGS shouldn't be used for linker flags. It should be added to
>> LDFLAGS.
>> In either case, it's possible that it works with those, but I was
>> talking
>> about OPENSSL_LIBS, which was suggested by Nikita and Rainer.
>
> I was just following Nikita's example by using '-pthread' in CFLAGS:
> https://news-web.php.net/php.internals/107632

Correct reference should be
https://news-web.php.net/php.internals/107541

It gets confusing when one is following internals via various
interfaces.
--
Jan
  107704
October 26, 2019 12:20 phpdev@ehrhardt.nl (Jan Ehrhardt)
"Helmut K. C. Tessarek" in php.internals (Tue, 22 Oct 2019 22:33:39
-0400):
>After a few more hours of trial and error I managed to get it working.
>
>However, the `-lpthread` in OPENSSL_LIBS is ignored. I checked the config.log,
> but it wasn't added to the linker command. But adding it to LIBS solved the
>issue.
>
>This is the command that finally worked:
>
>./configure [snip] --with-openssl=/usr/local/ssl-1.1.1 [snip]
>CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib LIBS="-lpthread"
>OPENSSL_LIBS="-L/usr/local/ssl-1.1.1/lib -l:libssl.a -l:libcrypto.a -ldl
>-lpthread" OPENSSL_CFLAGS="-I/usr/local/ssl-1.1.1/include"
>
>I will also update the bug, so that people have this info on file as a reference.

In my implementation I ran into a serious problem. PHPMailer stopped
sending mails to a remote smtp server over port 587. After really a lot
of debugging I found out that stream_socket_enable_crypto failed:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1
OpenSSL Error messages: error:1416F086:SSL routines:
tls_process_server_certificate:certificate verify failed

I wrote an example program to illustrate this:
https://gist.github.com/Jan-E/7f0055624b82c39dee6ae5b712f2c97a

Fill in a smtp-server of your choice (like smtp.gmail.com) and run it.
It is non optimized for speed, so it might take 2 minutes before the
results show. @Helmut and @Nikita: could you test this and share your
results here?

I had to revert back to PHP versions, compiled with the system OpenSSL
libs.
--
Jan
  107705
October 26, 2019 19:49 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-26 08:20, Jan Ehrhardt wrote:
> Fill in a smtp-server of your choice (like smtp.gmail.com) and run it.
> It is non optimized for speed, so it might take 2 minutes before the
> results show. @Helmut and @Nikita: could you test this and share your
> results here?

I ran it on the command line and this was the result:

$ php secure_stream_test.php
64.233.167.108:587 connected
220 smtp.gmail.com ESMTP e12sm6843183wrs.49 - gsmtp

Send EHLO smtp.gmail.com
250-smtp.gmail.com at your service, [MYIPHERE]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

Send STARTTLS
220 2.0.0 Ready to start TLS

Turn on encryption for login phase: stream_socket_enable_crypto

64.233.167.108:587: stream_socket_enable_crypto returned true

Send EHLO smtp.gmail.com

250-smtp.gmail.com at your service, [MYIPHERE]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

QUIT & close

Cheers,
  K. C.

  107708
October 27, 2019 18:50 phpdev@ehrhardt.nl (Jan Ehrhardt)
Helmut K. C. Tessarek in gmane.comp.php.devel (Sat, 26 Oct 2019 15:49:30 -0400):
>On 2019-10-26 08:20, Jan Ehrhardt wrote:
>> Fill in a smtp-server of your choice (like smtp.gmail.com) and run it.
>> It is non optimized for speed, so it might take 2 minutes before the
>> results show. @Helmut and @Nikita: could you test this and share your
>> results here?
>
>I ran it on the command line and this was the result:
[snip]
>Turn on encryption for login phase: stream_socket_enable_crypto
>64.233.167.108:587: stream_socket_enable_crypto returned true

For me it still fails, also on the command line. OpenSSL 1.1.1d builds
with 1 subtest failing: test/recipes/20-test_enc.t. A known issue.
OpenSSL 1.1.1c builds with no errors, so to be sure I recompiled
everything with 1.1.1c.

Can you give me your exact configure line? For instance: did your build
include nghttp2? Mine did. This is the output of ldd:

ldd /usr/local/php72/bin/php
linux-vdso.so.1 => (0x00007ffcf6fb8000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f67e0e81000)
libz.so.1 => /usr/local/lib/libz.so.1 (0x00007f67e0c65000)
libexslt.so.0 => /usr/local/lib/libexslt.so.0 (0x00007f67e0a50000)
liblzma.so.0 => /usr/lib64/liblzma.so.0 (0x00007f67e082f000)
librt.so.1 => /lib64/librt.so.1 (0x00007f67e0627000)
libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007f67e03b2000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f67e01ae000)
libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007f67dffaa000)
libm.so.6 => /lib64/libm.so.6 (0x00007f67dfd26000)
libsodium.so.23 => /usr/local/lib/libsodium.so.23 (0x00007f67dfad5000)
libstdc++.so.6 => /usr/local/lib/../lib64/libstdc++.so.6 (0x00007f67df73e000)
libjpeg.so.9 => /usr/local/lib/libjpeg.so.9 (0x00007f67df504000)
libwebp.so.7 => /usr/local/lib/libwebp.so.7 (0x00007f67df296000)
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x00007f67df029000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f67dee10000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f67debcc000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f67de8e5000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f67de6b9000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f67de4b5000)
libcurl.so.4 => /usr/local/ssl-1.1.1/lib/libcurl.so.4 (0x00007f67ddf4b000)
libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0x00007f67ddd25000)
librtmp.so.0 => /usr/lib64/librtmp.so.0 (0x00007f67ddb0d000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f67dd8f0000)
libfreetype.so.6 => /usr/local/lib/libfreetype.so.6 (0x00007f67dd649000)
libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f67dd438000)
libpng16.so.16 => /usr/local/lib/libpng16.so.16 (0x00007f67dd206000)
libicui18n.so.58 => /usr/local/icu/lib/libicui18n.so.58 (0x00007f67dcd8e000)
libicuuc.so.58 => /usr/local/icu/lib/libicuuc.so.58 (0x00007f67dc9e4000)
libicudata.so.58 => /usr/local/icu/lib/libicudata.so.58 (0x00007f67daee4000)
libicuio.so.58 => /usr/local/icu/lib/libicuio.so.58 (0x00007f67dacd7000)
libxslt.so.1 => /usr/local/lib/libxslt.so.1 (0x00007f67daa98000)
libxml2.so.2 => /usr/local/lib/libxml2.so.2 (0x00007f67da735000)
libiconv.so.2 => /usr/local/lib/libiconv.so.2 (0x00007f67da43a000)
libgcc_s.so.1 => /usr/local/lib/../lib64/libgcc_s.so.1 (0x00007f67da224000)
libc.so.6 => /lib64/libc.so.6 (0x00007f67d9e90000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f67d9c76000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007f67d9a73000)
/lib64/ld-linux-x86-64.so.2 (0x00007f67e10b8000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f67d9868000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f67d9665000)
libgnutls.so.26 => /usr/lib64/libgnutls.so.26 (0x00007f67d93b5000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f67d9196000)
libtasn1.so.3 => /usr/lib64/libtasn1.so.3 (0x00007f67d8f86000)

Curl was included as shared:

perl -pi -e 's|CURL_CHECK_PKGCONFIG\(zlib\)|#CURL_CHECK_PKGCONFIG(zlib)|g' configure.ac
LIBS="-ldl" ./configure --prefix=/usr/local/ssl-1.1.1 --with-nghttp2=/usr/local --with-ssl=/usr/local/ssl-1.1.1

But I once also tested a curl build with --disable-shared.
--
Jan
  107709
October 27, 2019 20:19 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-27 14:50, Jan Ehrhardt wrote:
> For me it still fails, also on the command line. OpenSSL 1.1.1d builds > with 1 subtest failing: test/recipes/20-test_enc.t. A known issue.
Nope, no errors on my system, otherwise my openssl install would have fai= led when doing: make && make test && make install Just run the openssl tests again: =2E./test/recipes/20-test_enc.t ...................... ok
> Can you give me your exact configure line? For instance: did your build=
> include nghttp2? Mine did. This is the output of ldd:
No nghttpd2. Here's my configure line: =2E/configure --prefix=3D/usr/local/php72 --with-config-file-path=3D/etc/= php72 --enable-fpm --with-fpm-user=3Dnobody --with-fpm-group=3Dnobody --with-fp= m-systemd --with-IBM_DB2=3D/home/db2inst1/sqllib --with-pdo-ibm=3D/home/db2inst1/sq= llib --disable-ipv6 --with-pic --with-readline --enable-bcmath --enable-exif --enable-ftp --enable-sockets --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx --enable-shmop --enable-calendar --with-ge= ttext --with-zlib --with-zlib-dir=3D/usr/lib --with-imap --with-openssl=3D/usr/local/ssl-1.1.1 --with-gd --with-freetype-dir=3D/us= r/lib --with-jpeg-dir=3D/usr/lib --with-png-dir=3D/usr/lib --with-curl --with-x= mlrpc --with-pdflib=3D/usr/local/pdflib --with-bz2 --enable-mbstring --enable-z= ip --with-hkct=3D/usr/local/bin --with-mysqli --with-pdo-mysql --with-mysql-sock=3D/data/mysql/mysql.sock --enable-mysqlnd --with-gnupg --enable-pcntl --enable-intl CFLAGS=3D-I/usr/local/include LDFLAGS=3D-L/usr/local/lib LIBS=3D"-lgpg-error -lpthread" OPENSSL_LIBS=3D"-L/usr/local/ssl-1.1.1/lib -l:libssl.a -l:libcrypto.a -ld= l -lpthread" OPENSSL_CFLAGS=3D"-I/usr/local/ssl-1.1.1/include"
> ldd /usr/local/php72/bin/php
Mine is:

linux-vdso.so.1 => (0x00007fffed992000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000003846600000)
libz.so.1 => /lib64/libz.so.1 (0x00000036d3200000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00000036d4a00000)
libreadline.so.6 => /lib64/libreadline.so.6 (0x00000036d4e00000)
libncurses.so.5 => /lib64/libncurses.so.5 (0x00000036dd600000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036d8200000)
librt.so.1 => /lib64/librt.so.1 (0x00000036d4200000)
libpdf.so.6 => /usr/local/pdflib/lib/libpdf.so.6 (0x00007f7fee97d000)
libm.so.6 => /lib64/libm.so.6 (0x00000036d2e00000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00000036d5200000)
libpam.so.0 => /lib64/libpam.so.0 (0x00000036dc600000)
libdb2.so.1 => /home/db2inst1/sqllib/lib64/libdb2.so.1 (0x00007f7febc78000)
libgpgme.so.11 => /lib64/libgpgme.so.11 (0x00000036e8a00000)
libpng16.so.16 => /lib64/libpng16.so.16 (0x00000036dc200000)
libjpeg.so.62 => /lib64/libjpeg.so.62 (0x0000003874400000)
libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f7feba67000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000036d2a00000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00000039a7200000)
libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00000036dee00000)
libsystemd-daemon.so.0 => /lib64/libsystemd-daemon.so.0 (0x00000032dae00000)
libxml2.so.2 => /lib64/libxml2.so.2 (0x0000003dd8e00000)
libcurl.so.4 => /lib64/libcurl.so.4 (0x0000003a54a00000)
libfreetype.so.6 => /lib64/libfreetype.so.6 (0x00000036dca00000)
libaprutil-1.so.0 => /usr/local/apr-util/lib/libaprutil-1.so.0 (0x00007f7feb82d000)
libexpat.so.1 => /lib64/libexpat.so.1 (0x00000036d7a00000)
libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f7feb5e8000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00000036d2600000)
libicuio.so.50 => /lib64/libicuio.so.50 (0x00007f7feb3da000)
libicui18n.so.50 => /lib64/libicui18n.so.50 (0x00000036cbc00000)
libicuuc.so.50 => /lib64/libicuuc.so.50 (0x00000036cd800000)
libicudata.so.50 => /lib64/libicudata.so.50 (0x00000036cc200000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00000036d4600000)
libc.so.6 => /lib64/libc.so.6 (0x00000036d2200000)
libfreebl3.so => /lib64/libfreebl3.so (0x0000003846200000)
/lib64/ld-linux-x86-64.so.2 (0x00000036d1e00000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00000036db200000)
libdb2dascmn.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2dascmn.so.1 (0x00007f7feb1ad000)
libdb2g11n.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2g11n.so.1 (0x00007f7fea92f000)
libdb2genreg.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2genreg.so.1 (0x00007f7fea6eb000)
libdb2install.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2install.so.1 (0x00007f7fea4d9000)
libdb2locale.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2locale.so.1 (0x00007f7fea2b3000)
libdb2osse.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2osse.so.1 (0x00007f7fe9b49000)
libdb2osse_db2.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2osse_db2.so.1 (0x00007f7fe98c4000)
libdb2sdbin.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2sdbin.so.1 (0x00007f7fe962e000)
libdb2trcapi.so.1 => /opt/ibm/db2/VXX.X/lib64/libdb2trcapi.so.1 (0x00007f7fe9417000)
libassuan.so.0 => /lib64/libassuan.so.0 (0x00000036e8600000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00000036d3600000)
libssh2.so.1 => /lib64/libssh2.so.1 (0x0000003847600000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003844a00000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003844600000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003844e00000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0000003307e00000)
libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x0000003847200000)
liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00000036dda00000)
libssl.so.10 => /lib64/libssl.so.10 (0x0000003845200000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x0000003843e00000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003844200000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00000036d5e00000)
libsasl2.so.3 => /lib64/libsasl2.so.3 (0x0000003846e00000)
libssl3.so => /lib64/libssl3.so (0x0000003845e00000)
libsmime3.so => /lib64/libsmime3.so (0x0000003846a00000)
libnss3.so => /lib64/libnss3.so (0x0000003845600000)
libnssutil3.so => /lib64/libnssutil3.so (0x0000003845a00000)
libplds4.so => /lib64/libplds4.so (0x00000036d8e00000)
libplc4.so => /lib64/libplc4.so (0x00000036d8a00000)
libnspr4.so => /lib64/libnspr4.so (0x00000036d9200000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00000039f5c00000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00000039f6000000)

Not sure, if we should discuss this on the list. Well, you can always send me an email, whatever you decide.

Cheers,
K. C.
  107713
October 28, 2019 02:03 phpdev@ehrhardt.nl (Jan Ehrhardt)
"Helmut K. C. Tessarek" in php.internals (Sun, 27 Oct 2019 16:19:39 -0400):
>On 2019-10-27 14:50, Jan Ehrhardt wrote:
>> For me it still fails, also on the command line. OpenSSL 1.1.1d builds
>> with 1 subtest failing: test/recipes/20-test_enc.t. A known issue.
>
>Nope, no errors on my system, otherwise my openssl install would have failed
>when doing: make && make test && make install
>
>Just run the openssl tests again:
>../test/recipes/20-test_enc.t ...................... ok

It is a harmless error: https://github.com/openssl/openssl/issues/9866#issuecomment-533035463

>> Can you give me your exact configure line? For instance: did your build
>> include nghttp2? Mine did. This is the output of ldd:
>
>No nghttp2. Here's my configure line:

[snip, snip]

>libssl.so.10 => /lib64/libssl.so.10 (0x0000003845200000)
>libcrypto.so.10 => /lib64/libcrypto.so.10 (0x0000003843e00000)

Your build is still linking the system OpenSSL.
>Not sure, if we should discuss this on the list.
Maybe not. On the other hand it might be a real bug. Somehow my builds fail on validating the peers. If I set $options['ssl']['verify_peer'] to FALSE in the secure_stream_test.php at
https://gist.github.com/Jan-E/7f0055624b82c39dee6ae5b712f2c97a
the stream_socket_enable_crypto succeeds. But in a production environment you cannot and should not do without verifying peers.
--
Jan
  107715
October 28, 2019 02:31 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-27 22:03, Jan Ehrhardt wrote:
> Your build is still linking the system OpenSSL.
Maybe, but the openssl extension is not using it.

$ php -r 'echo "openssl version text: " . OPENSSL_VERSION_TEXT . "\n"; echo "openssl version number: 0x" . dechex(OPENSSL_VERSION_NUMBER) . "\n";'
openssl version text: OpenSSL 1.1.1d 10 Sep 2019
openssl version number: 0x1010104f

>> Not sure, if we should discuss this on the list.
> Maybe not. On the other hand it might be a real bug. Somehow my builds fail on validating
> the peers. If I set $options['ssl']['verify_peer'] to FALSE in the secure_stream_test.php
> at https://gist.github.com/Jan-E/7f0055624b82c39dee6ae5b712f2c97a the
> stream_socket_enable_crypto succeeds. But in a production environment you cannot and
> should not do without verifying peers.

Hmm, it does not fail on my machine as you can see from the results I posted earlier. But I just had an idea:
The extension is very picky about having a proper ca file. I ran into similar issues a while back.

Can you please try to set openssl.cafile in php.ini?

I always get the latest version from http://curl.haxx.se/ca/cacert.pem

Cheers,
K. C.
  107719
October 28, 2019 04:31 phpdev@ehrhardt.nl (Jan Ehrhardt)
"Helmut K. C. Tessarek" in php.internals (Sun, 27 Oct 2019 22:31:52
-0400):
>Hmm, it does not fail on my machine as you can see from the results I posted
>earlier. But I just had an idea:
>The extension is very picky about having a proper ca file. I ran into similar
>issues a while back.
>
>Can you please try to set openssl.cafile in php.ini?
>
>I always get the latest version from http://curl.haxx.se/ca/cacert.pem

Thanks! That did the trick. Silly that OpenSSL 1.0.1e (CentOS 6 default) and OpenSSL 1.0.2-fips did not have the problem. Apparently they found the ca_bundle.crt in /etc/ssl/ (symlinked to /etc/pki/tls/certs/).

In the meantime I also tried it with a Windows build. It succeeded without any php.ini. For the interested people:
https://phpdev.toolsforresearch.com/php-7.2.24-static-openssl-1.1.1d.zip
--
Jan
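
The CA-file check discussed in the messages above, written out as an added shell example; it is not part of the original thread. As an assumption it models only file-based sources (openssl.cafile from php.ini, then SSL_CERT_FILE, then OpenSSL's compiled-in default file); the function names and the constructed PEM file are hypothetical.

```shell
#!/bin/sh
# Added example: report which CA file a PHP build would load for peer
# verification, and whether that file is usable.
# Simplified model (assumption): file-based sources only, capath and the
# default certificate directory are ignored. A configured but unusable
# file is reported, not skipped, because there is no fallback in that case.
# On a real host the values come from the environment and from:
#   php -r 'print_r(openssl_get_cert_locations());'
#   (keys ini_cafile and default_cert_file)

# Return 0 when $1 is a readable file holding at least one PEM certificate.
has_pem_cert() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# ca_source INI_CAFILE ENV_CERT_FILE DEFAULT_CERT_FILE
# Prints "<source> <path> <ok|unusable>".
ca_source() {
    if [ -n "$1" ]; then src=ini; path=$1
    elif [ -n "$2" ]; then src=env; path=$2
    else src=default; path=$3
    fi
    if has_pem_cert "$path"; then state=ok; else state=unusable; fi
    printf '%s %s %s\n' "$src" "$path" "$state"
}

# Constructed demo: a build whose compiled-in default file does not exist,
# before and after openssl.cafile is pointed at a downloaded bundle.
ca_demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$dir/cacert.pem"
    ca_source "" "" "$dir/ssl/cert.pem"
    ca_source "$dir/cacert.pem" "" "$dir/ssl/cert.pem"
    rm -rf "$dir"
}
ca_demo
```

An "unusable" result for the source in effect is the condition under which peer verification fails; the remedy is a valid CA bundle, not disabling verify_peer.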
  107541
October 14, 2019 09:22 nikita.ppv@gmail.com (Nikita Popov)
On Sun, Oct 13, 2019 at 11:04 PM Helmut K. C. Tessarek <tessarek@evermeet.cx>
wrote:

> On 2019-10-13 17:00, Nikita Popov wrote:
> > Don't know about previous versions, but at least on 7.4 setting
> > OPENSSL_CFLAGS and OPENSSL_LIBS appropriately (e.g. using pkg-config
> > --static --cflags/--libs return values) should work. These environment
> > variables allow you to bypass normal pkg-config checks, which are generally
> > going to be non-static.
>
> I've tried pretty much anything, so if you have flags and env vars that work,
> please post them here.

Here's what pkg-config --static tells me on my system:

-lssl -lcrypto -ldl -pthread

So I use this for OPENSSL_LIBS, while explicitly requesting the static .a libs (on the assumption that only openssl should be linked statically, not all libs):

../configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -pthread"

configure passes, but then during linking I get:

/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/libcrypto.a(threads_pthread.o): undefined reference to symbol 'pthread_rwlock_wrlock@@GLIBC_2.2.5'

It looks like the "-pthread" flag gets stripped. Then I tried:

../configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl" CFLAGS="-pthread"

This compiles successfully.

> ldd sapi/cli/php
linux-vdso.so.1 (0x00007ffd1531f000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f04b79a9000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f04b77a1000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f04b7403000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f04b71ff000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f04b6fe0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f04b6bef000)
/lib64/ld-linux-x86-64.so.2 (0x00007f04b8bee000)

The fact that "-pthread" gets stripped from LIBS might be a bug.

Hope this helps,
Nikita
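
An added example, not from the thread, for the ldd checks used here and in the "still linking the system OpenSSL" exchange: it tells apart a binary that links shared libssl/libcrypto itself from one that only inherits them through another shared library. The function names and the readelf sample lines are constructed; the ldd sample lines are copied from the thread.

```shell
#!/bin/sh
# Added example: classify how a binary obtains OpenSSL.
# `ldd` prints the full transitive closure of shared objects, while
# `readelf -d` prints only the binary's own DT_NEEDED entries.

# openssl_linkage LDD_OUTPUT_FILE READELF_D_OUTPUT_FILE
# Prints "direct <libs>", "transitive <libs>" or "static-or-none".
openssl_linkage() {
    # The pattern requires ".so" right after the name, so NSS's libssl3.so
    # (present in one ldd listing in the thread) is not taken for OpenSSL.
    all=$(awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1 }' "$1" |
          sort -u | paste -sd' ' -)
    direct=$(awk '/\(NEEDED\)/ && match($0, /\[lib(ssl|crypto)\.so[^]]*\]/) {
                      print substr($0, RSTART + 1, RLENGTH - 2) }' "$2" |
             sort -u | paste -sd' ' -)
    if [ -n "$direct" ]; then
        echo "direct $direct"        # the binary itself links shared OpenSSL
    elif [ -n "$all" ]; then
        echo "transitive $all"       # pulled in by another shared library
    else
        echo "static-or-none"        # confirm with OPENSSL_VERSION_TEXT
    fi
}

linkage_demo() {
    tmp=$(mktemp -d)
    # ldd lines copied from the thread; readelf lines are constructed.
    cat > "$tmp/ldd.txt" <<'EOF'
  libcurl.so.4 => /lib64/libcurl.so.4 (0x0000003a54a00000)
  libssl.so.10 => /lib64/libssl.so.10 (0x0000003845200000)
  libcrypto.so.10 => /lib64/libcrypto.so.10 (0x0000003843e00000)
  libssl3.so => /lib64/libssl3.so (0x0000003845e00000)
EOF
    cat > "$tmp/needed.txt" <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
    openssl_linkage "$tmp/ldd.txt" "$tmp/needed.txt"
    rm -rf "$tmp"
}
linkage_demo
```

On a real build the two inputs are the saved output of `ldd <binary>` and `readelf -d <binary>`. A "transitive" result means two OpenSSL versions can end up loaded in one process, which is worth knowing before relying on the static one.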
  107542
October 14, 2019 09:30 nikita.ppv@gmail.com (Nikita Popov)
On Mon, Oct 14, 2019 at 11:22 AM Nikita Popov <nikita.ppv@gmail.com> wrote:

> On Sun, Oct 13, 2019 at 11:04 PM Helmut K. C. Tessarek <tessarek@evermeet.cx> wrote:
>
>> On 2019-10-13 17:00, Nikita Popov wrote:
>> > Don't know about previous versions, but at least on 7.4 setting
>> > OPENSSL_CFLAGS and OPENSSL_LIBS appropriately (e.g. using pkg-config
>> > --static --cflags/--libs return values) should work. These environment
>> > variables allow you to bypass normal pkg-config checks, which are generally
>> > going to be non-static.
>>
>> I've tried pretty much anything, so if you have flags and env vars that work,
>> please post them here.
>
> Here's what pkg-config --static tells me on my system:
>
> -lssl -lcrypto -ldl -pthread
>
> So I use this for OPENSSL_LIBS, while explicitly requesting the static .a
> libs (on the assumption that only openssl should be linked statically, not
> all libs):
>
> ./configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -pthread"
>
> configure passes, but then during linking I get:
>
> /usr/bin/ld:
> /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/libcrypto.a(threads_pthread.o):
> undefined reference to symbol 'pthread_rwlock_wrlock@@GLIBC_2.2.5'
>
> It looks like the "-pthread" flag gets stripped. Then I tried:
>
> ./configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl" CFLAGS="-pthread"
>
> This compiles successfully.
>
> > ldd sapi/cli/php
> linux-vdso.so.1 (0x00007ffd1531f000)
> libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f04b79a9000)
> librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f04b77a1000)
> libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f04b7403000)
> libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f04b71ff000)
> libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f04b6fe0000)
> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f04b6bef000)
> /lib64/ld-linux-x86-64.so.2 (0x00007f04b8bee000)
>
> The fact that "-pthread" gets stripped from LIBS might be a bug.

Looks like the -pthread stripping happens here:
https://github.com/php/php-src/blob/5197d0cd5e1f4581db1beca1260e1315368ea911/build/php.m4#L371-L377

It doesn't get stripped as much as relocated to EXTRA_LDFLAGS (for static builds, for shared it goes into SHARED_LIBADD). However EXTRA_LDFLAGS is only used when linking libraries, while programs use EXTRA_LDFLAGS_PROGRAM. This seems like an oversight, and it should be added to both.

Nikita
  107543
October 14, 2019 09:46 nikita.ppv@gmail.com (Nikita Popov)
On Mon, Oct 14, 2019 at 11:30 AM Nikita Popov <nikita.ppv@gmail.com> wrote:

> On Mon, Oct 14, 2019 at 11:22 AM Nikita Popov <nikita.ppv@gmail.com> wrote:
>
>> On Sun, Oct 13, 2019 at 11:04 PM Helmut K. C. Tessarek <tessarek@evermeet.cx> wrote:
>>
>>> On 2019-10-13 17:00, Nikita Popov wrote:
>>> > Don't know about previous versions, but at least on 7.4 setting
>>> > OPENSSL_CFLAGS and OPENSSL_LIBS appropriately (e.g. using pkg-config
>>> > --static --cflags/--libs return values) should work. These environment
>>> > variables allow you to bypass normal pkg-config checks, which are generally
>>> > going to be non-static.
>>>
>>> I've tried pretty much anything, so if you have flags and env vars that work,
>>> please post them here.
>>
>> Here's what pkg-config --static tells me on my system:
>>
>> -lssl -lcrypto -ldl -pthread
>>
>> So I use this for OPENSSL_LIBS, while explicitly requesting the static .a
>> libs (on the assumption that only openssl should be linked statically, not
>> all libs):
>>
>> ./configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -pthread"
>>
>> configure passes, but then during linking I get:
>>
>> /usr/bin/ld:
>> /usr/lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/libcrypto.a(threads_pthread.o):
>> undefined reference to symbol 'pthread_rwlock_wrlock@@GLIBC_2.2.5'
>>
>> It looks like the "-pthread" flag gets stripped. Then I tried:
>>
>> ./configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl" CFLAGS="-pthread"
>>
>> This compiles successfully.
>>
>> > ldd sapi/cli/php
>> linux-vdso.so.1 (0x00007ffd1531f000)
>> libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f04b79a9000)
>> librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f04b77a1000)
>> libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f04b7403000)
>> libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f04b71ff000)
>> libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f04b6fe0000)
>> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f04b6bef000)
>> /lib64/ld-linux-x86-64.so.2 (0x00007f04b8bee000)
>>
>> The fact that "-pthread" gets stripped from LIBS might be a bug.
>
> Looks like the -pthread stripping happens here:
> https://github.com/php/php-src/blob/5197d0cd5e1f4581db1beca1260e1315368ea911/build/php.m4#L371-L377
>
> It doesn't get stripped as much as relocated to EXTRA_LDFLAGS (for static
> builds, for shared it goes into SHARED_LIBADD). However EXTRA_LDFLAGS is
> only used when linking libraries, while programs use EXTRA_LDFLAGS_PROGRAM.
> This seems like an oversight, and it should be added to both.

This should be fixed with
https://github.com/php/php-src/commit/c518932c0326a938f0fd0254f2adb03b1cddfbca.

Now using just

../configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -pthread"

works for me.

Nikita
  107623
October 22, 2019 03:34 "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
On 2019-10-14 05:46, Nikita Popov wrote:

> Now using just
>
> ./configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -pthread"
>
> works for me.

Hmm, I can't get it to work. My ssl is in: /usr/local/ssl-1.1.1

Cheers,
K. C.
  107714
October 28, 2019 02:23 phpdev@ehrhardt.nl (Jan Ehrhardt)
Nikita Popov in php.internals (Mon, 14 Oct 2019 11:22:24 +0200):
>./configure --disable-all --with-openssl OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl" CFLAGS="-pthread"
>
>This compiles successfully.
>
>> ldd sapi/cli/php
>linux-vdso.so.1 (0x00007ffd1531f000)
>libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f04b79a9000)
>librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f04b77a1000)
>libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f04b7403000)
>libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f04b71ff000)
>libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f04b6fe0000)
>libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f04b6bef000)
>/lib64/ld-linux-x86-64.so.2 (0x00007f04b8bee000)

I now tried

#!/bin/sh
../configure \
  --prefix=/usr/local/php72 \
  --program-suffix=72 \
  --enable-fpm \
  --with-config-file-scan-dir=/usr/local/php72/lib/php.conf.d \
  --disable-all \
  --with-openssl=/usr/local/ssl-1.1.1 \
  CFLAGS=-I/usr/local/include \
  LDFLAGS=-L/usr/local/lib \
  LIBS="-ldl -lpthread" \
  OPENSSL_LIBS="-L/usr/local/ssl-1.1.1/lib -l:libssl.a -l:libcrypto.a -ldl -lpthread" \
  OPENSSL_CFLAGS="-I/usr/local/ssl-1.1.1/include"

with this as a result:

ldd /usr/local/php72/bin/php
linux-vdso.so.1 => (0x00007ffd5bb8b000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f45d95bc000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f45d93a2000)
librt.so.1 => /lib64/librt.so.1 (0x00007f45d919a000)
libm.so.6 => /lib64/libm.so.6 (0x00007f45d8f16000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f45d8cfd000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f45d8af9000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f45d88dc000)
libc.so.6 => /lib64/libc.so.6 (0x00007f45d8548000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007f45d8345000)
/lib64/ld-linux-x86-64.so.2 (0x00007f45d97f3000)

But it fails on stream_socket_enable_crypto in the test script in
https://gist.github.com/Jan-E/7f0055624b82c39dee6ae5b712f2c97a

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

@Nikita: could you try that test with your build? Thanks.
--
Jan