1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<section xml:id="openssl.installation" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink">
&reftitle.install;
<para>
To use PHP's OpenSSL support you must also compile PHP <option
role="configure">--with-openssl</option>.
</para>
<para>
The OpenSSL library also has additional requirements for normal operation at
run-time. Most notably, OpenSSL requires access to a random or pseudo-random
number generator; on most Unix and Unix-like platforms (including Linux),
this means that it must have access to a <literal>/dev/urandom</literal> or
<literal>/dev/random</literal> device.
</para>
<para>
The configure option <option role="configure">--with-system-ciphers</option>
is available which causes PHP to use the system cipher list instead of a hard-coded default.
</para>
<note>
<title>Note to Win32 Users</title>
<para>
&ext.windows.path.dll;
<filename>libeay32.dll</filename>,
or, as of OpenSSL 1.1, <filename>libcrypto-*.dll</filename>
</para>
<para>
Additionally, if you are planning to use the key generation and certificate
signing functions, you will need to install a valid
<filename>openssl.cnf</filename> file on your system.
We include a sample configuration file
in our win32 binary distributions, in the
<filename class="directory">extras/ssl</filename> directory.
</para>
<para>
PHP will search for the <filename>openssl.cnf</filename> using the
following logic:
<itemizedlist>
<listitem>
<simpara>the <literal>OPENSSL_CONF</literal> environmental variable, if
set, will be used as the path (including filename) of the configuration
file.
</simpara>
</listitem>
<listitem>
<simpara>the <literal>SSLEAY_CONF</literal> environmental variable, if
set, will be used as the path (including filename) of the configuration
file.
</simpara>
</listitem>
<listitem>
<simpara>The file <filename>openssl.cnf</filename> will be assumed to be
found in the default certificate area, as configured at the time that
the openssl DLL was compiled. This is usually means that the default
filename is <filename>C:\Program Files\Common Files\SSL\openssl.cnf</filename> (x64)
or <filename>C:\Program Files (x86)\Common Files\SSL\openssl.cnf</filename> (x86), or,
prior to PHP 7.4.0, <filename>C:\usr\local\ssl\openssl.cnf</filename>.
</simpara>
</listitem>
</itemizedlist>
</para>
<simpara>
In your installation, you need to decide whether to install the
configuration file in the default path or
whether to install it someplace else and use environmental variables
(possibly on a per-virtual-host basis) to locate the configuration file.
Note that it is possible to override the default path from the script using
the <parameter>options</parameter> of the functions that require a
configuration file.
</simpara>
<caution>
<simpara>
Ensure that non-privileged users are not allowed to modify <filename>openssl.cnf</filename>.
</simpara>
</caution>
<simpara>
As of OpenSSL 3.0.0, which is used on Windows by default as of PHP 8.2.0, several
algorithms have been deemed legacy. Such algorithms have commonly fallen out of use,
have been deemed insecure by the cryptography community, or something similar.
These algorithms are still available via the legacy provider
(<filename>extras/ssl/legacy.dll</filename>); its usage is described in the
<link xlink:href="&url.openssl.config;#Provider-Configuration">provider configuration</link>
section of the OpenSSL manual.
</simpara>
</note>
<simplesect role="changelog">
&reftitle.changelog;
<para>
<informaltable>
<tgroup cols="2">
<thead>
<row>
<entry>&Version;</entry>
<entry>&Description;</entry>
</row>
</thead>
<tbody>
<row>
<entry>7.4.0</entry>
<entry>
The <option role="configure">--with-openssl[=DIR]</option> doesn't
accept a directory argument anymore in favor of setting the pkg-config
variable <envar>PKG_CONFIG_PATH</envar> to OpenSSL location, or by
specifying the <envar>OPENSSL_LIBS</envar> and
<envar>OPENSSL_CFLAGS</envar> variables.
</entry>
</row>
<row>
<entry>7.4.0</entry>
<entry>
The OpenSSL default config path has been changed from <filename>C:\usr\local\ssl</filename>
to <filename>C:\Program Files\Common Files\SSL</filename> and
<filename>C:\Program Files (x86)\Common Files\SSL</filename>, respectively.
</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</para>
</simplesect>
</section>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
|
