https://github.com/docker-library/php/blob/a9f19e9df5f7a5b74d72a97439ca5b77b87faa35/7.3/alpine3.9/fpm/Dockerfile#L112
vs
https://github.com/docker-library/php/blob/a9f19e9df5f7a5b74d72a97439ca5b77b87faa35/7.3/alpine3.8/fpm/Dockerfile#L112
Same problem as on Debian:
https://github.com/openssl/openssl/issues/5098
What is the reason for changing the package?
> What is the reason for changing the package?
Because alpine packages in general are now compiled with openssl and not libressl (and we'd get openssl-dev even if we tried to switch, since it is a dependency of curl-dev and possibly other packages).
@yosifkit I agree.
How about the php + openssl-dev error?
php can see it:
```
file: /var/www/html/frontend/config/ssl/client01.crt;
file_exists: 1;
is_readable: 1;
```
but it can't open a connection through fopen():
```
fopen(): Unable to set local cert chain file `/var/www/html/frontend/config/ssl/client01.crt'; Check that your cafile/capath settings include details of your certificate and its issuer
```
I also got the same error with curlTransport (I use https://github.com/yiisoft/yii2-httpclient ):
```
Curl error: #58 - could not load PEM client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?)
```
Could this be an error in how openssl-dev or php is configured/built in this Dockerfile?
So... I can see a difference in config. libressl uses a pretty tiny config without any path for CA files:
```
docker-compose exec php cat /etc/ssl/openssl.cnf
[ req ]
#default_bits = 2048
#default_md = sha256
#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
```
OpenSSL uses a much bigger config, with default settings for the CA folder:
```
...
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
...
```
Maybe this is important not only for creating a new cert?...
So... Maybe I should check the CA for
Weak (MD5) hashes in certificate signature (SSL_CTX_use_certificate md too weak)
like this man: http://ics-openvpn.blinkt.de/FAQ.html
> Weak (MD5) hashes in certificate signature (SSL_CTX_use_certificate md too weak)
> Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like MD5.
> MD5 signatures are completely insecure and should not be used anymore. MD5 collisions can be created in a few hours at minimal cost. You should update the VPN certificates as soon as possible.
> Unfortunately, older easy-rsa distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to the latest version, or change md5 to sha256 and regenerate your certificates.
> If you really want to use old and broken certificates, use the custom configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as an additional line in your imported configuration.
The same can happen for certificates with the SHA1 hashing algorithm, like Apple PassKit wallet certificates, when using them to push notifications via HTTP/2.
To temporarily solve this with openssl 1.1.1 you can set SECLEVEL=1 instead of 2 in /etc/ssl/openssl.conf.
SHA1 is outdated and insecure. Certificates using it should be replaced!
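Both the MD5 case quoted from the OpenVPN FAQ and the SHA1/SECLEVEL comment above come down to the same question: which digest signed each certificate in the chain, and does the OpenSSL security level in force accept it? The following is an added example (not code from this issue, from the php image or from OpenSSL) that answers that offline: it parses the outer signatureAlgorithm of every certificate in a PEM file with a small DER reader and scores it with OpenSSL's documented rule of thumb of half the digest length as "security bits", so MD5 fails at level 1 and SHA1 at the default level 2 mentioned above. The OID table, the level thresholds and the `fake_cert_pem()` fixture are my own constructions for the demo; newer OpenSSL releases score SHA1 lower still, so treat the output as triage and confirm real files with `openssl x509 -noout -text`.

```python
"""Triage a PEM chain for weak signature digests before OpenSSL 1.1 rejects it
with "ca md too weak". Added example; the tables below are assumptions."""
import base64
import re

# Constructed OID table: dotted OID -> (algorithm name, digest output bits).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", 128),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", 160),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", 256),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", 384),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", 160),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", 256),
}
# Minimum security bits per OpenSSL security level (SSL_CTX_set_security_level).
LEVEL_BITS = {0: 0, 1: 80, 2: 112, 3: 128}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID contents to dotted form (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """Outer signatureAlgorithm OID of a DER Certificate ::= SEQUENCE
    { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)        # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def check_chain(pem_text, level=2):
    """One dict per certificate: algorithm, estimated security bits (half the
    digest length, OpenSSL's rule of thumb) and whether the level accepts it.
    Unknown OIDs are reported by number and treated as failing."""
    need, report = LEVEL_BITS[level], []
    for i, m in enumerate(PEM_RE.findall(pem_text)):
        oid = signature_oid(base64.b64decode("".join(m.split())))
        name, digest_bits = SIG_OIDS.get(oid, (oid, None))
        secbits = digest_bits // 2 if digest_bits else None
        report.append({"index": i, "algorithm": name, "secbits": secbits,
                       "accepted": secbits is not None and secbits >= need})
    return report


# --- constructed fixture: a Certificate-shaped DER blob, not a real cert ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert_pem(sig_oid):
    """Dummy TBS (three INTEGERs), a real AlgorithmIdentifier, dummy BIT STRING.
    Only the outer layout matters to signature_oid(); use real PEM files in practice."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") * 3)
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 4)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    chain = fake_cert_pem("1.2.840.113549.1.1.4") + fake_cert_pem("1.2.840.113549.1.1.11")
    for lvl in (1, 2):
        print(f"SECLEVEL={lvl}:", check_chain(chain, lvl))
```

Against a real deployment you would call `check_chain(open("/var/www/html/frontend/config/ssl/client01.crt").read(), level=2)` and regenerate any certificate whose `accepted` is false with a SHA-2 `default_md`, rather than lowering SECLEVEL; the reader only looks at the outer AlgorithmIdentifier, which is exactly the field SSL_CTX_use_certificate checks before the "md too weak" error.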