PHP 7.0 Adds Better Support for Asymmetric Encryption

Published by John on November 4, 2015 Under PHP

CentOS, which stands for Community Enterprise Operating System, is a very popular Linux distribution based on Red Hat Enterprise Linux (RHEL). RHEL provides long-term support for its distribution, meaning you can install the latest version and expect to get security updates for around 7-10 years. However, security updates often don’t translate to the newest version of software.

For example, RHEL 7, which was released in 2014 and will be supported until 2024, uses PHP version 5.4, but the latest stable version of PHP is 5.6 and PHP 7.0 was just released. While having a stable release and long-term support is very important, sometimes you need a newer version of software to get access to new methods or features.

I ran into this recently when attempting to use PHP’s openssl_seal function to perform asymmetric encryption.

openssl_seal Segmentation Fault When Using AES or Other Cipher Suites Requiring Initialization Vector

In my case, I ran into an issue using PHP’s openssl_seal and openssl_open functions. Specifically, in versions of PHP <= 5.6.14, using openssl_seal with a cipher suite that requires an Initialization Vector causes a segmentation fault. So, you are left using RC4 or a handful of other ciphers, which have known limitations. This isn't currently documented in the official documentation of openssl_seal. However, there is a bug for it on the PHP bugtracker.

If you read through the bug, which dates back to 2011, there is some interesting discussion on it. The segmentation fault was ‘fixed’ a couple of months ago… I believe in 5.6.14. However, the fix was to print a warning instead of having a segmentation fault. So, now if you try to run with a cipher like AES-256-XTS that requires an IV, you will see the following error:

Warning: openssl_seal(): Ciphers with modes requiring IV are not supported

Using openssl_seal with an Initialization Vector

In the bug above, it was decided that support for ciphers like AES that require an Initialization Vector would be released as part of PHP 7. Support for it was added in mid-September in version 7.0.0 RC3, which can be seen in this bug.

The new function calls are as follows; the added $cipher and $iv arguments allow support for more modern cipher suites:

openssl_seal($data, $sealed, $ekeys, array($pub_key, $pub_key), $cipher, $iv);   
openssl_open($sealed, $decrypted, $ekeys[0], $priv_key, $cipher, $iv);

I haven’t fully tested this, but have done some limited playing and it appears to work using more modern cipher suites.
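
A round trip through the six-argument calls above with AES-256-CBC, as an added example that is not from the original post. The throwaway key pair, the sample plaintext and the JSON envelope layout are constructed for illustration.

```php
<?php
// Added example: openssl_seal()/openssl_open() round trip with an IV-based
// cipher. Needs PHP >= 7.0 with the openssl extension.
if (PHP_VERSION_ID < 70000) {
    exit("openssl_seal() accepts an IV only from PHP 7.0 onward\n");
}

// Pinned by both sides; never taken from the received message.
const CIPHER = 'AES-256-CBC';

// Throwaway RSA key pair generated for this demo (constructed test key).
$keyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($keyPair === false) {
    exit("key generation failed: " . openssl_error_string() . "\n");
}
$pubKey = openssl_pkey_get_public(openssl_pkey_get_details($keyPair)['key']);

$data = 'constructed sample plaintext';

// Seal: a random symmetric key encrypts $data, and that key is RSA-encrypted
// once per recipient into $ekeys. $iv is filled in by reference.
if (openssl_seal($data, $sealed, $ekeys, [$pubKey], CIPHER, $iv) === false) {
    exit("seal failed: " . openssl_error_string() . "\n");
}

// The recipient needs all three parts. Only the private key is secret; the
// IV and the envelope key are stored or sent alongside the ciphertext.
$envelope = json_encode([
    'iv'     => base64_encode($iv),
    'ekey'   => base64_encode($ekeys[0]),
    'sealed' => base64_encode($sealed),
]);

// Open: decode the envelope and decrypt with the matching private key.
$in = json_decode($envelope, true);
$ok = openssl_open(
    base64_decode($in['sealed']), $plain,
    base64_decode($in['ekey']), $keyPair,
    CIPHER, base64_decode($in['iv'])
);
if (!$ok || !hash_equals($data, $plain)) {
    exit("open failed: " . openssl_error_string() . "\n");
}
echo "round trip ok, IV is " . strlen($iv) . " bytes\n";
```

With CBC the sealed data is encrypted but not authenticated, so sign or MAC the envelope if tampering is a concern.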

Upgrading CentOS to PHP 7.0

Important Caveat: Installing a different/newer version of PHP can break things, may be incompatible with your current PHP web-apps, and can otherwise cause problems. You should not perform an upgrade without careful consideration, and I would recommend using extreme caution if considering this on a production server!

There are a few ways to get a more modern version of PHP on your CentOS server. One is to use Software Collections. Software Collections, which is often referred to as SCL, includes packages for RHEL-based distros, like Fedora, CentOS, and Scientific Linux. You can install a number of different software packages, including newer versions of MariaDB (MySQL) and PHP. Unfortunately, at the time of this post, PHP7 is not available, and even the PHP6 version that is available is a bit dated.

So, if you are needing a newer version of PHP, you are probably going to want to go with Remi’s Repo.

Installing PHP7 is fairly easy, but again you will want to use extreme caution if you plan on installing this on a production server! It is possible that it will cause some issues with older PHP code, as it represents a very significant PHP update.

The instructions below are for setting Remi’s Repo up for CentOS 6. If you are using a different version of CentOS, make sure you use the appropriate RPM!

Note that this installs both EPEL and Remi’s repo.

First download/install new yum repos. After this, they should be present in /etc/yum.repos.d/


wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
wget http://rpms.remirepo.net/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6.rpm epel-release-latest-6.noarch.rpm

Next enable the PHP70 Repo and Update!

yum-config-manager --enable remi-php70
yum update

Verify you have the latest php version and restart your webserver

[root@localhost ~]# /usr/bin/php -v
PHP 7.0.0RC6 (cli) (built: Oct 28 2015 10:49:46) ( NTS )
Copyright (c) 1997-2015 The PHP Group
Zend Engine v3.0.0-dev, Copyright (c) 1998-2015 Zend Technologies

service httpd restart

This should now give you the latest version of PHP, so you can do some playing and make sure your web-apps are compatible with the new version.

