Incorrect openssl.cnf location for PHP 7.3 images #564

Closed
stronk7 opened this issue Feb 10, 2022 · 12 comments
@stronk7

stronk7 commented Feb 10, 2022

Describe the bug
PHP with openssl comes with the following default paths to locate the (mandatory for some operations) openssl.cnf file:

  • PHP 7.4 and up:
    • C:\Program Files\Common Files\SSL\openssl.cnf (x64)
    • C:\Program Files (x86)\Common Files\SSL\openssl.cnf (x86)
  • prior to PHP 7.4.0, C:\usr\local\ssl\openssl.cnf.

(source: PHP Manual: OpenSSL > Installing/Configuring)

And those are the values that the snapshots built here have. From this run, which has plenty of var_dump() information, I can see that:

  • The 7.3 job shows (phpinfo): Openssl default config => C:\usr\local\ssl/openssl.cnf
  • The 8.0 job shows (phpinfo): Openssl default config => C:\Program Files\Common Files\SSL/openssl.cnf

So, all right so far.

The problem is that the C:\usr\local\ssl/openssl.cnf file DOES NOT exist in the 7.3 environment, only the C:\Program Files\Common Files\SSL/openssl.cnf is there. The job above also tries to var_dump() the contents of the 2 files and only the latter is there, both in the 7.3 and 8.0 snapshots.

And that leads to all sorts of failures with various openssl operations requiring a valid openssl.cnf, for example:

PHP Warning:  openssl_pkey_export(): cannot get key from parameter 1 in ....

In theory, that problem can be worked around by setting some env variable (OPENSSL_CONF, ...) pointing to the latter file but, ideally, it should work without requiring that.

So, somehow, that default Openssl default config should be pointing to the existing (latter) file or, alternatively, that file should be copied to the former location so PHP 7.3 is able to find it.

Version

  • PHP 7.3 verified (and maybe also older versions).

Operating systems

  • Github Actions Environments windows-latest (2019 right now).

To Reproduce

  • Using the PHP and OS specified above, try any simple openssl script in PHP, for example:
<?php

$config = [
   "digest_alg" => "sha256",
   "private_key_bits" => 2048,
   "private_key_type" => OPENSSL_KEYTYPE_RSA,
];
$res = openssl_pkey_new($config);
openssl_pkey_export($res, $privatekey);
var_dump($privatekey);

Expected behavior
A private key is generated and printed, without any PHP Warning

Screenshots/Logs
output / error log shows: PHP Warning: openssl_pkey_export(): cannot get key from parameter 1 in...

Are you willing to submit a PR?
Sorry, I'm not able to help with that... in fact I was not sure if this issue corresponds to this, to setup-php or to the environments themselves, noob here, especially with Windows stuff.

If I can help with anything else, glad to help. Ciao :-)

@stronk7 stronk7 added the bug Something isn't working label Feb 10, 2022
@shivammathur
Owner

@stronk7
We only build snaps for PHP 8.0 and above here, older versions are just cached from the official builds. In the official Windows builds the OpenSSL conf file path was changed in PHP 7.4.
Ref: See changelog in https://www.php.net/manual/en/openssl.installation.php#Changelog

You can create a conf file in a step above your tests and provide its path to the options in openssl_pkey_export with the config key.
https://www.php.net/manual/en/function.openssl-csr-new.php

@shivammathur
Owner

@mlocati Can this be solved in phpmanager, maybe for PHP 7.3 and older a conf file can be created in the install path and set $env:OPENSSL_CONF in the registry.

@stronk7
Author

stronk7 commented Feb 11, 2022

Aha, thanks @shivammathur,

yeah, I was aware it can be changed both via env variable and also in PHP code (that I prefer not to modify).

Just was prospecting if, at some level (here in the snapshots, I did not know you are not building the old ones), or in the action, or maybe in the environments themselves, that could be changed somehow and allow it to work “by default”.

Thanks!

@mlocati
Contributor

mlocati commented Feb 11, 2022

> Can this be solved in phpmanager, maybe for PHP 7.3 and older a conf file can be created in the install path and set $env:OPENSSL_CONF in the registry.

Can't you simply write this somewhere?

$Env:OPENSSL_CONF = 'C:\Path\to\openssl.cnf'

@shivammathur
Owner

GitHub Actions does not carry over environment variables from one step to another as it starts a new shell. It would have to be set in GITHUB_ENV or hkcu:\Environment. I can do this in the next setup php release :)

@shivammathur shivammathur transferred this issue from shivammathur/php-builder-windows Feb 11, 2022
@shivammathur shivammathur added the awaiting-release Added/Fixed and tested, awaiting release label Feb 11, 2022
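
One way to do what the comment above describes, as an added example that is not code from setup-php or PhpManager: it picks the first openssl.cnf that exists among the two default paths quoted in this issue, sets OPENSSL_CONF for the current step, and appends it to the GITHUB_ENV file so later steps inherit it. `Resolve-OpenSslConf` is a hypothetical helper name, and `php` is assumed to be on PATH.

```powershell
# Added example: persist OPENSSL_CONF across GitHub Actions steps on Windows.
$ErrorActionPreference = 'Stop'

# Hypothetical helper: return the first candidate that is an existing file.
function Resolve-OpenSslConf {
    param([string[]] $Candidates)
    foreach ($path in $Candidates) {
        # -PathType Leaf: a directory with that name must not count as a config file
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            return (Resolve-Path -LiteralPath $path).Path
        }
    }
    throw "No openssl.cnf found in: $($Candidates -join '; ')"
}

# The two default locations quoted in this issue.
$candidates = @(
    'C:\usr\local\ssl\openssl.cnf',                   # default prior to PHP 7.4.0
    'C:\Program Files\Common Files\SSL\openssl.cnf'   # default for PHP 7.4 and up (x64)
)
$conf = Resolve-OpenSslConf -Candidates $candidates

# Current step only: a later step starts a new shell and would not see this.
$env:OPENSSL_CONF = $conf

# Later steps: the runner reads NAME=value lines appended to the file at $env:GITHUB_ENV.
if ($env:GITHUB_ENV) {
    "OPENSSL_CONF=$conf" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
} else {
    Write-Warning 'GITHUB_ENV is not set (not running under GitHub Actions); only this process was changed.'
}

# Confirm PHP can now export a key; without a usable config this is the call
# that fails with the warning reported in this issue.
& php -r 'exit(openssl_pkey_export(openssl_pkey_new(), $k) ? 0 : 1);'
if ($LASTEXITCODE -ne 0) {
    throw "PHP could not export a private key with OPENSSL_CONF=$conf"
}
```
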
@mlocati
Contributor

mlocati commented Feb 11, 2022

PS: I also am working on it: https://github.com/mlocati/powershell-phpmanager/commits/fix-openssl_conf-path

(No ETA though)

@shivammathur
Owner

@mlocati That looks great, will use it once released.

@shivammathur shivammathur removed the awaiting-release Added/Fixed and tested, awaiting release label Feb 11, 2022
@stronk7
Author

stronk7 commented Feb 11, 2022

Heap thanks, @shivammathur & @mlocati !

@mlocati
Contributor

mlocati commented Feb 12, 2022

I've just published a new version of Powershell PhpManager (1.26.0).
It comes with a new function (Set-OpenSSLConf) that can be used to set the OPENSSL_CONF environment variable, with the value of the path to an openssl.cnf file.

PS C:\> Get-Help Set-OpenSSLConf -Detailed

NAME
    Set-OpenSSLConf

SYNOPSIS
    Persist/fix the path of the openssl.cnf file by settng the OPENSSL_CONF environment variable


SYNTAX
    Set-OpenSSLConf [[-Path] <String>] [[-Target] <String>] [<CommonParameters>]


DESCRIPTION


PARAMETERS
    -Path <String>
        The path to the openssl.cnf file (if not provided we'll try to detect it)

    -Target <String>
        'Process' [default] to set the OPENSSL_CONF environment variable for the current process only
        'User' to set the OPENSSL_CONF environment variable for the current process and the current user
        'Machine' to set the OPENSSL_CONF environment variable for the current process and the local machine

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

    -------------------------- EXAMPLE 1 --------------------------

    PS > Set-OpenSSLConf C:\Path\to\openssl.cnf

PS: PHP comes with a sample openssl.cnf file. If you omit the Path parameter, and if the directory containing the installed php.exe is listed in the PATH environment variable, Set-OpenSSLConf will use that openssl.cnf file (see here for the paths where Set-OpenSSLConf looks for openssl.cnf).

@shivammathur
Owner

shivammathur commented Feb 12, 2022

@shivammathur shivammathur added the awaiting-release Added/Fixed and tested, awaiting release label Feb 12, 2022
@shivammathur
Owner

Added in 2.17.1.

@shivammathur shivammathur removed the awaiting-release Added/Fixed and tested, awaiting release label Mar 1, 2022
@stronk7
Author

stronk7 commented Mar 1, 2022

I can confirm that, now, previous PHPUnit runs affected by this (PHP 7.3) are now passing perfectly.

Link: https://github.com/stronk7/moodle/runs/5378218227
(note that there are still a couple of failures there, but they are unrelated, the SSL ones are now gone)

Heap thanks!
