Hi.

So, back to the GOST ciphers problem. This is kind of a long story.
Basically, there are two sides to it. On one side there's a lack of
OPENSSL_config() calls in ext/openssl/openssl.c.
On the other hand, there's also curl, which is also linked to OpenSSL.
In case you want any encryption, you will probably want to use both
modules, for obvious reasons. Curl (in this case - the upstream curl)
also lacks OPENSSL_config() calls, so one would think one should add an
OPENSSL_config() call in every place. This isn't correct, because being
called sequentially, this leads to an openssl initialization error, so
OPENSSL_config() should be called once, and it should be called in
the module that is loaded first. In case you are using curl AND openssl,
this definitely is the curl module, because openssl initialization is done
in the upstream library. Considering this, no curl/openssl modification
is needed in the PHP distribution: you can patch the curl upstream
distribution by the method described above, and use GOST ciphers. In
case you aren't using curl, you need to patch the openssl module in its
code.

Curl guys are aware of the problem, but they don't want to make things
even worse, so they decided to do nothing at this moment:
http://sourceforge.net/p/curl/bugs/1208/ .

So, why am I writing all of this? Because I have the next problem. I have a
patched curl, php linked with it, fresh openssl with GOST ciphers, and
one of the ciphers is not accessible by php: this is the GOST R 34.10-2001 cipher.

Here's what I have:

/usr/local/openssl/bin/openssl ciphers aGOST01
GOST2001-GOST89-GOST89:GOST2001-NULL-GOST94

(so, openssl has it, according to its manual - "aGOST01 - cipher suites
using GOST R 34.10-2001 authentication.")

Curl also has it:

/usr/local/curl/bin/curl --engine gost --ciphers GOST2001-GOST89-GOST89
https://google.com
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure

I got a failure, but when the non-existent cipher suite is used, the
error is different:

/usr/local/curl/bin/curl --engine gost --ciphers GOST2001-GOST89-GOST666
https://google.com
curl: (59) failed setting cipher list

So, openssl has it, curl has it, but for some reason php doesn't.
openssl_get_md_methods() shows a couple of GOST digests but not GOST R
34.11-94:

array(30) {
  [0]=>
  string(3) "DSA"
  [1]=>
  string(7) "DSA-SHA"
  [2]=>
  string(17) "GOST 28147-89 MAC"
  [3]=>
  string(15) "GOST R 34.11-94"
  [4]=>
  string(3) "MD4"
  [5]=>
  string(3) "MD5"
  [6]=>
  string(4) "MDC2"
  [7]=>
  string(9) "RIPEMD160"
  [8]=>
  string(3) "SHA"
  [9]=>
  string(4) "SHA1"
  [10]=>
  string(6) "SHA224"
  [11]=>
  string(6) "SHA256"
  [12]=>
  string(6) "SHA384"
  [13]=>
  string(6) "SHA512"
  [14]=>
  string(13) "dsaEncryption"
  [15]=>
  string(10) "dsaWithSHA"
  [16]=>
  string(15) "ecdsa-with-SHA1"
  [17]=>
  string(8) "gost-mac"
  [18]=>
  string(3) "md4"
  [19]=>
  string(3) "md5"
  [20]=>
  string(9) "md_gost94"
  [21]=>
  string(4) "mdc2"
  [22]=>
  string(9) "ripemd160"
  [23]=>
  string(3) "sha"
  [24]=>
  string(4) "sha1"
  [25]=>
  string(6) "sha224"
  [26]=>
  string(6) "sha256"
  [27]=>
  string(6) "sha384"
  [28]=>
  string(6) "sha512"
  [29]=>
  string(9) "whirlpool"
}


Why? How to investigate it?
Thanks.

Eugene.
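A diagnostic script for the question raised above, added here as an example and not taken from the mail, from PHP or from curl. It reports what the PHP openssl extension itself can see (digest and cipher names, whether the GOST R 34.11-94 digest actually runs, and whether curl registered before openssl, which matters for the single OPENSSL_config() call described in the mail). It assumes an OpenSSL build with the gost engine enabled through openssl.cnf; the stream context hint at the end is an assumption about how one would exercise a TLS suite from PHP.

```php
<?php
// Added diagnostic, not part of the original mail or of PHP/curl itself.
// Narrows down "the openssl CLI and curl have it, PHP does not" by asking
// the PHP openssl extension directly instead of the command-line tools.

function gost_report(): array {
    $report = [];

    // Load order matters for the OPENSSL_config() problem: the module that
    // registers first is the one that should perform initialization.
    // get_loaded_extensions() lists modules in registration order.
    $order   = array_map('strtolower', get_loaded_extensions());
    $curlPos = array_search('curl', $order, true);
    $sslPos  = array_search('openssl', $order, true);
    $report['curl_loaded_before_openssl'] =
        $curlPos !== false && $sslPos !== false && $curlPos < $sslPos;

    // Digest and symmetric cipher names that EVP exposes to PHP (with aliases).
    $digests = array_map('strtolower', openssl_get_md_methods(true));
    $ciphers = array_map('strtolower', openssl_get_cipher_methods(true));
    $report['gost_digests'] = array_values(preg_grep('/gost/', $digests));
    $report['gost_ciphers'] = array_values(preg_grep('/gost/', $ciphers));

    // A listed name does not prove the engine is usable from this process:
    // actually run GOST R 34.11-94; openssl_digest() returns false on failure.
    $report['md_gost94_works'] = openssl_digest('probe', 'md_gost94') !== false;

    // GOST R 34.10-2001 is the signature/authentication algorithm of the
    // GOST2001-* TLS suites, not an EVP cipher, so it never appears in the
    // two lists above. From PHP it is only exercised by a TLS handshake,
    // e.g. via the "ciphers" ssl stream-context option (assumed usage):
    $report['tls_suite_hint'] =
        'stream_context_create(["ssl" => ["ciphers" => "GOST2001-GOST89-GOST89"]])';

    return $report;
}

print_r(gost_report());
```

If `md_gost94_works` is false while the CLI succeeds, the engine is not being loaded inside the PHP process, which points back at the missing OPENSSL_config() call rather than at the OpenSSL build.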
