OpenSSL not working on Windows, errors 0x02001003 0x2006D080 0x0E064002

Question

Problem: OpenSSL is not working in my Windows environment. OpenSSL repeatedly reports errors 0x02001003, 0x2006D080 and 0x0E064002.

Environment:

Windows NT x 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586
Apache/2.4.4 (Win32)
PHP/5.4.13 x86
PHP Directory: E:\wamp\php\
Virtual Host Directory: E:\Projects\1\public_html

What I've Attempted:

• Installation Instructions http://www.php.net/manual/en/openssl.installation.php
• PHP.ini extension=php_openssl.dll
• Openssl.cnf E:\wamp\php\extras\openssl.cnf
• %PATH% E:\wamp\php
• Rebooted
• phpinfo:
  ----OpenSSL support enabled
  ----OpenSSL Library Version OpenSSL 1.0.1e 11 Feb 2013
  ----OpenSSL Header Version OpenSSL 0.9.8y 5 Feb 2013
• With and without specifying config in configargs
• With and without specifying <Directory E:\wamp\php\extras> in apache config
• Copied openssl.cnf to virtualhost public_html, pointed to that and still get same errors
• Nothing logged in error_log
• Researched: I've spent the last 2 days researching this, surprised there isn't more info on it so I'm posting here. Seems to be problem with OpenSSL config or apache/php not reading config properly.

Code:

$privateKey = openssl_pkey_new();
while($message = openssl_error_string()){
    echo $message.'<br />'.PHP_EOL;
}

Results:

error:02001003:system library:fopen:No such process
error:2006D080:BIO routines:BIO_new_file:no such file
error:0E064002:configuration file routines:CONF_load:system lib
error:02001003:system library:fopen:No such process
error:2006D080:BIO routines:BIO_new_file:no such file
error:0E064002:configuration file routines:CONF_load:system lib

OpenSSL Manually:

E:\wamp\apache\bin>openssl.exe pkey
WARNING: can't open config file: c:/openssl-1.0.1e/ssl/openssl.cnf

E:\wamp\apache\bin>set OPENSSL_CONF="E:\wamp\php\extras\openssl.cnf"

E:\wamp\apache\bin>openssl.exe pkey
3484:error:0200107B:system library:fopen:Unknown error:.\crypto\bio\bss_file.c:169:fopen('"E:\wamp\php\extras\openssl.cnf"','rb')
3484:error:2006D002:BIO routines:BIO_new_file:system lib:.\crypto\bio\bss_file.c:174:
3484:error:0E078002:configuration file routines:DEF_LOAD:system lib:.\crypto\conf\conf_def.c:199:

EDIT:

1. Thanks to @Gordon I can now see open_ssl errors using openssl_error_string
2. Completely uninstall EasyPHP. Manually installed stable versions of PHP/Apache. Same results! Definitely something I'm doing wrong with implementing openssl on windows.
3. OpenSSL Manually section... additional error info

FINAL THOUGHTS:
I set up a linux box and I'm getting the same errors. After some playing around I see that even though it's throwing errors at the openssl_pkey_new it does eventually create my test p12 file. Long story short, the errors are misleading and it has to deal more with how you are using openssl functions not so much server-side configuration.

Final code:

// Create the keypair
$res=openssl_pkey_new();

// Get private key
openssl_pkey_export($res, $privkey);

// Get public key
$pubkey=openssl_pkey_get_details($res);
$pubkey=$pubkey["key"];

// Actual file
$Private_Key = null;
$Unsigned_Cert = openssl_csr_new($Info,$Private_Key,$Configs);
$Signed_Cert = openssl_csr_sign($Unsigned_Cert,null,$Private_Key,365,$Configs);
openssl_pkcs12_export_to_file($Signed_Cert,"test.p12",$Private_Key,"123456");

Close away.

A year later...

