webpatser/laravel-uuid

OpenSSL openssl_random_pseudo_bytes() causing collisions

SlyDave opened this issue · 1 comments

OpenSSL uses openssl_random_pseudo_bytes() to generate its randomness; however, there are known issues with this causing collisions in environments under Apache/php-fpm: when instances are forked, the parent and child processes can end up generating the same UUID.

You can read all about it at https://benramsey.com/blog/2016/04/ramsey-uuid/ under the section "WHEN UUIDS COLLIDE".

The solution to this problem was to avoid using OpenSSL as a fallback for generating random bytes, add paragonie/random_compat as a fallback, and use random_bytes() for PHP >= 7.

This was already fixed in PR #15.

It checks for the random_bytes function, and if present it will not even try OpenSSL or Mcrypt.

The suggestion for paragonie/random_compat was also added in May 2016.
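
The selection order described in the reply, together with a regression check for the fork collision reported in the issue, as an added example that is not code from laravel-uuid or PR #15. The function names `secureRandomBytes`, `uuid4` and `forkCollisionCheck` are hypothetical, the check assumes the CLI SAPI with the pcntl extension on a Unix-like host, and instead of trying OpenSSL or Mcrypt when `random_bytes()` is missing this example fails closed.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper names, not the library's API).
function secureRandomBytes(int $length): string
{
    // PHP >= 7 ships random_bytes(); on PHP 5.x paragonie/random_compat
    // defines the same function, so this check covers both cases.
    if (function_exists('random_bytes')) {
        return random_bytes($length); // throws if the OS CSPRNG is unavailable
    }
    // Assumption of this example: refuse to run rather than fall back.
    throw new RuntimeException('random_bytes() unavailable; install paragonie/random_compat');
}

function uuid4(): string
{
    $b = secureRandomBytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version 4 in the high nibble of byte 6
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant (10xx) in byte 8
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Returns true if parent and child produce the same UUID right after a fork.
function forkCollisionCheck(): bool
{
    $pair = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
    uuid4(); // touch the generator first so any process-local state exists before forking
    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {            // child: send its UUID to the parent and exit
        fclose($pair[0]);
        fwrite($pair[1], uuid4());
        exit(0);
    }
    fclose($pair[1]);            // parent: generate its own UUID, then read the child's
    $parent = uuid4();
    $child = stream_get_contents($pair[0]);
    pcntl_waitpid($pid, $status);
    return $parent === $child;
}

if (PHP_SAPI === 'cli' && function_exists('pcntl_fork')) {
    echo forkCollisionCheck() ? "COLLISION\n" : "distinct\n";
}
```

Running the check in a loop from a test suite is one way to catch a regression if a process-local random source is ever reintroduced.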