Red Hat Bugzilla – Bug 1260315
Wrong warning by PHP openssl_encrypt() for missing IV even when the IV is not required
Last modified: 2016-05-31 21:45:52 EDT
Description of problem:
When running e.g. phpMyAdmin 4.4.14 on RHEL 6 this causes a warning:
openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended
This, however, is not a bug in phpMyAdmin but in PHP 5.3.3 as shipped with RHEL 6, and it is already fixed upstream.
Finally, something like
openssl_encrypt(str_repeat('.', 16), 'aes-256-ecb', str_repeat('a', 32),
causes the warning, even though ECB mode does not use an IV.
Note: Reproducing this requires phpMyAdmin 4.4.x as shipped by upstream, not the EPEL package (which is 4.0.x due to the old MySQL version in RHEL 6). It also requires MariaDB (either via SCL or remote).
Version-Release number of selected component (if applicable):
Every time, see above and below.
Wrong warning from openssl_encrypt() for a missing IV even when the IV is not required.
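The bug hinges on the fact that the IV warning is only meaningful for modes that actually consume an IV. The following added example (written for this page, not code from the bug report, phpMyAdmin or PHP itself) asks openssl_cipher_iv_length() whether the chosen mode needs an IV, generates a fresh random one only in that case, and passes an empty string otherwise, so a correctly behaving PHP never warns for ECB while a fixed or empty IV for CBC is never produced in the first place. It assumes PHP 5.4 or later for the OPENSSL_RAW_DATA constant (PHP 5.3 takes a boolean in that position); the key and plaintext are constructed to match the reproducer above.

```php
<?php
// Added example, not part of the bug report. Assumes PHP >= 5.4 (OPENSSL_RAW_DATA).

/**
 * Encrypt $plaintext with $cipher, supplying an IV only when the mode uses one.
 * Returns array('iv' => string, 'ct' => string); 'iv' is '' for IV-less modes.
 */
function encrypt_with_iv_if_needed($plaintext, $cipher, $key)
{
    $ivlen = openssl_cipher_iv_length($cipher);
    if ($ivlen === false) {
        throw new InvalidArgumentException("Unknown cipher: $cipher");
    }
    // A mode that consumes an IV must never receive a fixed or empty one; the
    // warning quoted in the report exists to catch exactly that misuse.
    $iv = $ivlen > 0 ? openssl_random_pseudo_bytes($ivlen) : '';
    $ct = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return array('iv' => $iv, 'ct' => $ct);
}

/** Inverse of the function above; the caller stores the IV next to the ciphertext. */
function decrypt_with_iv($ciphertext, $cipher, $key, $iv)
{
    return openssl_decrypt($ciphertext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
}

$key = str_repeat('a', 32); // constructed 256-bit key, same as the reproducer
$msg = str_repeat('.', 16); // constructed single 16-byte block, same as the reproducer

// aes-256-ecb reports an IV length of 0, so no IV is passed and no warning is
// expected; a PHP build that still emits "Using an empty Initialization Vector"
// here shows the bug. aes-256-cbc reports 16 and gets a random IV each call.
foreach (array('aes-256-ecb', 'aes-256-cbc') as $cipher) {
    printf("%s: iv length %d\n", $cipher, openssl_cipher_iv_length($cipher));
    $r = encrypt_with_iv_if_needed($msg, $cipher, $key);
    $back = decrypt_with_iv($r['ct'], $cipher, $key, $r['iv']);
    printf("  roundtrip %s, iv=%s\n", $back === $msg ? 'ok' : 'FAILED', bin2hex($r['iv']));
}
```

ECB appears here only because it is the mode the reproducer uses; it encrypts equal plaintext blocks to equal ciphertext blocks, which is why the IV-bearing modes (or an AEAD mode) with a fresh IV per message are what the warning is steering callers towards.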
Cross-filed case/ticket 01503945 on the Red Hat customer portal.
Low-risk patch (the same code is still used in the latest versions).
Nice to have, especially as we encourage the use of the openssl extension for encryption (instead of the dead mcrypt).
The php-phpseclib test suite is a good reproducer.
Both the reproducer from the description and the phpseclib test suite are OK with the linked patch.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.