So I found myself doing this again a year later, and regardless of whatever PATH variables I set on the computer or during the script execution, it kept erroring about file not found. I was able to resolve it by passing in the config parameter in the config_args array in openssl_pkey_new. Here is a function that tests the ability to successfully use OpenSSL:

    /**
     * Tests the ability to 1) create pub/priv key pair 2) extract pub/priv keys 3) encrypt plaintext using keys 4) decrypt using keys
     * 
     * @return boolean|string False if fails, string if success
     */
    function testOpenSSL($opensslConfigPath = NULL)
    {
        if ($opensslConfigPath == NULL)
        {
            $opensslConfigPath = "E:/Services/Apache/httpd-2.4.9-win32-VC11/conf/openssl.cnf";
        }
        $config = array(
            "config" => $opensslConfigPath,
            "digest_alg" => "sha512",
            "private_key_bits" => 4096,
            "private_key_type" => OPENSSL_KEYTYPE_RSA,
        );

        $res = openssl_pkey_new($config); // <-- CONFIG ARRAY
        if (empty($res)) {return false;}

        // Extract the private key from $res to $privKey
        openssl_pkey_export($res, $privKey, NULL, $config); // <-- CONFIG ARRAY

        // Extract the public key from $res to $pubKey
        $pubKey = openssl_pkey_get_details($res);
        if ($pubKey === FALSE){return false;}

        $pubKey = $pubKey["key"];

        $data = 'plaintext data goes here';

        // Encrypt the data to $encrypted using the public key
        $res = openssl_public_encrypt($data, $encrypted, $pubKey);
        if ($res === FALSE){return false;}

        // Decrypt the data using the private key and store the results in $decrypted
        $res = openssl_private_decrypt($encrypted, $decrypted, $privKey);
        if ($res === FALSE){return false;}

        return $decrypted;
    }

    // Example usage:
    $res = testOpenSSL();
    if ($res === FALSE)
    {
        echo "<span style='background-color: red;'>Fail</span>";
    } else {
        echo "<span style='background-color: green;'>Pass: ".$res."</span>";
    }

Answer 1

The code below works as expected. BUT if you run openssl_error_string() after the openssl methods it shows error:0E06D06C:configuration file routines:NCONF_get_string:no value which is some notice I have not been able to find documentation on.

Further note that according to http://www.php.net/manual/en/function.openssl-error-string.php you could be seeing mis-leading errors as error messages are queued:

Be careful when using this function to check errors, as it seems to read from a buffer of > errors, which could include errors from another script or process that was using openssl > functions. (I was surprised to find it returing error messages before I had called any > openssl_* functions)

<?php
/* Create the private and public key */
$res = openssl_pkey_new();
openssl_error_string(); // May throw error even though its working fine!

/* Extract the private key from $res to $privKey */
openssl_pkey_export($res, $privKey);
openssl_error_string(); // May throw error even though its working fine!

/* Extract the public key from $res to $pubKey */
$pubKey = openssl_pkey_get_details($res);
$pubKey = $pubKey["key"];

$data = 'i.amniels.com is a great website!';

/* Encrypt the data using the public key
 * The encrypted data is stored in $encrypted */
openssl_public_encrypt($data, $encrypted, $pubKey);

/* Decrypt the data using the private key and store the
 * result in $decrypted. */
openssl_private_decrypt($encrypted, $decrypted, $privKey);

echo $decrypted;
?>

Answer 2

I had a similar problem, for me it helped to set the environment variable 'OPENSSL_CONF' manually at the beginning of my script.

Somehow the environment variable wasn't set correctly, or didn't get through to my php (Setup: AMPPS, Win7 64Bit).

