
`phpinfo()` reports I'm using OpenSSL 0.9.8y and has a configure command containing '--with-openssl=/usr/local/openssl-0.9.8y'. When I do a `yum info openssl` it shows that OpenSSL 1.0.1e is installed.

Do I need to recompile PHP to fix this? Since I'm using Zend Server CE, is this the right process to correct my issue with openssl in PHP? http://files.zend.com/help/Zend-Server-6/zend-server.htm#compiling_php_extensions.htm

What scenario do I use in the link above and what steps would I use specifically for openssl?

NOTE: I am using CentOS 6.5, Zend Server CE 6.3, and PHP 5.4. The above is a link to docs for Zend Server CE 6.2 and I have 6.3 but I suspect it would be the same process?

god_is_love
  • PHP will use the version of openssl that it was compiled against, not the version that you have installed (unless you built from source yourself against a specific version of openssl) – Mark Baker Apr 21 '14 at 23:45
  • But if you are going to do a manual build yourself with a higher version of openssl, make sure that it's with version 1.0.1g, not the 1.0.1e that you have installed, as 1.0.1e is susceptible to heartbleed – Mark Baker Apr 21 '14 at 23:47
  • @MarkBaker SSL for the connection between the browser and the server comes from Apache, not PHP, so would it really be a big deal if a vulnerable version was used with PHP? – Mike Apr 22 '14 at 01:13
  • First, how do I get 1.0.1g because I only see 1.0.1e when doing a yum update openssl? Second, which scenario do I use [from the link in my question](http://files.zend.com/help/Zend-Server-6/zend-server.htm#compiling_php_extensions.htm)... **Compile A PECL extension** or **Compile a PHP Extension Included in the Main PHP Source**? – god_is_love Apr 22 '14 at 01:13
  • @god_is_love if that's the version available from the official repositories, then it should be fixed. You can also test it by going to http://filippo.io/Heartbleed/ (remember to restart your http server first). – Mike Apr 22 '14 at 01:20
  • If you're using OpenSSL from PHP (e.g. using curl or similar), then PHP will use the version of openssl that it was compiled against; and you don't need it enabled for PHP unless you're using it like this.... so you don't need it enabled in PHP for the browser/webserver connection – Mark Baker Apr 22 '14 at 07:01
  • @Mike Other symptoms on the server come from error logs: "Generating RSA private key, 1024 bit long modulus ....++++++ ................................++++++ unable to write 'random state' e is 65537 (0x10001)" Also logging into the backend of a TYPO3 CMS instance on this server I get the error message: "PHP OpenSSL extension not working Something went wrong while trying to create a new private key for testing. Please check the integration of the PHP OpenSSL extension and if it is installed correctly." – god_is_love Apr 22 '14 at 15:59
  • @god_is_love See http://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean – Mike Apr 22 '14 at 18:19
  • @Mike I have already tried doing `rm ~/.rnd` for the root user and don't see any more .rnd files on my server. I had already [asked a question about this](http://stackoverflow.com/questions/22469249/php-error-log-unable-to-write-random-state-e-is-65537-0x10001) but got no response so far. – god_is_love Apr 25 '14 at 20:03

0 Answers
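The comments above turn on two separate version strings: the OpenSSL that PHP was built with and the OpenSSL package that yum installed. The following is an added example, not code from the question or its comments, that compares the two and classifies each against the Heartbleed range (upstream 1.0.1 through 1.0.1f, fixed in 1.0.1g). The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs would normally come from:
#   php -r 'echo OPENSSL_VERSION_TEXT;'            (what PHP is built with)
#   rpm -q --qf '%{VERSION}-%{RELEASE}' openssl    (what yum installed)
LC_ALL=C; export LC_ALL

# Pull the upstream version ("1.0.1e") out of either string format.
upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\2/p'
}

# Heartbleed affects upstream 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
heartbleed_status() {
    v=$(upstream_version "$1")
    case "$1" in *beta*) v= ;; esac       # pre-releases are not classified here
    case "$v" in
        '') echo unknown ;;
        1.0.1|1.0.1[a-f])
            case "$1" in
                # Assumption: a suffix after the version (RPM release, "-fips")
                # marks a packaged build, which may carry a backported fix
                # under the old letter, so its changelog decides.
                *"$v"-*) echo check-vendor-changelog ;;
                *) echo affected ;;
            esac ;;
        *) echo not-affected ;;
    esac
}

# Report both versions, their status, and whether PHP and the system agree.
compare_php_vs_system() {
    p=$(upstream_version "$1"); s=$(upstream_version "$2")
    if [ "$p" = "$s" ]; then link=same; else link=differs; fi
    echo "php=$p:$(heartbleed_status "$1") system=$s:$(heartbleed_status "$2") openssl=$link"
}

# Constructed sample values modelled on the question (release number is made up).
compare_php_vs_system "OpenSSL 0.9.8y 5 Feb 2013" "1.0.1e-99.el6"
```

A `check-vendor-changelog` result is resolved with `rpm -q --changelog openssl`, since the upstream letter alone does not show whether the distribution has patched the package.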