php macos openssl composer-php zend-server

Zend-Server 8.5, not managed to update OpenSSL for PHP


I did a really wide investigation on the topic, but still have not managed to force the fresh version of OpenSSL to work with ZendServer v.8.5.2 on OSX El Capitan.

Prehistory: by default, it seems ZendServer and El Capitan go with openssl-0.9.8zc. The fresh version of PHP 5.6.15 doesn't work normally with this version of OpenSSL and Composer-PHP. I was getting errors:

Unable to locate a valid CA certificate file. You must set a valid 'cafile' option. A valid CA certificate file is required for SSL/TLS protection. ...

[Composer\Downloader\TransportException]
The configured cafile was not valid or could not be read.

I updated the version of OpenSSL with Brew, and then made sure it's properly registered in the system:

 brew unlink openssl && brew link --force openssl

But in reality, it seems ZendServer has its own local copy of the openssl lib in its binaries directory:

/usr/local/zend/bin/openssl

openssl.cafile was empty, so I decided to point it to the new path, as was recommended in some tutorials: /usr/local/etc/openssl/cert.pem

As a result:

It seems the system is pointing to the proper version of openssl:

$ openssl version
OpenSSL 1.0.2f  28 Jan 2016
$ openssl version -d
OPENSSLDIR: "/usr/local/etc/openssl"

At the same time, which is pointing to Zend's version of OpenSSL:

$ which -a openssl
/usr/local/zend/bin/openssl
/usr/local/bin/openssl
/usr/bin/openssl

And PHP, it seems, still has the old default configuration, at a path which doesn't exist in my system anymore:

$ php -i | grep openssl
Configure Command =>  './configure'  '--prefix=/usr/local/zend' '--with-config-file-path=/usr/local/zend/etc' '--with-config-file-scan-dir=/usr/local/zend/etc/conf.d' '--disable-debug' '--enable-inline-optimization' '--disable-all' '--enable-libxml' '--enable-session' '--enable-spl' '--enable-xml' '--enable-hash' '--enable-reflection' '--with-pear' '--with-apxs2=/usr/local/zend/apache2/bin/apxs' '--with-layout=GNU' '--enable-filter' '--with-pcre-regex' '--with-zlib' '--enable-simplexml' '--enable-dom' '--with-libxml-dir=/usr/local' '--with-openssl=/usr/local/openssl-0.9.8zc' '--enable-pdo' '--with-pdo-sqlite' '--with-pdo-mysql=mysqlnd' '--with-libedit' '--with-pdo-pgsql' '--with-iconv' '--with-sqlite3' '--disable-phar' '--enable-xmlwriter' '--enable-xmlreader' '--enable-mysqlnd' '--enable-json' 'CC=gcc' 'CFLAGS=-fPIC '-O2' '-pipe' '-g' '-fno-common' '-g'' 'CPPFLAGS=-fPIC 'CXXFLAGS=-fPIC 'CXX=g++' 'LDFLAGS='
openssl
Openssl default config => /usr/local/openssl-0.9.8zc/ssl/openssl.cnf
openssl.cafile => /usr/local/etc/openssl/cert.pem => /usr/local/etc/openssl/cert.pem
openssl.capath => no value => no value

I haven't found any way to change the default Zend OpenSSL configuration for PHP in Zend Server 8.5.2 and to point it to the fresh OpenSSL in OSX.

Composer is still throwing the same error and doesn't work. I crawled StackOverflow here and there and haven't found a solution that works in my case. Any help would be highly appreciated.

Thanks!


Answer to myself: it seems that when PHP is compiled, those libraries are built into PHP, so upgrading the SSL lib files won't have any effect unless PHP is recompiled. It sounds to me like there's no way to update the OpenSSL lib in ZendServer, other than downloading a newer version (there are no newer versions).


Solution

  • After several days' investigation, it seems there's no way to update OpenSSL for PHP in ZendServer without re-compilation of PHP and the libs. So the question, it seems, is not answerable. There's no easy way to do it. You'll still have the system version of OpenSSL, which is different from the version pre-compiled with PHP.

    I dropped the idea of upgrading OpenSSL for PHP in ZendServer, as it's built into PHP itself. Instead, I rolled back my configs and ZendServer setup, so it works at least somehow, with an old version of OpenSSL.


    It may also help in certain cases, without re-installation, to manually update the certificates:

    1. Download cacert.pem from http://curl.haxx.se/ca/cacert.pem
    2. Copy cacert.pem to '/usr/local/zend/etc/ssl/certs/'
    3. Modify the CURL configuration (Zend Server Configuration -> PHP -> CURL) and change:

       curl.cainfo = '/usr/local/zend/etc/ssl/certs/cacert.pem'

    4. Restart PHP and check if CURL can read from an HTTPS URL.

    More information can be found in the article Fixing the expired intermediate certificate on Mac OS X
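
An added diagnostic, not part of the original question or answer: it asks the PHP runtime itself which OpenSSL build it is linked against and whether each configured CA bundle is readable and parses, which is the check that separates "the shell's openssl was upgraded" from "PHP's openssl was upgraded". The helper name check_ca_bundle is hypothetical; the script is written to run on PHP 5.6.

```php
<?php
// Added example (not from the original post): report the OpenSSL build this
// PHP binary is linked against and whether its CA bundle settings are usable.

/** Return a short status string for one CA bundle path (hypothetical helper). */
function check_ca_bundle($path)
{
    if ($path === '' || $path === false || $path === null) {
        return 'not set';
    }
    if (!is_file($path) || !is_readable($path)) {
        return 'missing or unreadable';
    }
    // Count PEM certificate blocks in the bundle.
    $n = substr_count(file_get_contents($path), '-----BEGIN CERTIFICATE-----');
    if ($n === 0) {
        return 'readable, but contains no PEM certificates';
    }
    // Let the linked OpenSSL parse the first certificate in the file.
    if (openssl_x509_parse('file://' . $path) === false) {
        return 'first certificate does not parse';
    }
    return "ok ($n certificates)";
}

if (!extension_loaded('openssl')) {
    exit("openssl extension is not loaded\n");
}

// The library compiled into PHP. `openssl version` in the shell reports the
// command-line tool found first on PATH, which can be a different build.
echo 'PHP linked against: ', OPENSSL_VERSION_TEXT, "\n";

// Compiled-in default plus php.ini overrides
// (openssl_get_cert_locations() requires PHP >= 5.6).
$loc = openssl_get_cert_locations();
$paths = array(
    'default_cert_file (compiled in)' => $loc['default_cert_file'],
    'openssl.cafile (php.ini)'        => ini_get('openssl.cafile'),
    'curl.cainfo (php.ini)'           => ini_get('curl.cainfo'),
);
foreach ($paths as $label => $path) {
    printf("%-32s %s => %s\n", $label, $path ?: '(empty)', check_ca_bundle($path));
}
```

Run it with the same binary that runs Composer (here /usr/local/zend/bin/php), since another php on PATH may be linked against a different OpenSSL.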