Project

General

Profile

Actions

Bug #13257

closed

Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm

Added by Jim Pingle almost 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Certificates
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

In source:src/usr/local/www/system_certmanager.php#L198 or thereabouts it sets a parameter encrypt_key_cipher intending to use AES-256 for exporting a PKCS#12 file. The parameter used is not honored by PHP. It isn't listed in the documentation for openssl_pkcs12_export(), nor in the source, and the resulting PKCS#12 file is created using the OpenSSL default RC2+3DES algorithms.

OpenSSL is deprecating RC2 in OpenSSL 3.0, so we should fix this for the next release if possible, in one of two ways:

1. Wait until we import PHP 8.1 and see if this is fixed there. Based on the source, I doubt it is, but worth checking.
2. Change from the PHP function to make a PKCS#12 cert to using OpenSSL directly as is done on the OpenVPN client export package. When exporting there, we can pass -certpbe AES-256-CBC -keypbe AES-256-CBC which results in a file encrypted with the expected algorithms.


Related issues

Has duplicate Bug #13472: Cert Manager and OpenVPN exporter use **obsolete** sig/algo combinationDuplicate

Actions
Actions

Also available in: Atom PDF