So, back to the GOST ciphers problem. This is kinda a long story.
Basically, there's tow sides of it. On one side there's a lack of
OPENSSL_config() calls in ext/openssl/openssl.c.
On the other hand, there's also a curl, which is also linked to Openssl.
In case you want any encryption, you will probably want to use both
modules, for obvious reasons. Curl (in this case - the upstream curl)
also lacks OPENSSL_config() calls, so one would think he should add
OPENSSL_config() call in every place. This isn't correct, because being
called sequentlially, this leads to openssl initialization error, so
OPENSSL_config() call should be called once, and it should be called in
the module that is loaded first. In case you are using curl AND openssl,
this definitely is curl module, because openssl initialization is done
in the upstream library. Considering this, no curl/openssl modification
is needed in PHP distribution, - you can patch curl upstream
distribution by the method described above, and use GOST ciphers. In
case you aren't using curl, you need to patch the openssl module in it's

Curl guys are aware of the problem, but they don't want to make things
even worse, so they decided to do nothing at this moment:
http://sourceforge.net/p/curl/bugs/1208/ .

So, why am I writing all of this ? Because I have next problem. I have a
patched curl, php linked with it, fresh openssl with GOST ciphers and
one of the ciphers not accessible by php: this is GOST R 34.10-2001 cipher.

Here's what  I have:

/usr/local/openssl/bin/openssl ciphers aGOST01

(so, openssl has it, according to is manual - "aGOST01 - cipher suites
using GOST R 34.10-2001 authentication.")

Curl also has it:

/usr/local/curl/bin/curl --engine gost --ciphers GOST2001-GOST89-GOST89
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure

I got a failure, but when the non-existent cipher suite is used, the
error is different:

/usr/local/curl/bin/curl --engine gost --ciphers GOST2001-GOST89-GOST666
curl: (59) failed setting cipher list

So, openssl has it, curl has it, but for some reason php doesn't.
openssl_get_md_methods() shows a couple of GOST digest but not GOST R

array(30) {
  string(3) "DSA"
  string(7) "DSA-SHA"
  string(17) "GOST 28147-89 MAC"
  string(15) "GOST R 34.11-94"
  string(3) "MD4"
  string(3) "MD5"
  string(4) "MDC2"
  string(9) "RIPEMD160"
  string(3) "SHA"
  string(4) "SHA1"
  string(6) "SHA224"
  string(6) "SHA256"
  string(6) "SHA384"
  string(6) "SHA512"
  string(13) "dsaEncryption"
  string(10) "dsaWithSHA"
  string(15) "ecdsa-with-SHA1"
  string(8) "gost-mac"
  string(3) "md4"
  string(3) "md5"
  string(9) "md_gost94"
  string(4) "mdc2"
  string(9) "ripemd160"
  string(3) "sha"
  string(4) "sha1"
  string(6) "sha224"
  string(6) "sha256"
  string(6) "sha384"
  string(6) "sha512"
  string(9) "whirlpool"

Why ? How to investigate it ?


Reply via email to