3

I have upgraded the OpenSSL version to 1.0.2l from 1.0.1e and the PHP version from PHP 5.6 to PHP 7.1.8 (PHP is installed using yum).

The problem is that PHP still detects the OpenSSL version as 1.0.1e, whereas I want it to use the latest installed OpenSSL version, i.e. 1.0.2l.

I want to know what my options are here: how do I go about telling PHP to use the latest installed OpenSSL version?

My findings tell me that the only way to do it is by recompiling PHP (I would appreciate it if someone could tell me whether there is another way). If the only way is by recompiling, I need help on how to go about it: what are the steps involved? From my understanding, here is what I think I have to do:

  • Remove PHP version installed from YUM
  • Download latest version of PHP from source and unzip in tmp directory
  • Compile & Install PHP

Am I missing anything here?

** UPDATE **

Here is the list of PHP extensions installed using yum:

 php-bcmath                        x86_64       7.1.8-1.el7.remi             @remi-php71        94 k
 php-common                        x86_64       7.1.8-1.el7.remi             @remi-php71       7.9 M
 php-fedora-autoloader             noarch       0.2.1-2.el7                  @epel              14 k
 php-gd                            x86_64       7.1.8-1.el7.remi             @remi-php71       204 k
 php-intl                          x86_64       7.1.8-1.el7.remi             @remi-php71       947 k
 php-json                          x86_64       7.1.8-1.el7.remi             @remi-php71        80 k
 php-mbstring                      x86_64       7.1.8-1.el7.remi             @remi-php71       2.8 M
 php-mysqlnd                       x86_64       7.1.8-1.el7.remi             @remi-php71       850 k
 php-pdo                           x86_64       7.1.8-1.el7.remi             @remi-php71       386 k
 php-pecl-zip                      x86_64       1.13.5-2.el7.remi.7.1        @remi-php71       175 k
 php-php-gettext                   noarch       1.0.12-1.el7                 @epel              57 k
 php-process                       x86_64       7.1.8-1.el7.remi             @remi-php71       180 k
 php-tcpdf                         noarch       6.2.13-1.el7                 @epel              11 M
 php-tcpdf-dejavu-sans-fonts       noarch       6.2.13-1.el7                 @epel             1.5 M
 php-tidy                          x86_64       7.1.8-1.el7.remi             @remi-php71       106 k
 php-xml                           x86_64       7.1.8-1.el7.remi             @remi-php71       851 k

I now want to configure PHP to use these extensions. So far I have come up with the following:

./configure --with-openssl --with-openssl-dir=/usr/bin \
    --with-zlib \
    --enable-zip \
    --enable-xmlreader \
    --enable-xmlwriter \
    --enable-opcache \
    --enable-simplexml \
    --with-sqlite3 \
    --with-pdo-sqlite \
    --with-pdo-mysql=mysqlnd \
    --with-mysqli=mysqlnd \
    --with-mysql-sock=/var/lib/mysql/mysql.sock \
    --enable-mysqlnd \
    --with-mcrypt \
    --enable-mbstring \
    --enable-intl \
    --with-png-dir \
    --with-jpeg-dir \
    --enable-gd-native-ttf \
    --with-gd \
    --with-curl \
    --with-bz2 \
    --enable-bcmath

I just want to know now: if I need to enable any extension from the above list, do I use --enable or --with? For example, how do I enable php-xml? Do I only use --enable-php-xml?

jww
Ibrahim Azhar Armar

2 Answers

2

Yes, you need to download the dev package of OpenSSL (sources/headers) and the sources of PHP, and configure it with the following keys:

--with-openssl --with-openssl-dir=/usr/local/bin

as per PHP Manual > OpenSSL > Installing/Configuring

You may also want to use other keys like --with-curl=/usr/local or --with-gd. Check the documentation at PHP Manual > Appendices > Configure options and the installation manuals for every module you want to compile it with, like GD2 or Curl.

NOTE: You will need to download the dev packages of every module you are going to compile - it consumes a noticeable amount of time, plan accordingly.

NOTE 2: Keep in mind that all modules you are going to compile into your own build of PHP will be accessible through its functions (like image manipulation, https/curl requests etc.), so it is highly recommended to use only stable and proven versions of modules so as not to add a new vulnerability to your website.

** UPDATE **

./configure --with-openssl --with-openssl-dir=/usr/bin \
    --with-zlib=[DIR] \
    --enable-zip \
    --enable-opcache \
    --with-pdo-mysql=[DIR] \
    --with-mysqli=[DIR] \
    --with-mysql-sock=/var/lib/mysql/mysql.sock \
    --with-mcrypt=[DIR] \
    --enable-mbstring \
    --enable-intl \
    --with-png-dir=[DIR] \
    --with-jpeg-dir=[DIR] \
    --with-gd=[DIR] \
    --with-curl=[DIR] \
    --with-bz2=[DIR] \
    --enable-bcmath

[DIR]'s can be discovered automatically, but I have faced a lot of situations where they are different from what PHP expects.

xmlreader, xmlwriter, simplexml are enabled by default starting with PHP 5.1.2

sqlite3, pdo-sqlite are enabled by default starting with PHP 5.3.0

--enable-gd-native-ttf is deprecated starting PHP 5.5.0, removed in PHP 7.2.0.

iXCray
  • Just to confirm. when I run `which openssl` it displays me `/usr/bin/openssl` so I need to update the parameter `--with-openssl-dir=/usr/bin` ? – Ibrahim Azhar Armar Aug 15 '17 at 17:38
  • Correct. If there are any errors in the paths, don't worry - `configure` will tell you about them before you spend time on compilation. – iXCray Aug 15 '17 at 17:41
  • Another question: I already have all required PHP modules installed from yum on my server. I only removed the PHP and did not remove any modules. So when compiling/installing can I tell PHP to use all modules already installed from yum? – Ibrahim Azhar Armar Aug 15 '17 at 17:42
  • Most likely you will need to recompile them also with `phpize`, because the version of PHP may differ – iXCray Aug 15 '17 at 17:44
  • It is the same version of PHP, i.e. the version installed from yum is PHP `7.1.8` and the downloaded version is `7.1.8` as well. If the PHP version matches, does it mean I can use it? – Ibrahim Azhar Armar Aug 15 '17 at 17:46
  • Should work - check with installation manuals of modules. You need to compile with `--with-gd` to use `gd2.so`. – iXCray Aug 15 '17 at 17:53
  • I have one last question. I have several modules installed which I need to enable using ./configure. Can you please refer to my question (I have updated it)? I need help on whether or not my command to enable the modules is correct. – Ibrahim Azhar Armar Aug 15 '17 at 18:01
  • Updated answer, check. – iXCray Aug 15 '17 at 18:22
  • He may need `-Wl,-rpath,..`, SONAMEs and New Tags linker options because Linux library paths are so f**k'd up. 30 years of Linux library path problems and no end in sight... – jww Aug 16 '17 at 12:07
  • @jww well, configurer will mention that at least and guide where a fix is needed – iXCray Aug 16 '17 at 13:00
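
A post-build check for the situation discussed in the question and in the comments above, added here as an example and not part of any answer: it compares the OpenSSL version PHP was compiled against with the CLI's version, then checks which libssl/libcrypto the loader actually resolves. The function names, the `/usr/local/lib` prefix and the sample banners and `ldd` output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. On a real host the three inputs come from:
#   php -r 'echo OPENSSL_VERSION_TEXT;'   # headers PHP was compiled against
#   openssl version                       # CLI found on PATH
#   ldd "$(command -v php)"               # libraries resolved at run time

# Extract the bare version (e.g. "1.0.2l") from an OpenSSL banner.
ssl_version() {
    printf '%s\n' "$1" | awk '{ sub(/-fips$/, "", $2); print $2 }'
}

# Read ldd output on stdin; print resolved libssl/libcrypto paths.
linked_ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# Succeed only if every libssl/libcrypto path in the ldd output ($2)
# lives under the expected prefix ($1). Fails if none are listed.
libs_under_prefix() {
    _libs=$(printf '%s\n' "$2" | linked_ssl_libs)
    [ -n "$_libs" ] || return 1
    while IFS= read -r _path; do
        case $_path in "$1"/*) ;; *) return 1 ;; esac
    done <<EOF
$_libs
EOF
}

# Verdict: "ok", "stale-headers" (PHP built against another version),
# or "wrong-runtime-lib" (right headers, loader resolves another copy).
php_openssl_verdict() {   # args: php_banner cli_banner prefix ldd_output
    [ "$(ssl_version "$1")" = "$(ssl_version "$2")" ] || { echo stale-headers; return; }
    libs_under_prefix "$3" "$4" || { echo wrong-runtime-lib; return; }
    echo ok
}

# Constructed sample data (not captured from the asker's server).
CLI='OpenSSL 1.0.2l  25 May 2017'
PHP_YUM='OpenSSL 1.0.1e-fips 11 Feb 2013'
LDD_SYSTEM='  libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
  libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000400000)'
LDD_LOCAL='  libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x00007f0000000000)
  libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x00007f0000400000)'

php_openssl_verdict "$PHP_YUM" "$CLI" /usr/local/lib "$LDD_SYSTEM"   # stale-headers
php_openssl_verdict "$CLI" "$CLI" /usr/local/lib "$LDD_SYSTEM"       # wrong-runtime-lib
php_openssl_verdict "$CLI" "$CLI" /usr/local/lib "$LDD_LOCAL"        # ok
```

The `wrong-runtime-lib` case is the one a version banner alone does not reveal: the build picked up the new headers, but the loader still resolves the older system copy of the library.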
1

You must re-configure the PHP building process. Instead of using the default configuration in the software obtained by yum, you must instruct your system to use a specific version of SSL during the compilation.

If you have installed the latest version of OpenSSL, you can go to your PHP source code and configure the build before compiling PHP.

./configure --with-openssl --with-openssl-dir=/usr/local/bin 
Jaime