masatana
When you want to build an old PHP from source, be careful of the certificate!

Recently I needed to build an old PHP (php-5.6.34) from source.
Somehow I managed to configure it with openssl and build it.

Then I just typed make test to check the result of the build, and I got the errors below:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #48182: ssl handshake fails during asynchronous socket connection [ext/openssl/tests/bug48182.phpt]
Bug #54992: Stream not closed and error not returned when SSL CN_match fails [ext/openssl/tests/bug54992.phpt]
Bug #65538: SSL context "cafile" supports stream wrappers [ext/openssl/tests/bug65538_001.phpt]
Bug #65538: SSL context "cafile" supports phar wrapper [ext/openssl/tests/bug65538_003.phpt]
capture_peer_cert context captures on verify failure [ext/openssl/tests/capture_peer_cert_001.phpt]
Testing peer fingerprint on connection [ext/openssl/tests/openssl_peer_fingerprint_basic.phpt]
Peer verification enabled for client streams [ext/openssl/tests/peer_verification.phpt]
Capture SSL session meta array in stream context [ext/openssl/tests/session_meta_capture.phpt]
Basic bitwise stream crypto context flag assignment [ext/openssl/tests/stream_crypto_flags_001.phpt]
TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment [ext/openssl/tests/stream_crypto_flags_002.phpt]
Server bitwise stream crypto flag assignment [ext/openssl/tests/stream_crypto_flags_003.phpt]
Specific protocol method specification [ext/openssl/tests/stream_crypto_flags_004.phpt]
Allow host name mismatch when "verify_host" disabled [ext/openssl/tests/stream_verify_peer_name_002.phpt]
Host name mismatch triggers error [ext/openssl/tests/stream_verify_peer_name_003.phpt]
=====================================================================

Well, I just built the source, so why am I getting so many errors?

Digging into the source code, I noticed that all of the tests above use the bug54992-ca.pem certificate, which is used to test SSL/TLS connections.

Yes, bug54992-ca.pem is TOO OLD to be effective!

This is already fixed. I found the upstream patch in the PHP source: https://github.com/php/php-src/commit/687dad3674e9af12cec914bdc250a157680076ca

The test errors above disappeared after cherry-picking the patch manually.
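To confirm that stale test certificates are the cause before suspecting the OpenSSL build itself, the fixtures can be checked directly. The following is an added example, not code from the original post or from php-src; the function name check_pem_expiry and its arguments are assumptions, and it relies only on the openssl x509 -checkend and -enddate options.

```shell
#!/bin/sh
# Added example: report PEM fixtures whose first certificate has expired,
# or will expire within WITHIN_SECONDS (default 0 = already expired).
# Usage: check_pem_expiry DIR [WITHIN_SECONDS]
# Prints "<file><TAB>notAfter=<date>" per stale certificate.
# Returns 0 when every certificate is still valid, 1 otherwise.
check_pem_expiry() {
    dir=$1
    within=${2:-0}
    stale=0
    for pem in "$dir"/*.pem; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$pem" ] || continue
        # Key-only files carry no certificate to check.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || continue
        # -checkend exits 0 while the certificate is valid past the window.
        if openssl x509 -in "$pem" -noout -checkend "$within" >/dev/null 2>&1
        then
            continue
        fi
        end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) \
            || end='notAfter=unreadable'
        printf '%s\t%s\n' "$pem" "$end"
        stale=$((stale + 1))
    done
    [ "$stale" -eq 0 ]
}

# Stand-alone use from the PHP source tree, for example:
#   sh check_pem_expiry.sh ext/openssl/tests
if [ "$#" -gt 0 ]; then
    check_pem_expiry "$@"
fi
```

A second argument such as 2592000 (30 days) also flags fixtures that are about to expire, which helps when a build will be re-tested later.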
