PHP is "broken" when it comes to 256-bit CBC AES encryption.
Check out these three blog posts:
The posts above demonstrate how Chilkat matches PHP with ECB-128, CBC-128, and Chilkat matches the .NET Framework (C#) with CBC-256.
Before we get to 256-bit AES in PHP, a few notes about the intialization vector and padding for AES:
1) The IV is equal to the block size of the encryption algorithm, not the key length. The standard block size of AES is 16-bytes. It doesn’t matter if it’s 128-bit, 192-bit, or 256-bit encryption, the block size is always 16 bytes.
2) AES output is padded to a multiple of the block size (16-bytes).
It seems that PHP is using a non-standard 32-byte block size for 256-bit AES encryption. It requires a 32-byte IV, and the output is padded to a multiple of 32-bytes. Therefore, PHP 256-bit AES encryption is going to be incompatible with most other systems.
Chilkat’s recommendation is to use 128-bit AES encryption in PHP.