Compiling OpenSSL 1.1 - certs directory is empty, how to obtain?


Pete Cooper
I’m successfully compiling OpenSSL 1.1.1c from source for PHP-FPM to use in preference to the system-native OpenSSL (1.0.*).

I’m installing OpenSSL 1.1.1c to /etc/php/shared/openssl with the following configure flags (split for clarity):

./config \
--openssldir=/etc/php/shared/openssl \
--prefix=/etc/php/shared/openssl \
-fstack-protector-strong \
-Wl,-rpath,/etc/php/shared/openssl/lib \
no-ssl2 \
no-ssl3 \
no-weak-ssl-ciphers \
shared

The `config` and subsequent `make` complete without any visible issues shown. However, /etc/php/shared/openssl/certs is an empty directory.

The system-native OpenSSL uses /etc/ssl/certs for its *.pem files, and there are >250 of them in that directory.

Are there OpenSSL compile flags to explicitly build or obtain the current up-to-date *.pem files for my PHP-only OpenSSL build, or should I be looking elsewhere?

Thank you in advance, and best wishes.

Please note: my working hours may not be your working hours. Please do not feel obligated to reply outside of your normal work schedule.


RE: Compiling OpenSSL 1.1 - certs directory is empty, how to obtain?

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of Pete Cooper
> Sent: Saturday, August 24, 2019 13:10

> The `config` and subsequent `make` complete without any visible issues shown. However,
> /etc/php/shared/openssl/certs is an empty directory.

> Are there OpenSSL compile flags to explicitly build or obtain the current up-to-date
> *.pem files for my PHP-only OpenSSL build, or should be looking elsewhere?

I haven't seen a response to this on the list.

OpenSSL does not include a collection of trusted certificates. You need to get them from some other source. You may copy them from your OS distribution, for example.

Another popular source is the Mozilla certificate collection. Adam Langley wrote a Go program that converts the Mozilla collection to PEM and excludes those marked as untrusted; you can find it at:

   https://github.com/agl/extract-nss-root-certs

(And Go itself is available from https://golang.org, of course, if you don't have that installed.)

There are many opinions about what constitutes a good collection of trust anchors for various applications. Some people feel the collections provided with most OS and browser distributions are too generous, and sacrifice security for interoperability. If you're going to assemble a set of trust anchors that includes public CAs, it may be a good idea to familiarize yourself with the issues. Ivan Ristic's /Bulletproof SSL and TLS/ (available at https://feistyduck.com) has a good survey.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
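The "copy them from your OS distribution" advice above, carried through as an added example (this is not code from the thread or from the OpenSSL project). It assumes the paths from the original post (--openssldir and --prefix both /etc/php/shared/openssl), so the custom build will look for trust anchors in /etc/php/shared/openssl/certs (CApath) and /etc/php/shared/openssl/cert.pem (CAfile) unless told otherwise; `openssl version -d` prints the directory the binary was built with. Two things the thread does not spell out: a CApath only works if each certificate file is accompanied by a subject-hash link (XXXXXXXX.0), and the hash scheme changed in OpenSSL 1.0.0, so the links must be generated with the new build's own binary (`openssl rehash`, present in 1.1.x) rather than the system one. Distributions that ship a single concatenated bundle (RHEL-style ca-bundle.crt, Debian's ca-certificates.crt) have to be split into one file per certificate first; `split_bundle` below does that with awk. The environment variables, file names and the `ca-NNNN.pem` naming are this example's own choices.

```shell
#!/bin/sh
# Added example: populate the empty certs/ directory of a self-built OpenSSL
# from an existing trust store, then check that the new build finds it.
# Paths are assumptions taken from the original post's ./config flags.
set -eu

PREFIX="${PREFIX:-/etc/php/shared/openssl}"      # --prefix / --openssldir
OPENSSL="${OPENSSL:-$PREFIX/bin/openssl}"        # the *new* build's binary
CERTS_DIR="${CERTS_DIR:-$PREFIX/certs}"          # default CApath of that build

# Split a concatenated PEM bundle into one file per certificate under $2.
# Text outside BEGIN/END blocks (comments, headers) is dropped.
# Prints the number of certificates written.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%04d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Copy every *.pem from a source directory (e.g. /etc/ssl/certs on Debian,
# where the entries are symlinks, hence the cat instead of cp) into the
# custom CApath, then build the subject-hash links with the new binary.
populate_capath() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        cat "$pem" > "$dst/$(basename "$pem")"
    done
    "$OPENSSL" rehash "$dst"
}

# Sanity check: show which directory the build was configured with and
# verify a certificate against the populated CApath only (no CAfile).
check_trust_store() {
    "$OPENSSL" version -d
    "$OPENSSL" verify -CApath "$CERTS_DIR" -no-CAfile "$1"
}

# Usage (guarded so the functions can be sourced without side effects):
#   sh populate-certs.sh populate /etc/ssl/certs
#   sh populate-certs.sh populate-bundle /etc/pki/tls/certs/ca-bundle.crt
#   sh populate-certs.sh check /path/to/some-leaf-or-ca.pem
case "${1:-}" in
    populate)        populate_capath "$2" "$CERTS_DIR" ;;
    populate-bundle) tmp=$(mktemp -d)
                     split_bundle "$2" "$tmp" >/dev/null
                     populate_capath "$tmp" "$CERTS_DIR"
                     rm -rf "$tmp" ;;
    check)           check_trust_store "$2" ;;
    *)               ;;
esac
```

If PHP should keep using the system store instead, the openssl.cafile and openssl.capath settings in php.ini override the compiled-in defaults at runtime, which avoids maintaining a second copy that nothing updates when the distribution's ca-certificates package changes.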

Re: Compiling OpenSSL 1.1 - certs directory is empty, how to obtain?

OpenSSL - User mailing list
Another great source is https://github.com/nabla-c0d3/trust_stores_observatory

One-stop shopping for all of apple, Android, Windows, NSS, OpenJDK, Oracle Java.