OpenSSL not working on Windows, errors 0x02001003 0x2006D080 0x0E064002

Brock Hensley picture Brock Hensley · Mar 21, 2013 · Viewed 35.5k times · Source

Problem: OpenSSL is not working in my Windows environment. OpenSSL repeatedly reports errors 0x02001003, 0x2006D080 and 0x0E064002.

Environment:

Windows NT x 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586
Apache/2.4.4 (Win32)
PHP/5.4.13 x86
PHP Directory: E:\wamp\php\
Virtual Host Directory: E:\Projects\1\public_html

What I've Attempted:

  • Installation Instructions http://www.php.net/manual/en/openssl.installation.php
  • PHP.ini extension=php_openssl.dll
  • Openssl.cnf E:\wamp\php\extras\openssl.cnf
  • %PATH% E:\wamp\php
  • Rebooted
  • phpinfo:
    ----OpenSSL support enabled
    ----OpenSSL Library Version OpenSSL 1.0.1e 11 Feb 2013
    ----OpenSSL Header Version OpenSSL 0.9.8y 5 Feb 2013
  • With and without specifying config in configargs
  • With and without specifying <Directory E:\wamp\php\extras> in apache config
  • Copied openssl.cnf to virtualhost public_html, pointed to that and still get same errors
  • Nothing logged in error_log
  • Researched: I've spent the last 2 days researching this, surprised there isn't more info on it so I'm posting here. Seems to be problem with OpenSSL config or apache/php not reading config properly.

Code:

$privateKey = openssl_pkey_new();
while($message = openssl_error_string()){
    echo $message.'<br />'.PHP_EOL;
}

Results:

error:02001003:system library:fopen:No such process
error:2006D080:BIO routines:BIO_new_file:no such file
error:0E064002:configuration file routines:CONF_load:system lib
error:02001003:system library:fopen:No such process
error:2006D080:BIO routines:BIO_new_file:no such file
error:0E064002:configuration file routines:CONF_load:system lib

OpenSSL Manually:

E:\wamp\apache\bin>openssl.exe pkey
WARNING: can't open config file: c:/openssl-1.0.1e/ssl/openssl.cnf

E:\wamp\apache\bin>set OPENSSL_CONF="E:\wamp\php\extras\openssl.cnf"

E:\wamp\apache\bin>openssl.exe pkey
3484:error:0200107B:system library:fopen:Unknown error:.\crypto\bio\bss_file.c:169:fopen('"E:\wamp\php\extras\openssl.cnf"','rb')
3484:error:2006D002:BIO routines:BIO_new_file:system lib:.\crypto\bio\bss_file.c:174:
3484:error:0E078002:configuration file routines:DEF_LOAD:system lib:.\crypto\conf\conf_def.c:199:

EDIT:

  1. Thanks to @Gordon I can now see open_ssl errors using openssl_error_string
  2. Completely uninstall EasyPHP. Manually installed stable versions of PHP/Apache. Same results! Definitely something I'm doing wrong with implementing openssl on windows.
  3. OpenSSL Manually section... additional error info

FINAL THOUGHTS:
I set up a linux box and I'm getting the same errors. After some playing around I see that even though it's throwing errors at the openssl_pkey_new it does eventually create my test p12 file. Long story short, the errors are misleading and it has to deal more with how you are using openssl functions not so much server-side configuration.

Final code:

// Create the keypair
$res=openssl_pkey_new();

// Get private key
openssl_pkey_export($res, $privkey);

// Get public key
$pubkey=openssl_pkey_get_details($res);
$pubkey=$pubkey["key"];

// Actual file
$Private_Key = null;
$Unsigned_Cert = openssl_csr_new($Info,$Private_Key,$Configs);
$Signed_Cert = openssl_csr_sign($Unsigned_Cert,null,$Private_Key,365,$Configs);
openssl_pkcs12_export_to_file($Signed_Cert,"test.p12",$Private_Key,"123456");

Close away.

A year later...

So I found myself doing this again a year later, and regardless of whatever PATH variables I set on the computer or during the script execution, it kept erroring about file not found. I was able to resolve it by passing in the config parameter in the config_args array in openssl_pkey_new. Here is a function that tests the ability to successfully use OpenSSL:

    /**
     * Tests the ability to 1) create pub/priv key pair 2) extract pub/priv keys 3) encrypt plaintext using keys 4) decrypt using keys
     * 
     * @return boolean|string False if fails, string if success
     */
    function testOpenSSL($opensslConfigPath = NULL)
    {
        if ($opensslConfigPath == NULL)
        {
            $opensslConfigPath = "E:/Services/Apache/httpd-2.4.9-win32-VC11/conf/openssl.cnf";
        }
        $config = array(
            "config" => $opensslConfigPath,
            "digest_alg" => "sha512",
            "private_key_bits" => 4096,
            "private_key_type" => OPENSSL_KEYTYPE_RSA,
        );

        $res = openssl_pkey_new($config); // <-- CONFIG ARRAY
        if (empty($res)) {return false;}

        // Extract the private key from $res to $privKey
        openssl_pkey_export($res, $privKey, NULL, $config); // <-- CONFIG ARRAY

        // Extract the public key from $res to $pubKey
        $pubKey = openssl_pkey_get_details($res);
        if ($pubKey === FALSE){return false;}

        $pubKey = $pubKey["key"];

        $data = 'plaintext data goes here';

        // Encrypt the data to $encrypted using the public key
        $res = openssl_public_encrypt($data, $encrypted, $pubKey);
        if ($res === FALSE){return false;}

        // Decrypt the data using the private key and store the results in $decrypted
        $res = openssl_private_decrypt($encrypted, $decrypted, $privKey);
        if ($res === FALSE){return false;}

        return $decrypted;
    }

    // Example usage:
    $res = testOpenSSL();
    if ($res === FALSE)
    {
        echo "<span style='background-color: red;'>Fail</span>";
    } else {
        echo "<span style='background-color: green;'>Pass: ".$res."</span>";
    }

Answer

Brock Hensley picture Brock Hensley · Mar 26, 2013

The code below works as expected. BUT if you run openssl_error_string() after the openssl methods it shows error:0E06D06C:configuration file routines:NCONF_get_string:no value which is some notice I have not been able to find documentation on.

Further note that according to http://www.php.net/manual/en/function.openssl-error-string.php you could be seeing mis-leading errors as error messages are queued:

Be careful when using this function to check errors, as it seems to read from a buffer of > errors, which could include errors from another script or process that was using openssl > functions. (I was surprised to find it returing error messages before I had called any > openssl_* functions)

<?php
/* Create the private and public key */
$res = openssl_pkey_new();
openssl_error_string(); // May throw error even though its working fine!

/* Extract the private key from $res to $privKey */
openssl_pkey_export($res, $privKey);
openssl_error_string(); // May throw error even though its working fine!

/* Extract the public key from $res to $pubKey */
$pubKey = openssl_pkey_get_details($res);
$pubKey = $pubKey["key"];

$data = 'i.amniels.com is a great website!';

/* Encrypt the data using the public key
 * The encrypted data is stored in $encrypted */
openssl_public_encrypt($data, $encrypted, $pubKey);

/* Decrypt the data using the private key and store the
 * result in $decrypted. */
openssl_private_decrypt($encrypted, $decrypted, $privKey);

echo $decrypted;
?>