[TYPO3-core] openssl as required PHP extension

"Christian Müller (Kitsunet)" christian.mueller at typo3.org
Fri Oct 21 14:10:24 CEST 2011


Hi all,

maybe it helps you, maybe not. In FLOW3 we use an external library for 
random byte generation which has several algorithms integrated (openssl 
first IF available).

See:

https://isecurity.svn.sourceforge.net/svnroot/isecurity/improved-security/php/Security/Randomizer.php

Christian

On 21/10/11 00:02, Steffen Gebert wrote:
> Hi,
>
> I'm a bit wondering about introducing openssl as required extension.
>
> * It is needed for rsaauth, thus it is checked in the 1-2-3 wizard.
> * On the other hand, rsaauth wouldn't enable itself, if openssl is not
> available (<- or has this been changed?)
>
> * "Restructure the random byte generator"
> https://review.typo3.org/4537
> is IMHO a requirement for the release, as it seems that we will fail
> otherwise on (some/all?) Windows systems.
>
> There was also some confusion, whether we can count on OpenSSL, or not.
>
> The thing is: What's with the people updating their installation (and
> running PHP without openssl)? Stupid idea, I know. But I expect them (on
> *nix systems) to run into Fatal Error (openssl_random_pseudo_bytes()
> unknown).
> See:
> https://review.typo3.org/#patch,unified,4537,3,t3lib/class.t3lib_div.php
>
> So to come to a point: Although it might be good to require openssl
> extension, it has (except faster rand generator, secure smtp mail
> transport, better salted passwords implementation) no real benefits,
> when having its introduction because of saltedpasswords in mind.
> saltedpasswords can also run with a command line openssl binary.
>
> Currently, this fact is *not* mentioned in the Release Notes!
>
> Kind regards
> Steffen
>
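
The "openssl first IF available" approach and the fatal-error concern raised in the thread, sketched as an added example that is not part of the original messages and is not TYPO3, FLOW3 or Randomizer.php code. The helper name `secureRandomBytes()` and the order of the fallbacks after OpenSSL are assumptions; `random_bytes()` only exists in PHP 7 and later.

```php
<?php
// Added illustration; secureRandomBytes() is a hypothetical helper name.

function secureRandomBytes(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('Length must be a positive integer.');
    }

    // 1. OpenSSL first, but only if the extension is loaded. Calling
    //    openssl_random_pseudo_bytes() unguarded on a PHP build without
    //    ext/openssl ends in "Call to undefined function".
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        // Accept the result only if OpenSSL reports a strong source.
        if (is_string($bytes) && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // 2. PHP's built-in CSPRNG (PHP 7+), independent of any extension.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // 3. Kernel random device on *nix systems.
    if (@is_readable('/dev/urandom')) {
        $handle = @fopen('/dev/urandom', 'rb');
        if ($handle !== false) {
            stream_set_read_buffer($handle, 0); // do not buffer extra entropy
            $bytes = fread($handle, $length);
            fclose($handle);
            if (is_string($bytes) && strlen($bytes) === $length) {
                return $bytes;
            }
        }
    }

    // Fail closed: never fall back silently to rand()/mt_rand() for
    // security-relevant values such as salts or tokens.
    throw new RuntimeException('No cryptographically secure random source available.');
}

// Constructed usage: a 16-byte value printed as hex.
echo bin2hex(secureRandomBytes(16)), PHP_EOL;
```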


