flownative · kdambekalns · Feb 23, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -30,6 +30,7 @@ RUN export FLOWNATIVE_LOG_PATH_AND_FILENAME=/dev/stdout \
     && /build.sh build_extension xdebug \
     && /build.sh disable_extension xdebug \
     && /build.sh build_extension ssh2 \
+    && /build.sh configure_openssl \
     && /build.sh clean
 
 USER 1000

diff --git a/README.md b/README.md
@@ -67,6 +67,7 @@ similar mechanism in Kubernetes or your actual platform.
 
 | Variable Name                   | Type    | Default                                | Description                                                                                                                                         |
 |---------------------------------|---------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| OPENSSL_LEGACY_MODE             | boolean | false                                  | If enabled, OpenSSL will have "legacy providers" enabled, see https://github.com/php/php-src/issues/12369 for details                               |
 | PHP_BASE_PATH                   | string  | /opt/flownative/php                    | Base path for PHP (read-only)                                                                                                                       |
 | PHP_DATE_TIMEZONE               | string  | UTC                                    | Default timezone ([doc](https://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone))                                                |
 | PHP_ERROR_REPORTING             | string  | 2147483647                             | PHP error reporting log levels ([doc](https://www.php.net/manual/en/errorfunc.configuration.php#ini.error-reporting))                               |
@@ -88,7 +89,6 @@ similar mechanism in Kubernetes or your actual platform.
 | PHP_FPM_PORT                    | string  | 9000                                   | Port the PHP-FPM process listens to                                                                                                                 |
 | PHP_FPM_MAX_CHILDREN            | string  | 20                                     | Maximum number of children to run                                                                                                                   |
 | PHP_FPM_PM_MODE                 | string  | ondemand                               | Process manager mode for PHP-FPM; "static", "ondemand" or "dynamic"                                                                                 |
-|                                 |         |                                        |                                                                                                                                                     |
 
 ## Security aspects
 

diff --git a/root-files/build.sh b/root-files/build.sh
@@ -403,6 +403,7 @@ build_disable_php_extension() {
 build_adjust_permissions() {
     chown -R root:root "${PHP_BASE_PATH}"
     chmod -R g+rwX "${PHP_BASE_PATH}"
+    chmod g+w /usr/lib/ssl/extra-options.cnf
 
     chown -R 1000 \
         "${PHP_BASE_PATH}/etc" \
@@ -426,6 +427,18 @@ build_clean() {
         "${PHP_BASE_PATH}/src"
 }
 
+# ---------------------------------------------------------------------------------------
+# configure_openssl() - Add OpenSSL extra options include
+#
+# @return void
+#
+configure_openssl() {
+    cat >> /etc/ssl/openssl.cnf << EOF
+
+.include /usr/lib/ssl/extra-options.cnf
+EOF
+}
+
 # ---------------------------------------------------------------------------------------
 # Main routine
 
@@ -453,6 +466,9 @@ build_extension)
 disable_extension)
     build_disable_php_extension $2
     ;;
+configure_openssl)
+    configure_openssl
+    ;;
 clean)
     build_adjust_permissions
 

diff --git a/root-files/entrypoint.sh b/root-files/entrypoint.sh
@@ -10,13 +10,17 @@ set -o pipefail
 . "${FLOWNATIVE_LIB_PATH}/supervisor.sh"
 . "${FLOWNATIVE_LIB_PATH}/banner.sh"
 . "${FLOWNATIVE_LIB_PATH}/php-fpm.sh"
+. "${FLOWNATIVE_LIB_PATH}/openssl.sh"
 
 banner_flownative PHP
 
 eval "$(syslog_env)"
 syslog_initialize
 syslog_start
 
+eval "$(openssl_env)"
+openssl_initialize
+
 eval "$(php_fpm_env)"
 eval "$(supervisor_env)"
 

diff --git a/root-files/opt/flownative/lib/openssl.sh b/root-files/opt/flownative/lib/openssl.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# shellcheck disable=SC1090
+
+# =======================================================================================
+# LIBRARY: OpenSSL
+# =======================================================================================
+
+# Load helper lib
+
+. "${FLOWNATIVE_LIB_PATH}/log.sh"
+
+# ---------------------------------------------------------------------------------------
+# openssl_env() - Load global environment variables for configuring OpenSSL
+#
+# @global OPENSSL_* The OPENSSL_* environment variables
+# @return "export" statements which can be passed to eval()
+#
+openssl_env() {
+    cat <<"EOF"
+export OPENSSL_LEGACY_MODE="${OPENSSL_LEGACY_MODE:-false}"
+EOF
+}
+
+# ---------------------------------------------------------------------------------------
+# openssl_initialize() - Initialize OpenSSL configuration
+#
+# @global OPENSSL_* The OPENSSL_* environment variables
+# @return void
+#
+openssl_initialize() {
+    if is_boolean_yes "${OPENSSL_LEGACY_MODE}"; then
+        info "OpenSSL: Legacy providers are enabled"
+        cat >> /usr/lib/ssl/extra-options.cnf << EOF
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
+EOF
+    else
+        info "OpenSSL: Legacy providers are disabled"
+    fi
+ }
diff --git a/root-files/usr/lib/ssl/extra-options.cnf b/root-files/usr/lib/ssl/extra-options.cnf
@@ -0,0 +1 @@
+# extra options for OpenSSL can be added here