[BlueOnyx:26602] Re: 5211r php 5.6 libssl segfault

Michael Stauber mstauber at blueonyx.it
Tue Nov 28 20:25:49 -05 2023 

Hi Darren,

> I have an ancient site that requires PHP 5.6. I migrated it from 5209r 
> to 5211r with the php 5.6 package and I am now seeing some problems. The 
> user sees a “service unavailable” error, but the message log shows:
> 
> kernel: php-fpm[1566759]: segfault at 7f289cbf30c0 ip 00007f289cbf30c0 
> sp 00007ffc4cea7578 error 15 in libssl.so.3.0.7[7f289cbf2000+a000] 
> likely on CPU 7 (core 3, socket 0)
> 
> (I tried switching to suphp which did not help – it doesn’t give the 
> user an error, it just does nothing)

Yeah, the PHP-5.6 Package for 5211R is a kludge. I rolled it up over a 
year ago to provide at least some form of fallback for ancient Vsites 
that need a PHP-5.6 until they can get sorted out.

The complications of getting it to compile on EL9 were quite a 
challenge, as PHP-5.6 is so horribly outdated that it won't compile 
against many the system libraries. EL9 comes with OpenSSL 3.0 and an 
OpenSSL 1.0.2 (in itself long past EOL) was the newest that PHP-5.6 
would even recognize.

Still: Even by giving PHP-5.6 it's own private OpenSSL-1.0.2 install, 
some parts of it *still* linked against OpenSSL-3.0.7 and that causes 
the issues you see:

[root at 5211r bin]# ldd /home/solarspeed/php-5.6/bin/php|grep ssl
         libssl.so.1.0.0 => 
/home/solarspeed/php-5.6/openssl-1.0.2u/lib/libssl.so.1.0.0 
(0x00007fb6bb0e6000)
         libcrypto.so.1.0.0 => 
/home/solarspeed/php-5.6/openssl-1.0.2u/lib/libcrypto.so.1.0.0 
(0x00007fb6bae00000)
         libssl.so.3 => /lib64/libssl.so.3 (0x00007fb6ba849000)

I could fiddle with it for several more days, tweaking compiler options 
and hacking Makefiles, but that's time I don't have and it would be for 
something that is so far past EOL that it's not really worth the hassles.

This is about as good as it gets. If your ancient PHP website needs 
OpenSSL for some functions, then keeping it on PHP-5.6 is becoming 
increasingly more problematic, as OpenSSL-1.0.2 is lacking the secure 
ciphers (and protocols) to let it communicate with modern counterparts.

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list