As I could see, there is a new implementation of generateRandomKey(). We end up in base Exception:
Message: Unable to generate a random key
File: vendor/yiisoft/yii2/base/Security.php
Line: 542
Environment:
OpenSSL is enabled:
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version OpenSSL 1.0.1f 6 Jan 2014
@tom-- any idea?
One: Relative to <= 2.0.6, OpenSSL was removed for non-Windows platforms owing to https://bugs.php.net/bug.php?id=70014 and the general OpenSSL concerns.
Two: I don't understand why this system cannot read /dev/urandom. @nadar would you put phpinfo() into a gist please? That might have clues.
@tom-- i just wrote you in gitter.
@nadar in what now?
i just wrote you a private message on Gitter (https://gitter.im/tom--), as there is sensitive data.
@nadar please try this test script and paste the results here.
1 function_exists('random_bytes')
false
2 defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : null
'OpenSSL 1.0.1f 6 Jan 2014'
3 PHP_VERSION_ID
50509
4 function_exists('mcrypt_create_iv')
false
5 DIRECTORY_SEPARATOR
'/'
6 sprintf('%o', lstat('/dev/urandom')['mode'])
'0'
7 sprintf('%o', lstat('/dev/urandom')['mode'] & 0170000)
'0'
8 bin2hex(@file_get_contents('/dev/urandom', false, null, 0, 16))
''
@nadar thanks. i added another test to the script. please update your output
1 function_exists('random_bytes')
false
2 defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : null
'OpenSSL 1.0.1f 6 Jan 2014'
3 PHP_VERSION_ID
50509
4 function_exists('mcrypt_create_iv')
false
5 DIRECTORY_SEPARATOR
'/'
6 sprintf('%o', lstat('/dev/urandom')['mode'])
'0'
7 sprintf('%o', lstat('/dev/urandom')['mode'] & 0170000)
'0'
8 bin2hex(@file_get_contents('/dev/urandom', false, null, 0, 16))
''
9 ini_get('open_basedir')
'/var/www/vhosts/MY_EXAMPLE_HOST_DOT_COM/:/tmp/'
_MY_EXAMPLE_HOST_DOT_COM_ represents the current domain
Looks like shared hosting in which the provider has denied access to /dev/urandom and doesn't have mcrypt. This leaves you in a tough position because problems with OpenSSL's RNG arose last year: It was discovered that PHP was using it in an unsafe way that didn't get fixed until 5.6.10 and OpenSSL's RNG fell out of favor in general. This is why Yii stopped using openssl_random_pseudo_bytes() in 2.0.7 except on Windows.
I can think of two options for you:
/dev/urandom but not in a way that the open_basedir setting inhibits. I just tested with PHP 5.4 and restrictive open_basedir and mcrypt_create_iv() appeared to work.
On this Ubuntu system it would be (for a sysop as simple as) apt-get install php5-mcrypt and restart FPM
":/dev/urandom" to the open_basedir INI setting and restart FPM
I don't know how to configure an Ubuntu LTS to use LibreSSL instead of OpenSSL. This would be a nice option.
I don't think it would be fair to the community of Yii users to reintroduce unconditional OpenSSL. Part of the idea with this update was to tighten Yii's use of available RNGs.
Actually, a couple more options:
Security::generateRandomKey() something like this and configure Yii to use your component instead of the base component. NOTE: I have not tested this
Thanks for your reply and your effort regarding this problem! It would be nice to know how many Yii users would have the same issue on their hosting providers, but for me it's not a problem to avoid this problem as I can partially manage those servers by ourselves since I know what has to be changed. So I guess the issue can be closed and other users will find this topic through googling.
I'm keeping the diagnostic script here for anyone else experiencing issues.
For everybody who did not install php-mcrypt right now (that's why the exception was thrown in my case), http://php.net/manual/de/mcrypt.installation.php:
Linux
apt-get install php5-mcrypt
mv -i /etc/php5/conf.d/mcrypt.ini /etc/php5/mods-available/
php5enmod mcrypt
service apache2 restart
Hi @linslin Would you please run the platform diagnostic script? I am curious why your PHP cannot read /dev/urandom.
Here are my results prior to installing mcrypt.
1 function_exists('random_bytes')
false
2 defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : null
'OpenSSL 1.0.1f 6 Jan 2014'
3 PHP_VERSION_ID
50509
4 function_exists('mcrypt_create_iv') ? bin2hex(mcrypt_create_iv(8, MCRYPT_DEV_URANDOM)) : null
NULL
5 DIRECTORY_SEPARATOR
'/'
6 sprintf('%o', lstat('/dev/urandom')['mode'])
'20666'
7 sprintf('%o', lstat('/dev/urandom')['mode'] & 0170000)
'20000'
8 bin2hex(file_get_contents('/dev/urandom', false, null, 0, 8))
'bddd76d88fdc02ae'
9 ini_get('open_basedir')
''
@mcki0127 Couple of bits of info that could be in the diag script but unfortunately are not:
Here are my results before installing mcrypt
1 function_exists('random_bytes')
false
2 defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : null
'OpenSSL 1.0.1f 6 Jan 2014'
3 PHP_VERSION_ID
50509
4 function_exists('mcrypt_create_iv') ? bin2hex(mcrypt_create_iv(8, MCRYPT_DEV_URANDOM)) : null
NULL
5 DIRECTORY_SEPARATOR
'/'
6 sprintf('%o', lstat('/dev/urandom')['mode'])
'0'
7 sprintf('%o', lstat('/dev/urandom')['mode'] & 0170000)
'0'
8 bin2hex(file_get_contents('/dev/urandom', false, null, 0, 8))
''
9 ini_get('open_basedir')
'/var/www/clients/client1/web4/web:/var/www/clients/client1/web4/private:/var/www/clients/client1/web4/tmp:/var/www/MY_EXAMPLE_HOST_DOT_COM/web:/srv/www/MY_EXAMPLE_HOST_DOT_COM/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin'
OS: Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-74-generic x86_64)
Yii version 2.0.7.
When I tried apt-get install php5-mcrypt
Here is the response I am getting
Reading package lists... Done
Building dependency tree
Reading state information... Done
php5-mcrypt is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
@riyaskp your open_basedir prevents reading anything in /dev
php7 is also a good option. (it's also very fast)
@tom--
OS: Ubuntu 14.04.4 LTS
Yii version: 2.08
php5enmod mcrypt fixed the problem for me.
@mcki0127 thanks.
i do not understand why generateRandomKey() could not read /dev/urandom on your system.
i do not understand why generateRandomKey() could not read /dev/urandom on your system.
open_basedir.
OS: Ubuntu 14.04.4 LTS
Yii version: 2.08
php5enmod mcrypt fixed the problem for me too.
@cebe open_basedir was empty in the output from mcki0127. you were probably looking at riyaskp's.
Oh yeah right. For mcki0127 it could be a difference in web and console PHP?
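The open_basedir effect discussed in this thread, as an added example (not code from the thread or from Yii): a simplified model of how PHP matches a path against the open_basedir entries, applied to the first reporter's value from item 9 of the diagnostic output and to the same value with ":/dev/urandom" appended. The function names are hypothetical, and the model assumes absolute paths with no symlink resolution.

```php
<?php
// Added example, not from the thread or from Yii. Simplified model of PHP's
// open_basedir matching: entries are directory names, ':'-separated on Linux.
// Assumption: absolute paths only; symlink resolution is not modelled.

/** True if $path lies inside (or is) one of the entries in $openBasedir. */
function pathAllowedByOpenBasedir($path, $openBasedir)
{
    if ($openBasedir === '') {
        return true; // empty setting means no restriction
    }
    $name = rtrim($path, '/') . '/';
    foreach (explode(':', $openBasedir) as $entry) {
        if ($entry === '') {
            continue;
        }
        // "/tmp" and "/tmp/" name the same directory; compare with one slash.
        $base = rtrim($entry, '/') . '/';
        if (strpos($name, $base) === 0) {
            return true;
        }
    }
    return false;
}

/** Human-readable verdict for /dev/urandom under a given setting. */
function urandomVerdict($openBasedir)
{
    return pathAllowedByOpenBasedir('/dev/urandom', $openBasedir)
        ? 'allowed' : 'blocked by open_basedir';
}

// Value taken from the diagnostic output in the thread (item 9).
$reported = '/var/www/vhosts/MY_EXAMPLE_HOST_DOT_COM/:/tmp/';
$cases = array(
    'as reported'                   => $reported,
    'with ":/dev/urandom" appended' => $reported . ':/dev/urandom',
    'empty (no restriction)'        => '',
);
foreach ($cases as $label => $setting) {
    printf("%-30s %s\n", $label, urandomVerdict($setting));
}

// Compare the model with the interpreter actually running this script.
$live = (string) ini_get('open_basedir');
$bytes = @file_get_contents('/dev/urandom', false, null, 0, 16);
printf("%-30s model: %s, read: %s\n", 'this PHP', urandomVerdict($live),
    ($bytes !== false && strlen($bytes) === 16) ? 'ok' : 'failed');
```

Run it under both the web SAPI and the CLI, since the two can load different INI settings.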