1.2.890. Openssl Encrypt Default Algorithm Change

openssl_pkcs7_encrypt() and openssl_cms_encrypt() will now default to using AES-128-CBC rather than RC2-40. The RC2-40 cipher is considered insecure and not enabled by default in OpenSSL 3.

This means that the default argument of OPENSSL_CIPHER_RC2_40 is replaced by OPENSSL_CIPHER_AES_128_CBC.

<?php
// extracted from the PHP documentation
// encrypt it
if (openssl_pkcs7_encrypt("msg.txt", "enc.txt", $key,
    array("To" => "nighthawk@example.com", // keyed syntax
          "From: HQ <hq@example.com>", // indexed syntax
          "Subject" => "Eyes only"))) {
    // message encrypted - send it!
    exec(ini_get("sendmail_path") . " < enc.txt");
}
?>

1.2.890.1. Connex PHP features

1.2.890.1.1. Suggestions

  • Explicitly set the 5th and 6th argument of the functioncalls to avoid a disruption.

  • Update the target service to handle the new cipher algorithm.

1.2.890.1.2. Specs

Short name

Php/OpensslEncryptAlgoChange

Rulesets

All, Changed Behavior, CompatibilityPHP81

Exakat since

2.2.3

PHP Version

All

Severity

Minor

Time To Fix

Quick (30 mins)

Precision

Medium

Available in

Entreprise Edition, Exakat Cloud