1.2.884. Openssl Encrypt Default Algorithm Change¶
openssl_pkcs7_encrypt() and openssl_cms_encrypt() will now default to using AES-128-CBC rather than RC2-40. The RC2-40 cipher is considered insecure and not enabled by default in OpenSSL 3.
This means that the default argument of OPENSSL_CIPHER_RC2_40 is replaced by OPENSSL_CIPHER_AES_128_CBC.
<?php
// extracted from the PHP documentation
// encrypt it
if (openssl_pkcs7_encrypt("msg.txt", "enc.txt", $key,
array("To" => "nighthawk@example.com", // keyed syntax
"From: HQ <hq@example.com>", // indexed syntax
"Subject" => "Eyes only"))) {
// message encrypted - send it!
exec(ini_get("sendmail_path") . " < enc.txt");
}
?>
1.2.884.1. Suggestions¶
Explicitly set the 5th and 6th argument of the functioncalls to avoid a disruption.
Update the target service to handle the new cipher algorithm.
1.2.884.2. Specs¶
Short name |
Php/OpensslEncryptAlgoChange |
Rulesets |
|
Exakat since |
2.2.3 |
PHP Version |
All |
Severity |
Minor |
Time To Fix |
Quick (30 mins) |
Precision |
Medium |
Features |
cryptography, openssl |
Available in |