Bug 229368 - archivers/php71-phar: missing dependency security/php71-openssl
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Torsten Zuehlsdorff
Reported: 2018-06-27 16:10 UTC by ports.maintainer
Modified: 2018-11-10 18:57 UTC

See Also:
bugzilla: maintainer-feedback? (tz)


Attachments
Add openssl to USE_PHP when building phar extension (660 bytes, patch)
2018-06-27 16:10 UTC, ports.maintainer

Description ports.maintainer 2018-06-27 16:10:35 UTC
Created attachment 194679
Add openssl to USE_PHP when building phar extension

Phar requires the openssl extension to work.
Comment 1 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2018-06-28 08:04:02 UTC
I'm sorry, but this is not correct. Phar has no dependency on openssl. Can you please explain why you think it has?

Most times the used phar application has a dependency on openssl, but it could also have a dependency on any other PHP module.
Comment 2 ports.maintainer 2018-06-28 13:33:24 UTC
The Requirements section of the Phar documentation ( http://php.net/manual/en/phar.requirements.php ) says it requires it:

"In addition, to take advantage of OpenSSL signing, the OpenSSL extension must be enabled."

Ports does not build lang/php71 with native OpenSSL support, so the module is required.

Background:

When I was testing the mail/postfixadmin 3.2 update, I got this error:

2018/06/27 08:05:52 [error] 69399#101392: *6 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught PharException: phar "/usr/local/www/postfixadmin/lib/random_compat.phar" openssl signature could not be verified: openssl not loaded in /usr/local/www/postfixadmin/lib/random_compat.phar:8
Stack trace:
#0 /usr/local/www/postfixadmin/lib/random_compat.phar(8): Phar::webPhar(NULL, 'index.php')
#1 /usr/local/www/postfixadmin/common.php(72): require_once('/usr/local/www/...')
#2 /usr/local/www/postfixadmin/public/common.php(2): require_once('/usr/local/www/...')
#3 /usr/local/www/postfixadmin/public/login.php(30): require_once('/usr/local/www/...')
#4 {main}
  thrown in /usr/local/www/postfixadmin/lib/random_compat.phar on line 8" while reading response header from upstream, client: fe80::7102:4df8:1f13:5c55, server: catnip.pilgrimaccounting.com, request: "GET /pfa/login.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "catnip.pilgrimaccounting.com"

Line 8 of random_compat.phar is a Phar::webPhar() call.

The poudriere logs for my local repo (which uses DEFAULT_VERSIONS+= ssl=openssl) show the following:

For lang/php71:

--CONFIGURE_ARGS--
--with-layout=GNU  --with-config-file-scan-dir=/usr/local/etc/php  --disable-all  --enable-libxml  --enable-mysqlnd  --with-libxml-dir=/usr/local  --with-pcre-regex=/usr/local  --program-prefix="" --enable-fpm  --with-fpm-user=www  --with-fpm-group=www --enable-embed --enable-dtrace --prefix=/usr/local ${_LATE_CONFIGURE_ARGS}
--End CONFIGURE_ARGS--

Yielding "checking for OpenSSL support... no" in the configure phase.

This results in the configure phase of archivers/php71-phar showing:

checking for phar openssl support... no

Which appears to result in PHAR_HAVE_OPENSSL being undefined, thereby including the code in phar/util.c circa line 1500, which checks if the openssl module is registered and returns the "openssl not loaded" error if it isn't.

There isn't a knob to build lang/php71 with native OpenSSL support, so archivers/php71-phar needs security/php71-openssl.

I fully admit I could be mistaken (the PHP ports framework is daunting from the lay perspective, to say the least), but I do know that installing the openssl extension solved the error I was getting and everything I can see points at USE_PHP+= openssl for php71-openssl being the fix.
Comment 3 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2018-06-28 13:40:54 UTC
(In reply to Melissa Pilgrim from comment #2)

The documentation you quote clearly states that openssl is optional. There is no dependency.

As you describe your problem, the requirement of openssl is not given by Phar, but by postfixadmin.

In the Makefile of mail/postfixadmin there is this line:
USE_PHP=	mbstring pcre session spl xmlrpc

Try to change it to this:
USE_PHP=	mbstring openssl pcre phar session spl xmlrpc

This should fix your issue as far as I understand it. But it is a little bit strange where it pulls in the support for phar itself, since it is not defined. To be more explicit I added it also.

Can you please check if this helps?

Greetings,
Torsten
Comment 4 ports.maintainer 2018-06-28 15:50:31 UTC
Saying it's postfixadmin's bailiwick to ensure third-party dependencies are met for an opaque process doesn't seem like upholding POLA.

Phar can operate without OpenSSL only for unsigned or hashed phars.  Key-signed distributions are best practice now and phar provides no option to disable signature verification, so OpenSSL is effectively mandatory in the best practice use case.

Can we compromise at a config knob for archivers/php*-phar that lets someone drop the openssl dependency if they don't want it?
Comment 5 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2018-06-28 15:59:58 UTC
(In reply to Melissa Pilgrim from comment #4)

> Can we compromise at a config knob for archivers/php*-phar that 
> lets someone drop the openssl dependency if they don't want it?

This also would be a POLA. We have multiple PHAR based ports in the tree, which do not need openssl. With this change we will pull them in without any reason.

A better compromise would be a knob to *add* the dependency, since it's clearly optional.
Also we could try to convert this knob to be a flavor, so you can depend on archivers/php*-phar-openssl. This way no manual compilation is needed.

What do you think about this idea?
Comment 6 ports.maintainer 2018-06-28 16:31:51 UTC
I like the flavour idea if it was clearly documented that using phar-openssl instead of phar is how to fix the "openssl is not loaded" error.
Comment 7 ports.maintainer 2018-09-17 10:49:43 UTC
Can be closed unresolved.
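
The distinction drawn in comments 2 through 5, that only an OpenSSL-signed phar needs the openssl extension while unsigned and hash-signed phars load without it, can be read from the archive's trailer. The following Python is an added example, not part of the bug thread or the ports tree; the name inspect_phar and the sample byte strings are constructed here, and it assumes the native phar file format (not tar- or zip-based phars).

```python
import hashlib
import struct

MAGIC = b"GBMB"  # magic that ends a signed archive in the native phar format
# Signature flags from the phar file format: flag -> (name, hashlib algorithm)
SIG_TYPES = {
    0x0001: ("MD5", "md5"),
    0x0002: ("SHA1", "sha1"),
    0x0003: ("SHA256", "sha256"),
    0x0004: ("SHA512", "sha512"),
    0x0010: ("OPENSSL", None),  # key-based, no plain digest to recompute
}


def inspect_phar(data: bytes) -> dict:
    """Classify a phar's signature; say whether loading it needs ext/openssl."""
    result = {"type": "UNSIGNED", "needs_openssl": False, "hash_ok": None}
    if len(data) < 8 or data[-4:] != MAGIC:
        return result
    (flags,) = struct.unpack("<I", data[-8:-4])  # little-endian flags word
    name, algo = SIG_TYPES.get(flags, ("UNKNOWN", None))
    result["type"] = name
    if name == "OPENSSL":
        # Per the thread, phar has no option to skip verification, so PHP
        # needs the openssl extension (or phar built with OpenSSL support).
        result["needs_openssl"] = True
    elif algo is not None:
        # Hash signatures cover every byte that precedes the stored digest.
        size = hashlib.new(algo).digest_size
        body, stored = data[: -8 - size], data[-8 - size : -8]
        result["hash_ok"] = hashlib.new(algo, body).digest() == stored
    return result


# Constructed byte strings shaped like phar trailers; not real archives.
BODY = b"<?php __HALT_COMPILER(); ?>\r\nconstructed manifest and file data"
SAMPLE_SHA1 = BODY + hashlib.sha1(BODY).digest() + struct.pack("<I", 0x0002) + MAGIC
SAMPLE_OPENSSL = (BODY + b"\x00" * 128 + struct.pack("<I", 128)
                  + struct.pack("<I", 0x0010) + MAGIC)

if __name__ == "__main__":
    for label, blob in (("sha1", SAMPLE_SHA1), ("openssl", SAMPLE_OPENSSL)):
        print(label, inspect_phar(blob))
```

A port that bundles a phar reporting OPENSSL is the case where openssl belongs in its USE_PHP line next to phar, as suggested in comment 3.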