Question

My shop was moved to a server without mcrypt and for some reason mcrypt cannot be installed (don't ask me why!).

Looks like passwords are only encrypted with md5 with a salt (bad!) so I wonder what mcrypt is used for at all. Someone hacked Magento and was able to install it without mcrypt. Does not sound good to me but it was working for him.

Now I would like to know what encrypt is used for and will the shop break if I replace it with a dummy? Is there a better workaround? Maybe get secure random from openssl and add an encryption lib?

TL;DR

  • What is mcrypt used for in Magento?
  • Is a good workaround possible?

Solution

MCrypt is not used for password and URL key hashing but for encrypting and decrypting sensitive data such as API passwords, e.g. stored in / retrieved from the system configuration.

All MCrypt functionality is encapsulated in Varien_Crypt_Mcrypt. This class again is accessed via Mage_Core_Model_Encryption. The encryption model that should be used throughout the application is configured in the config/global/helpers/core/encryption_model node.

So (in theory) there is sort of a chance to replace this one by your own encryption model – as long as it satisfies the former's interface. At first glance it looks like you need to extend Mage_Core_Model_Encryption and replace the _getCrypt method. This should return a class instance that implements the same methods as Varien_Crypt_Mcrypt – but makes use of a different encryption library.
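
As an added illustration of the replacement the answer describes (not Magento's own code, and not part of the original answer): an adapter with the same init/encrypt/decrypt surface as Varien_Crypt_Mcrypt built on ext/openssl, and the Mage_Core_Model_Encryption subclass that returns it from _getCrypt. Class and module names are hypothetical. Values already stored by the mcrypt adapter (Blowfish, ECB mode by default) will not decrypt with this one, so API passwords and similar config values must be re-entered after the switch.

```php
<?php
// Added example, not Magento's code: an openssl-based stand-in for
// Varien_Crypt_Mcrypt plus the encryption model that hands it out.
class My_Module_Model_Crypt_Openssl   // hypothetical class name
{
    const CIPHER = 'aes-256-cbc';
    protected $_key;
    // Same entry point as Varien_Crypt_Mcrypt::init(); fold the configured key string into 32 bytes.
    public function init($key)
    {
        $this->_key = hash('sha256', (string)$key, true);
        return $this;
    }

    // Returns raw bytes IV || ciphertext with a fresh random IV per call; the model base64-encodes it.
    public function encrypt($data)
    {
        $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length(self::CIPHER));
        $ct = openssl_encrypt((string)$data, self::CIPHER, $this->_key, OPENSSL_RAW_DATA, $iv);
        return $iv . $ct;
    }

    // Split off the IV and decrypt; return '' for malformed input rather than false.
    public function decrypt($data)
    {
        $ivLen = openssl_cipher_iv_length(self::CIPHER);
        if (strlen($data) <= $ivLen) {
            return '';
        }
        $pt = openssl_decrypt(substr($data, $ivLen), self::CIPHER, $this->_key, OPENSSL_RAW_DATA, substr($data, 0, $ivLen));
        return $pt === false ? '' : $pt;
    }
}
// Register this class as config/global/helpers/core/encryption_model in a local module.
class My_Module_Model_Encryption extends Mage_Core_Model_Encryption
{
    protected function _getCrypt($key = null)
    {
        if (!$this->_crypt) {
            if (null === $key) {
                $key = (string)Mage::getConfig()->getNode('global/crypt/key');
            }
            $this->_crypt = new My_Module_Model_Crypt_Openssl();
            $this->_crypt->init($key);
        }
        return $this->_crypt;
    }
}
```

The adapter does not authenticate the ciphertext; if the stored values could be tampered with by someone who can write to the database, an HMAC over IV and ciphertext (encrypt-then-MAC) should be added before the data is trusted.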

OTHER TIPS

You could patch the Magento code (for example via the app/local code pool) and replace the mcrypt functionality with that from PHPSecLib, which offers an implementation of the functionality in pure PHP: http://phpseclib.sourceforge.net/

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange