FTBFS against OpenSSL 4.0.0

[fazalmajid]

Description

OpenSSL 4.0.0 removed a number of deprecated APIs and made ASN1_STRING an opaque type. This causes PHP to fail to build from source, see ftbfs.txt for the output/

FWIW, here is a patch generated by Claude that fixes:

1. php_openssl.h — adds #ifndef ERR_NUM_ERRORS / #define ERR_NUM_ERRORS 16 /
   #endif after #include <openssl/err.h>. This constant was removed from OpenSSL
   4.0's err.h and is used in the struct definition plus 3 places in openssl.c.
2. openssl_backend_common.c — replaces three direct ->data/->length member
   accesses on ASN1_STRING (now an opaque typedef) with the public accessors
   ASN1_STRING_get0_data() and ASN1_STRING_length().
3. xp_ssl.c — same treatment for the GEN_IPADD block: introduces
   ip_data/ip_len locals via the accessors, used in the IPv4 snprintf, IPv6
   length check, and EXPAND_IPV6_ADDRESS macro.

It is failing several TLS-related test, not sure how much of this is removed APIs (the gettext tests are expected, I disable gettext with gettext-tiny on this system):

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
CURLOPT_SSL* basic client auth tests [ext/curl/tests/curl_setopt_ssl.phpt]
Bug #53251 (bindtextdomain with null dir doesn't return old value) [ext/gettext/tests/bug53251.phpt]
#66265: gettext doesn't switch locales within the same script [ext/gettext/tests/bug66267.phpt]
Gettext basic test with en_US locale that should be on nearly every system [ext/gettext/tests/gettext_basic-enus.phpt]
Gettext basic test [ext/gettext/tests/gettext_basic.phpt]
Test if bindtextdomain() returns string id if no directory path is set(if directory path is 'null') [ext/gettext/tests/gettext_bindtextdomain-cwd.phpt]
Test dcgettext() functionality [ext/gettext/tests/gettext_dcgettext.phpt]
Test dgettext() functionality [ext/gettext/tests/gettext_dgettext.phpt]
Test if dngettext() returns the correct translations (optionally plural). [ext/gettext/tests/gettext_dngettext-plural.phpt]
Test ngettext() functionality [ext/gettext/tests/gettext_ngettext.phpt]
Check if textdomain() returns the new domain [ext/gettext/tests/gettext_textdomain-retval.phpt]
Bug #28382 (openssl_x509_parse extensions support) [ext/openssl/tests/bug28382.phpt]
Bug #74796: TLS encryption fails behind HTTP proxy [ext/openssl/tests/bug74796.phpt]
openssl_*() with OPENSSL_KEYTYPE_EC for ec custom params [ext/openssl/tests/ecc_custom_params.phpt]
openssl_x509_parse() tests [ext/openssl/tests/openssl_x509_parse_basic_openssl32.phpt]
sni_server [ext/openssl/tests/sni_server.phpt]
sni_server with separate pk and cert [ext/openssl/tests/sni_server_key_cert.phpt]
tls stream wrapper with min version 1.0 and max version 1.1 [ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt]
tls stream wrapper [ext/openssl/tests/tls_wrapper.phpt]
tls stream wrapper when TLS 1.3 available [ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt]
tlsv1.0 stream wrapper [ext/openssl/tests/tlsv1.0_wrapper.phpt]
tlsv1.1 stream wrapper [ext/openssl/tests/tlsv1.1_wrapper.phpt]
tlsv1.2 stream wrapper [ext/openssl/tests/tlsv1.2_wrapper.phpt]
Killing server should terminate all worker processes [sapi/cli/tests/php_cli_server_pdeathsig.phpt]
=====================================================================

=====================================================================
WARNED TEST SUMMARY
---------------------------------------------------------------------
Test multiple watch elements pointing to the same watchpoint [sapi/phpdbg/tests/watch_006.phpt] (warn: XFAIL section but test passes)
=====================================================================

php-openssl4.txt

ftbfs.txt

PHP Version

PHP 8.5.5 (cli) (built: Apr 14 2026 22:42:02) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.5.5, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.5, Copyright (c), by Zend Technologies

Operating System

Alpine Linux 3.23.3

[SakiTakamachi]

Hi!

For PHP 8.4 and later, the supported OpenSSL versions are 1.1.1 or newer, but still below 4.0. In other words, OpenSSL 4.0.0 is not supported yet.

https://www.php.net/manual/en/openssl.requirements.php

[SakiTakamachi]

Until support is implemented, it would be a good idea to add an upper bound on the OpenSSL version in the build-time checks.

I will probably make that change in the next few days.

[MrSuddenJoy]

In general openSSL has recently made some highly controversial moves I (as well as bunch of others) am not very comfortable with. This seems to be one of this kind of moves.

[TimWolla]

If the final patch is indeed as simple as the proof-of-concept patch provided in the issue, I think it would be good idea to treat this as a bug and to at least fix PHP 8.5 instead of waiting for PHP 8.6 to be released to unblock “rolling release” distros.