On 24.01.2013 18:08, Kevin Kinsey wrote:
On Thu, Jan 24, 2013 at 05:55:35PM +0100, steffo76@xxxxxx wrote:
Hi list,
I am having trouble with error messages saying
"Using an empty Initialization Vector (iv) is potentially insecure and not recommended"
These messages turn up using horde which uses ecb. I don't know the inner workings of php and openssl but if I understand correctly, there is no IV used in ecb hence there should be no error message according to this:
http://svn.php.net/viewvc?view=revision&revision=304179
(I am running php version 5.3.20)
Does anybody have any idea why I am getting these errors? I can reproduce them using this code:
<?php
openssl_encrypt ("Hallo","bf-ecb","abcdef");
?>
Regards
Stephan
Because E_WARNING is issued if the optional fourth parameter, Initialization
Vector, is NULL.
Is that so? In ext/openssl/openssl.c it looks like php is questioning
openssl if the cipher in question needs an iv by calling
EVP_CIPHER_iv_length which according to its manpage returns 0 if the
cipher does not use an iv. If I understand correctly the warning only
gets thrown if the vector is needed and empty. Since ecb does not need
an iv this warning should not appear at all, should it? This is also
how I understand the log for the code change:
http://svn.php.net/viewvc?view=revision&revision=304179
How exactly are the error messages troubling you? If they're appearing on
your site/pages, you should adjust server or site configuration.
That is what I did as a workaround but the question remains why I keep
getting the warning with recent versions of php. It doesn't matter if I
compile php against the 0.9.8 or the 1.0.1 versions of openssl.
Thanks
Stephan
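
The IV-length question raised in this thread can be asked from PHP itself with openssl_cipher_iv_length(). The following is an added example, not part of the original messages or of Horde/PHP source: it passes an IV only when the cipher reports a non-zero IV length. Assumptions: PHP 7 or later (random_bytes(), OPENSSL_RAW_DATA), hypothetical helper names, and aes-128-ecb / aes-128-cbc as constructed sample ciphers.

```php
<?php
// Added example; helper names are hypothetical. Assumes PHP 7+.

function iv_length_for(string $cipher): int
{
    $len = openssl_cipher_iv_length($cipher);
    if ($len === false) {
        throw new InvalidArgumentException("Unknown cipher: $cipher");
    }
    return $len;
}

function encrypt_with_iv(string $plain, string $cipher, string $key): string
{
    $ivLen = iv_length_for($cipher);
    // ECB modes report an IV length of 0, so no IV is generated for them.
    $iv = $ivLen > 0 ? random_bytes($ivLen) : '';
    $ct = openssl_encrypt($plain, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed: ' . openssl_error_string());
    }
    // The IV is not secret; store it in front of the ciphertext.
    return base64_encode($iv . $ct);
}

function decrypt_with_iv(string $blob, string $cipher, string $key): string
{
    $ivLen = iv_length_for($cipher);
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < $ivLen) {
        throw new InvalidArgumentException('Malformed ciphertext');
    }
    $iv = (string) substr($raw, 0, $ivLen);
    $ct = (string) substr($raw, $ivLen);
    $pt = openssl_decrypt($ct, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('Decryption failed: ' . openssl_error_string());
    }
    return $pt;
}

// Constructed sample run: one cipher without an IV, one with.
$key = random_bytes(16);
foreach (['aes-128-ecb', 'aes-128-cbc'] as $cipher) {
    $blob = encrypt_with_iv('Hallo', $cipher, $key);
    printf("%s iv_len=%d roundtrip=%s\n", $cipher, iv_length_for($cipher),
        decrypt_with_iv($blob, $cipher, $key));
}
```

Neither mode here authenticates the ciphertext, and ECB encrypts identical plaintext blocks to identical ciphertext blocks regardless of any IV handling.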
--
PHP General Mailing List (http://www.php.net/)