Project

General

Profile

Actions

Bug #13472

closed

Cert Manager and OpenVPN exporter use **obsolete** sig/algo combination

Added by Thomas Ward about 2 years ago. Updated about 2 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
Certificates
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:
All

Description

Hello.

It was identified today that the Cert Manager when exporting .p12 files containing private keys and cert chains is using an extremely obsolete algoritm and sig size.

Currently, all .p12 files exported from the certificate manager in the pfSense interface use this algorithm: RC2-40-CBC

This provides no more security than a simple rot13 algorithm, and OpenSSL upstream with default security levels of 1 now deem this obsolete and cannot open the exported .p12 files with the following error output:

Error outputting keys and certificates
40E7B5B6887F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

This means that it is impossible to use the .p12s exported from pfSense in later OpenSSL versions. According to a lift from OpenSSL's manpages (https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html) today:

The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation.

The RC2-40-CBC algo that is being used currently by pfSense is considered "legacy" (aka: Dead) in OpenSSL and is obsolete. This should be considered a Security Issue with PKCS12 exports being made with insecure encryption algorithms and key derivation mechanisms.

PLEASE update the underlying systems to export PKCS12 files with sane defaults so that we don't need to rely on legacy algos.


Related issues

Is duplicate of Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithmResolvedJim Pingle

Actions
Actions #1

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Duplicate
  • Priority changed from High to Normal

We're already aware, it's being tracked internally as #13257

Our code sets all of the correct parameters but they are not honored by the PHP OpenSSL library when generating a PKCS#12 archive so we are looking into alternate means of generating the archives.

Actions #2

Updated by Jim Pingle about 2 years ago

  • Is duplicate of Bug #13257: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm added
Actions

Also available in: Atom PDF