https://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162022-06-08T10:38:04ZpfSense bugtrackerpfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=617402022-06-08T10:38:04ZJim Pingle
<ul></ul><p>See also: <a class="issue tracker-4 status-3 priority-4 priority-default closed" title="Todo: Set PKCS#12 algorithm when exporting OpenVPN ZIP or Windows bundles (Resolved)" href="https://redmine.pfsense.org/issues/13255">#13255</a></p> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=619922022-06-28T12:01:11ZJim Pingle
<ul><li><strong>Plus Target Version</strong> changed from <i>22.09</i> to <i>22.11</i></li></ul> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=628022022-09-06T14:57:24ZJim Pingle
<ul></ul><p>This is not fixed on PHP 8.1, so option 2 seems to be the path forward here.</p> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=628042022-09-06T14:58:14ZJim Pingle
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-1 status-11 priority-4 priority-default closed" href="/issues/13472">Bug #13472</a>: Cert Manager and OpenVPN exporter use **obsolete** sig/algo combination</i> added</li></ul> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=628482022-09-12T14:46:55ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=628632022-09-15T11:16:21ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li><li><strong>Private</strong> changed from <i>Yes</i> to <i>No</i></li></ul><p>I merged changes which move from using the native PHP function to using OpenSSL directly so we can control the algorithms involved.</p>
<p>Exported archives now use AES-256 and SHA256:</p>
<pre>
$ openssl pkcs12 -info -in jimp.p12 -passin pass:abc123 -passout pass:abc123
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
[...]
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
</pre>
<p>We could also consider increasing the iterations if need be.</p> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=628742022-09-16T07:57:25ZJim Pingle
<ul></ul><p>The new export code works fine on internal snapshots, though we should probably test how well other systems can read/import the .p12 files.</p>
<p>Also the OpenVPN client export package should probably be updated to tie into this new function so it isn't duplicating effort, but that will be a separate Redmine task. Even if it doesn't use this function it should be changed to use the same algorithms since it already calls OpenSSL to make the archive in a similar way.</p> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=628752022-09-16T09:50:52ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Progress</i></li></ul><p>The new files import OK into pfSense (current snapshots, 22.05, and 2.6.0) and a current Windows 10 at least, but apparently macOS is not yet compatible with the higher encryption, nor are older versions of Windows. macOS fails to import the P12 into its cert manager, though it can read them at the CLI with the <code>openssl</code> command.</p>
<p>The older versions of Windows aren't a significant concern, but macOS is, so it looks like we might need an option to weaken the security down to 3DES/SHA1 while defaulting to stronger encryption. It's OK to only make this available from the cert edit screen for now as both macOS and Windows need the export password defined anyhow.</p> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=628782022-09-16T11:55:00ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li></ul><p>Added an option to change the encryption level to high (AES-256+SHA256), low (3DES+SHA1), and legacy (RC2-40 + SHA1). Most things non-macOS are good with "high", and macOS is happy with "low". Anything even older can use "legacy".</p> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=631232022-10-11T07:54:40ZChris Linstruth
<ul></ul><p>I looked at this mainly using macos as a client and it seemed to function well. Successful import using "low" and unsuccessful using "high".</p> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=631252022-10-11T09:36:05ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>That's a good enough test in addition to all the testing I've done. It's passed and functional testing and inspection of the results I've done thus far.</p>
<p>I'll close this out, we can always revisit if someone has an issue.</p> pfSense - Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmhttps://redmine.pfsense.org/issues/13257?journal_id=631682022-10-11T14:40:58ZJim Pingle
<ul><li><strong>Plus Target Version</strong> changed from <i>22.11</i> to <i>23.01</i></li></ul>