PHP 8.4: OpenSSL: Minimum required OpenSSL version increased to 1.1.1

Version: 8.4
Type: Change

The PHP OpenSSL extension provides encryption, authentication, key exchange, password hashing, and generic hashing functionality to PHP. The OpenSSL extension uses the OpenSSL library to provide this functionality.

On PHP 8.4 and later, the minimum OpenSSL version required to build the OpenSSL extension is increased from 1.0.1 to 1.1.1. The extension continues to be compatible with OpenSSL 3.x as well.

Note that OpenSSL 1.1.1 (released 2018 September) has reached its End-Of-Life too. It is recommended to use a recent version, or to rely on a software source that backports security patches to older versions (such as Ubuntu LTS or RHEL/Rocky/EL). The major new feature in OpenSSL 1.1 is support for TLS 1.3. With this change, the PHP OpenSSL extension can safely assume that TLS 1.3 support will be available on the client-side.

The consideration for this version bump is that several Linux operating systems are reaching their End-Of-Life dates by the time PHP 8.4 is released, and their next versions provide OpenSSL 1.1.1 or later in their default software repositories.

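| Distro name     | OpenSSL Version | EOL Date        |
|-----------------|-----------------|-----------------|
| Debian buster   | 1.1.1n          | 2024 June       |
| Ubuntu 20.04    | 1.1.1f          | 2025 April      |
| RHEL/CentOS 7   | 1.0.2           | 2024 June       |
| RHEL/Rocky/EL 8 | 1.1.2           | 2024 June       |
| Fedora 38       | 3.0.9           | rolling release |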

Most of the operating systems already provide OpenSSL 1.1.1 or later. As shown in the table above, only RHEL/CentOS 7 is affected. Even on RHEL/CentOS 7, it is possible to compile PHP by compiling the extension with a newer openssl-devel package version.

Build Changes

On PHP 8.3 and older versions, the OpenSSL extension had a compilation flag named --with-kerberos to bring support for Kerberos ciphersuites in TLS.

Support for Kerberos ciphersuites was removed in OpenSSL 1.1.0, and the PHP OpenSSL extension no longer supports building the extension with Kerberos support.

PHP 8.4 removes this flag, and passing it to the ./configure script now shows a warning at the end to indicate that it is not a supported flag.
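A pre-build check covering the 1.1.1 minimum and the removed --with-kerberos flag, added here as an illustration and not taken from the PHP project. The function names and the sample configure arguments are assumptions; the sample versions are the ones listed in the table above.

```shell
#!/bin/sh
# Print "MAJOR MINOR FIX" for strings such as "1.1.1n", "1.0.2k-fips", "3.0.9".
parse_openssl_version() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop letter release / suffix
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Exit 0 when the given version is 1.1.1 or later (the PHP 8.4 minimum).
meets_php84_minimum() {
    set -- $(parse_openssl_version "$1")
    [ "$1" -gt 1 ] && return 0
    [ "$1" -lt 1 ] && return 1
    [ "$2" -gt 1 ] && return 0
    [ "$2" -lt 1 ] && return 1
    [ "$3" -ge 1 ]
}

# Exit 0 when the configure arguments still carry the removed Kerberos flag.
has_kerberos_flag() {
    for arg in "$@"; do
        case $arg in
            --with-kerberos|--with-kerberos=*) return 0 ;;
        esac
    done
    return 1
}

# Version of the OpenSSL development files seen by pkg-config; falls back to
# the openssl CLI, which may differ from the headers PHP is compiled against.
detect_openssl_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists openssl; then
        pkg-config --modversion openssl
    elif command -v openssl >/dev/null 2>&1; then
        openssl version | awk '$1 == "OpenSSL" { print $2 }'
    fi
}

for sample in 1.1.1n 1.1.1f 1.0.2 3.0.9; do     # versions from the table
    if meets_php84_minimum "$sample"; then echo "$sample: ok for PHP 8.4"
    else echo "$sample: too old for PHP 8.4"; fi
done
host=$(detect_openssl_version)
if [ -n "$host" ] && ! meets_php84_minimum "$host"; then
    echo "this host: OpenSSL $host is below 1.1.1"
fi
if has_kerberos_flag --with-openssl --with-kerberos; then   # constructed args
    echo "drop --with-kerberos: PHP 8.4 no longer supports it"
fi
```

Meeting the build minimum says nothing about patch status: OpenSSL 1.1.1 is itself End-Of-Life, so a passing result on an unmaintained 1.1.1 build still calls for an upgrade or a distribution that backports fixes.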

Backward Compatibility Impact

This change bumps the minimum supported OpenSSL library version for the PHP OpenSSL extension to 1.1.1.

Except on the RHEL/CentOS 7 series, the operating system likely provides OpenSSL 1.1.1 or later, and thus there will be no impact from this change. RHEL/CentOS 7 is End-Of-Life at the time PHP 8.4 is released.

Note that on Fedora 36 and later, the openssl-devel package provides the OpenSSL 3.x series. The openssl11 package provided OpenSSL 1.1.1 for compatibility with older applications that do not support OpenSSL 3.x APIs. The openssl11 package is dropped on Fedora 40, and it is no longer available in the default software repositories. PHP fully supports building the OpenSSL extension with OpenSSL 3.x, and the openssl11 package is not necessary in the first place.


Implementation