The example location used below is the path that you'd have to use with a standard AMPPS installation, so if you are using AMPPS, just copy&paste :

putenv("OPENSSL_CONF=C:\Program Files (x86)\Ampps\php\extras\openssl.cnf");

Answer 3

a few things here :

%PATH% should also contain windows and system32 so your %PATH% should look like c:\windows;c:\windows\system32;E:\wamp\php and in e:\wamp\php should be the openssl dll file

also try the openssl version matching the header version 0.9.8y 5 Feb 2013 download here for 32bit and here for 64bit

this code seems to work for me:

// Create the keypair
$res=openssl_pkey_new();

// Get private key
openssl_pkey_export($res, $privkey);

// Get public key
$pubkey=openssl_pkey_get_details($res);
$pubkey=$pubkey["key"];
$Info = array(
    "countryName" => "UK",
    "stateOrProvinceName" => "Somerset",
    "localityName" => "Glastonbury",
    "organizationName" => "The Brain Room Limited",
    "organizationalUnitName" => "PHP Documentation Team",
    "commonName" => "Wez Furlong",
    "emailAddress" => "wez@example.com"
);

// Actual file
$Private_Key = null;
$Unsigned_Cert = openssl_csr_new($Info,$Private_Key);
$Signed_Cert = openssl_csr_sign($Unsigned_Cert,null,$Private_Key,365);
openssl_pkcs12_export_to_file($Signed_Cert,"test.p12",$Private_Key,"123456");

Answer 4

If you're using Apache 2.4 + mod_fcgid, you can specify OpenSSL conf file by adding FcgidInitialEnv in httpd.conf file:

# OPENSSL CONF
FcgidInitialEnv OPENSSL_CONF "D:/apps/php70/extras/ssl/openssl.cnf"

I'm not using preconfigured package such as WAMP, I've got Apache from Apache Lounge and PHP from windows.php.net and configured by myself.

Answer 5

Have you installed OpenSSL via this method ? Installing OpenSSL on Windows

1. Go to http://gnuwin32.sourceforge.net/packages/openssl.htm, and download the "Setup" version of "Binaries", openssl-0.9.7c-bin.exe.

2. Double click on openssl-0.9.7c-bin.exe to install OpenSSL to \local\gnuwin32 directory.

3. Go back to the same page, download the "Setup" version of "Documentation", and install it to the same directory.

4. Open command line window, and try the following command: Code:

    \local\gnuwin32\bin\openssl -help
    openssl:Error: '-help' is an invalid command.

    Standard commands
    asn1parse      ca             ciphers        crl            crl2pkcs7
    dgst           dh             dhparam        dsa            dsaparam
    enc            engine         errstr         gendh          gendsa
    genrsa         nseq           ocsp           passwd         pkcs12
    pkcs7          pkcs8          rand           req            rsa
    rsautl         s_client       s_server       s_time         sess_id
    smime          speed          spkac          verify         version
    x509
    ......

If you see the list of commands printed by OpenSSL, you know that your installation is done correctly.

Answer 6

Clean solution:

1. Download archive (doesn't matter which) for PHP Windows binaries from here: http://windows.php.net/download
2. Inside you find file /extras/ssl/openssl.cnf
3. Extract openssl.cnf somewhere (e. g. "C:/WEB/PHP/extras/ssl/openssl.cnf")
4. Add global system variable OPENSSL_CONF with your used path (e. g. "C:\WEB\PHP\extras\openssl.cnf" (without the double quotes)).

You must add the path to the OPENSSL_CONF system variable. Adding it to the Path system variable is not sufficient! Under Windows 7 you find the settings dialog under: "Control Panel > System and Security > System > Advanced system settings (left menu) > Advanced (Tab) > Environment Variables...". Add the Variable OPENSSL_CONF there.

It is not required to prepare the openssl.cnf file before usage - it will work out of the box. But you can, if you want to fine tune settings.

Answer 7

In my case copying the files to c:\windows\system32 helped me out

libeay32.dll, ssleay32.dll

One can find them in OpenSSL_INSTALL_PATH\bin.

Answer 8

Might I suggest using Virtual Box, create a VM and install the LAMP stack. This will give you a "more real" environment. As well as troubleshooting OpenSSL is easier on Linux.

With that said, I believe your problem is you can't find the plugin file itself. Make sure it lives in the right path and exists on your machine and the process Apache runs under has permissions to read it.