Project

General

Profile

Actions

Regression #14635

closed

"Legacy" strength PKCS#12 Export needs ``-legacy`` provider parameter on OpenSSL command

Added by Jim Pingle 9 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Force Exclusion
Affected Version:
Affected Architecture:

Description

On current dev snapshots with OpenSSL 3.0, the "Legacy" strength PKCS#12 export (RC2-40+SHA1) is unsupported by default. Attempting to use it results in the page reloading without producing an export file.

The other levels (high and low) work as expected.

Adding -legacy to the OpenSSL command parameters for that export strength enables the legacy provider and allows the command to work:

diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 46325aec1d..8c8ff1ae92 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -2655,7 +2655,7 @@ function cert_pkcs12_export($cert, $encryption = 'high', $passphrase = '', $add_
        /* Encryption and Digest */
        switch ($encryption) {
                case 'legacy':
-                       $algo = '-certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-40';
+                       $algo = '-legacy -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-40';
                        $hash = '';
                        break;
                case 'low':

A similar change will be needed inside the export package but it will need to be wrapped in a version test of some kind since that parameter will not work on OpenSSL 1.1.x I will start a separate issue for that.

Actions #1

Updated by Jim Pingle 9 months ago

Export package issue: #14636

Actions #2

Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Chris Linstruth 8 months ago

% openssl pkcs12 -legacy -info -in HA+OpenVPN+Server-Legacy.p12
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And40BitRC2-CBC, Iteration 2048

% openssl pkcs12 -info -in HA+OpenVPN+Server-Low.p12
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

% openssl pkcs12 -info -in HA+OpenVPN+Server-High.p12
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

Actions #4

Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Resolved

Looks good. When it failed it produced no file to download for the 'legacy' option at all, not even a 0-byte file.

Actions #5

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions

Also available in: Atom PDF