Closed as duplicate of#14201
Description
Building PHP from source on Fedora, we're seeing test failures due to cryptographic function policies.
The crypto policies in Fedora have been by default getting stricter.
See:
- https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
- https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3
- https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
The php-src test suite has several additional new failures when upgrading from building on Fedora 40 to Fedora 41:
$ diff default.out legacy.out
12,22d11
< openssl_x509_verify() tests [ext/openssl/tests/openssl_x509_verify.phpt]
< Capture SSL session meta array in stream context [ext/openssl/tests/session_meta_capture.phpt]
< Basic bitwise stream crypto context flag assignment [ext/openssl/tests/stream_crypto_flags_001.phpt]
< TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment [ext/openssl/tests/stream_crypto_flags_002.phpt]
< Server bitwise stream crypto flag assignment [ext/openssl/tests/stream_crypto_flags_003.phpt]
< Specific protocol method specification [ext/openssl/tests/stream_crypto_flags_004.phpt]
< tls stream wrapper with min version 1.0 and max version 1.1 [ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt]
< tls stream wrapper [ext/openssl/tests/tls_wrapper.phpt]
< tls stream wrapper when TLS 1.3 available [ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt]
< tlsv1.0 stream wrapper [ext/openssl/tests/tlsv1.0_wrapper.phpt]
< tlsv1.1 stream wrapper [ext/openssl/tests/tlsv1.1_wrapper.phpt]
25,29d13
< Phar::setSupportedSignatures() with hash [ext/phar/tests/phar_setsignaturealgo2.phpt]
< Phar::setSupportedSignatures() with hash, tar-based [ext/phar/tests/tar/phar_setsignaturealgo2.phpt]
< Phar: tar archive, require_hash=1, OpenSSL hash [ext/phar/tests/tar/tar_openssl_hash.phpt]
< Phar: verify signature parsing works [ext/phar/tests/test_signaturealgos.phpt]
< Phar::setSupportedSignatures() with hash, zip-based [ext/phar/tests/zip/phar_setsignaturealgo2.phpt]
These tests all pass if I switch to the LEGACY policy with update-crypto-policies. Otherwise there was no significant difference in the build or testing process.
There are most likely lots of legacy applications that require these functions, so dropping support entirely for insecure algorithms is probably not possible.
Maybe it is possible to test directly if those algorithms are supported, and guard on that in the remaining tests that rely on it?
PHP Version
8.4.2
Operating System
Fedora
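One way to implement the guard suggested in the report, as an added example that is not php-src code: probe at runtime whether the system's OpenSSL policy still allows a SHA-1 RSA signature to be created and verified, and let tests that depend on it skip instead of fail. The helper name and the `.inc` file path in the usage comment are assumptions.

```php
<?php
// Added example (not php-src code): detect whether the active OpenSSL
// crypto policy (e.g. Fedora's DEFAULT policy, which distrusts SHA-1
// signatures) still permits SHA-1 signature creation and verification.

/**
 * Returns true when a SHA-1 RSA signature can be both created and verified
 * under the running OpenSSL configuration, false otherwise.
 */
function sha1_signatures_allowed(): bool
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        return false;
    }
    $pub  = openssl_pkey_get_details($key)['key'];
    $data = 'crypto-policy probe';   // constructed sample input
    $sig  = '';

    // Signing with SHA-1 fails outright under a policy that distrusts it.
    $ok = @openssl_sign($data, $sig, $key, OPENSSL_ALGO_SHA1)
        // Verification is policed separately, so check it as well.
        && @openssl_verify($data, $sig, $pub, OPENSSL_ALGO_SHA1) === 1;

    // Drain OpenSSL's error queue so a failed probe leaves no stale errors
    // behind for the test that runs afterwards.
    while (openssl_error_string() !== false) {
    }
    return $ok;
}

// Usage in a .phpt SKIPIF section (helper file name is an assumption):
//   require __DIR__ . '/sha1_probe.inc';
//   if (!sha1_signatures_allowed()) {
//       die('skip SHA-1 signatures disabled by system crypto policy');
//   }
```

Under the LEGACY policy the function returns true; under Fedora 41's DEFAULT policy it returns false, which is the condition the affected openssl_x509_verify and Phar signature tests would skip on.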