Regression #14635

closed

"Legacy" strength PKCS#12 Export needs ``-legacy`` provider parameter on OpenSSL command

Added by Jim Pingle over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Category: Certificates
% Done: 100%
Plus Target Version: 23.09
Release Notes: Force Exclusion

Description

On current dev snapshots with OpenSSL 3.0, the "Legacy" strength PKCS#12 export (RC2-40+SHA1) is unsupported by default. Attempting to use it results in the page reloading without producing an export file.

The other levels (high and low) work as expected.

Adding -legacy to the OpenSSL command parameters for that export strength enables the legacy provider and allows the command to work:

diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index 46325aec1d..8c8ff1ae92 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -2655,7 +2655,7 @@ function cert_pkcs12_export($cert, $encryption = 'high', $passphrase = '', $add_
        /* Encryption and Digest */
        switch ($encryption) {
                case 'legacy':
-                       $algo = '-certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-40';
+                       $algo = '-legacy -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-40';
                        $hash = '';
                        break;
                case 'low':
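Review bot: the '-legacy' flag in the case 'legacy' branch is hard-coded into $algo with no comment and no OpenSSL version guard. A one-line comment above the assignment saying that '-legacy' loads the OpenSSL 3.0 legacy provider required for PBE-SHA1-RC2-40 would keep a later cleanup from dropping it. Since the description notes that the parameter does not work on OpenSSL 1.1.x, the flag should be gated on the OpenSSL version if this file can ever run against 1.1.x.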

A similar change will be needed inside the export package, but it will need to be wrapped in a version test of some kind since that parameter will not work on OpenSSL 1.1.x. I will start a separate issue for that.
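The version test mentioned above, sketched as an added shell example (not pfSense code and not written by the issue author): it prepends -legacy to the RC2-40 PBE options only when the version string reports OpenSSL 3 or later. The function names are hypothetical and the version strings are constructed samples in the shape of `openssl version` output.

```shell
#!/bin/sh
# Added example: gate the pkcs12 "-legacy" option on the OpenSSL major version.
# Function names are hypothetical; this is not code from pfSense.

# openssl_major VERSION_STRING
# Prints the major version for strings such as "OpenSSL 3.0.12 24 Oct 2023".
# Prints nothing for other vendors or unparsable input.
openssl_major() {
    case "$1" in
        "OpenSSL "[0-9]*)
            v=${1#OpenSSL }            # drop the vendor prefix
            printf '%s\n' "${v%%.*}"   # keep the text before the first dot
            ;;
    esac
}

# pkcs12_legacy_args VERSION_STRING
# Prints the PBE options for the "legacy" export strength. "-legacy" is added
# only for OpenSSL >= 3, where RC2-40 lives in the legacy provider; 1.1.x
# does not accept that option, so it is left out there and for unknown input.
pkcs12_legacy_args() {
    major=$(openssl_major "$1")
    case "$major" in
        ''|*[!0-9]*) major=0 ;;        # unknown or non-numeric: treat as pre-3
    esac
    if [ "$major" -ge 3 ]; then
        printf '%s' '-legacy '
    fi
    printf '%s\n' '-certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-40'
}

# Constructed sample version strings (not captured from a real system).
for sample in 'OpenSSL 3.0.12 24 Oct 2023' 'OpenSSL 1.1.1t  7 Feb 2023'; do
    printf '%s => %s\n' "$sample" "$(pkcs12_legacy_args "$sample")"
done
```

On a live system the argument would be the output of `openssl version`.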
