pfSense

On 2.4.x with OpenSSL 1.0.x, the default message digest (md) value was "md5" (eew). On 2.5.0 with OpenSSL 1.1.1 we manually set sha256.

Between the hardcoded md value and the difference in OpenSSL defaults between the versions, it needs a nudge before it could possibly decrypt an old config on a new system ("legacy" mode in the function). Old syntax examples like on the forum would not work as-is on 2.5.0.

So when $legacy is true, the OpenSSL command should pass -md md5 which should let it work fully.