pfSense

Hello.

It was identified today that the Cert Manager when exporting .p12 files containing private keys and cert chains is using an extremely obsolete algoritm and sig size.

Currently, all .p12 files exported from the certificate manager in the pfSense interface use this algorithm: RC2-40-CBC

This provides no more security than a simple rot13 algorithm, and OpenSSL upstream with default security levels of 1 now deem this obsolete and cannot open the exported .p12 files with the following error output:

Error outputting keys and certificates
40E7B5B6887F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

This means that it is impossible to use the .p12s exported from pfSense in later OpenSSL versions. According to a lift from OpenSSL's manpages (https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html) today:

The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation.

The RC2-40-CBC algo that is being used currently by pfSense is considered "legacy" (aka: Dead) in OpenSSL and is obsolete. This should be considered a Security Issue with PKCS12 exports being made with insecure encryption algorithms and key derivation mechanisms.

PLEASE update the underlying systems to export PKCS12 files with sane defaults so that we don't need to rely on legacy algos.