[horde] Horde update, not getting errors in log

Michael M Slusarz slusarz at horde.org
Tue Nov 20 23:28:46 UTC 2012


Quoting "John H. Bennett III" <bennettj at thebennetthome.com>:

> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting "John H. Bennett III" <bennettj at thebennetthome.com>:
>>
>>> Hello all,
>>>
>>> Today I did a pear update, via pear upgrade -B -c horde, and now I  
>>> see these errors when logging into the system.
>>>
>>> Nov 20 12:13:08 www HORDE: [imp] PHP ERROR: openssl_encrypt() [<a  
>>> href='function.openssl-encrypt'>function.openssl-encrypt</a>]:  
>>> Using an empty Initialization Vector (iv) is potentially insecure  
>>> and not recommended [pid 2919 on line 37 of  
>>> "/usr/share/pear/Horde/Crypt/Blowfish/Openssl.php"]
>>
>> This was fixed over 2 years ago in PHP:
>>
>> http://svn.php.net/viewvc?view=revision&revision=304179
>
> Thanks Michael for responding.
>
> All I can report is these log messages didn't appear in my log  
> yesterday or today, until after I updated my horde install today.  I  
> don't know what changed that all of a sudden made these appear.   
> From your link, I believe this is just log noise and I can ignore.   
> If not, I don't know how to fix it myself anyway, so I'll continue  
> testing and see if they cause any real issues.

This is because we switched from using PEAR's Crypt_Blowfish library  
to our custom Horde_Crypt_Blowfish library as of our package releases  
on Monday.  openssl_encrypt() is significantly faster than the  
PHP-based version contained in Crypt_Blowfish, and since openssl is  
highly recommended (and even required) for several Horde features,  
most people will take advantage of this speed increase.

(It is true that both Crypt_Blowfish and Horde_Crypt_Blowfish will  
also try to use mcrypt functions, if available, but we don't  
personally require mcrypt anymore and this optional extension is not  
commonly included in a base PHP distribution install).

The error message is harmless because initialization vectors (IVs)  
are not used in the cipher mode used in Horde (ECB).

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
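
An added example, not part of the original message and not Horde's code: it compares the IV length PHP's openssl extension reports for an ECB cipher and a CBC cipher, and shows what encrypting without an IV means for repeated plaintext. The key, the plaintext, the function names and the AES-128 fallback (for OpenSSL builds that do not expose Blowfish) are assumptions of this example.

```php
<?php
// Added illustration; the key and plaintext are constructed sample values.

// Prefer Blowfish as in the thread; fall back to AES-128 (an assumption of
// this example) where the OpenSSL build does not expose Blowfish.
function pick_ciphers(): array
{
    $have = openssl_get_cipher_methods();
    return in_array('bf-ecb', $have, true) && in_array('bf-cbc', $have, true)
        ? ['bf-ecb', 'bf-cbc']
        : ['aes-128-ecb', 'aes-128-cbc'];
}

function compare_modes(string $key, string $chunk): array
{
    [$ecb, $cbc] = pick_ciphers();
    $plain = $chunk . $chunk;                 // the same 16 bytes twice
    $opts  = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING;
    $n     = strlen($chunk);

    // ECB: the cipher reports an IV length of 0, so no IV is passed.
    $ecbOut = openssl_encrypt($plain, $ecb, $key, $opts);

    // CBC: the cipher reports a non-zero IV length; use a fresh random IV.
    $iv     = random_bytes(openssl_cipher_iv_length($cbc));
    $cbcOut = openssl_encrypt($plain, $cbc, $key, $opts, $iv);

    return [
        'ecb_cipher'       => $ecb,
        'ecb_iv_length'    => openssl_cipher_iv_length($ecb),
        'cbc_iv_length'    => strlen($iv),
        // ECB encrypts each block independently: equal input, equal output.
        'ecb_halves_equal' => substr($ecbOut, 0, $n) === substr($ecbOut, $n, $n),
        // CBC chains each block to the previous one, so the halves differ.
        'cbc_halves_equal' => substr($cbcOut, 0, $n) === substr($cbcOut, $n, $n),
    ];
}

$key   = 'constructed-key!';   // 16 bytes, sample only
$chunk = 'sixteen byte msg';   // 16 bytes: a multiple of both block sizes

print_r(compare_modes($key, $chunk));
```

The `ecb_iv_length` of 0 is why an empty IV changes nothing in ECB mode; `ecb_halves_equal` being true shows the property that comes with it, namely that identical plaintext blocks produce identical ciphertext blocks.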


