Todo #13255: Set PKCS#12 algorithm when exporting OpenVPN ZIP or Windows bundles - pfSense Packages - pfSense bugtracker

Actions

Copy link

#1

Updated by Jim Pingle almost 2 years ago

Description updated (diff)

Actions

Copy link

#3

Updated by Thomas Ward about 1 year ago

Jim Pingle wrote:

Currently when crafting a PKCS#12 archive the OpenVPN Client Export package does not set a specific encryption algorithm, so it ends up using the current default in OpenSSL 1.1.1 which is RC2. OpenSSL 3.0 is dropping support for RC2, and given its weakness we should be exporting using something stronger anyhow.

The package should set AES-256 by passing -certpbe AES-256-CBC -keypbe AES-256-CBC when creating the PKCS#12 file, perhaps with an option to omit them so it uses the old algorithms for legacy clients.

Borrowing from comments/logs in #13257 but, could we do something similar here to what was done for general PKCS#12 exports?

Added an option to change the encryption level to high (AES-256+SHA256), low (3DES+SHA1), and legacy (RC2-40 + SHA1). Most things non-macOS are good with "high", and macOS is happy with "low". Anything even older can use "legacy".

This way, we can still use the "lower" security that is required/present for "older" things (a-la Macs) and default to "high" unless selected by admin/exporter in the UI.

Actions

Copy link

#4