Project

General

Profile

Actions

Regression #14877

closed

Import PKCS #12 (PFX) certificate error when using legacy/low ciphers

Added by Danilo Zrenjanin 6 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Force Exclusion
Affected Version:
Affected Architecture:

Description

Tested against:

23.09-BETA (amd64)
built on Fri Oct 13 6:00:00 UTC 2023
FreeBSD 14.0-CURRENT

When trying to import a PKCS #12 certificate, I am getting the following error:

The following input errors were detected:
* The submitted password does not unlock the submitted PKCS #12 certificate.

I can successfully import the same cert using the same password in the 23.05.1.

I generated the certificate on macOS Keychain Access.

Keychain Access --> Certificate Assistant --> Create a certificate.


Files

clipboard-202310140940-xxtcp.png (80 KB) clipboard-202310140940-xxtcp.png Danilo Zrenjanin, 10/14/2023 07:40 AM
Actions #1

Updated by Lev Prokofev 6 months ago

Tested, on

23.09-BETA (amd64)
built on Fri Oct 13 6:00:00 UTC 2023
FreeBSD 14.0-CURRENT

It works fine with a Cert generated on a Win server using AES256-SH256 or 3DES-SHA1

Actions #2

Updated by Danilo Zrenjanin 6 months ago

In the MacOS, the password gets generated once you right-click on the cert in the Keychain Access and choose export.

After entering that password in the pfSense import certificate page, it fails with the error message:

The following input errors were detected:
* The submitted password does not unlock the submitted PKCS #12 certificate.

The same procedure works fine in 23.05.1.

Actions #3

Updated by Jim Pingle 6 months ago

  • Subject changed from Import PKCS #12 (PFX) certificate error to Import PKCS #12 (PFX) certificate error when using legacy/low ciphers
  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.8.0
  • Plus Target Version set to 23.09

That's because when it gets exported it's using a low/old/deprecated cipher set. Then the import code doesn't support those.

The only way I can see to fix it is to enable the legacy provider by default in OpenSSL which we may need to do for this release. Otherwise we'd have to completely rewrite PKCS#12 import to use the openssl CLI commands or we'd have to tell users we can't import these bundles.

For safety/compatibility at least in this release, enabling the legacy provider should be OK.

Actions #4

Updated by Jim Pingle 6 months ago

  • Release Notes changed from Default to Force Exclusion
Actions #5

Updated by Jim Pingle 6 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Fixed by 275ae19ad70336f06ed53d655ceb96c8b2ab56f0 which enables the legacy provider by default.

If testing via applying a patch instead of by snapshot upgrade, either restart PHP-FPM and nginx (e.g 16/11 from the menu) or reboot after applying the patch.

Actions #6

Updated by Jim Pingle 6 months ago

After internal discussion we decided not to enable the legacy provider by default because it had other potentially negative repercussions.

I reverted that change and I have imported a new change to the error message that notes that if it fails it may be due to a bad cipher.

In other words, these P12 files will fail but that's expected and not a bug, and that failure case should be made more obvious by the updated error message.

Actions #7

Updated by Danilo Zrenjanin 6 months ago

  • Status changed from Feedback to Resolved

Tested against the latest Beta release.

The error message now accurately describes the cause of the failure.

The following input errors were detected:

The submitted password does not unlock the submitted PKCS #12 certificate or the bundle uses unsupported encryption ciphers.

I am marking this ticket resolved.

Actions #8

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions

Also available in: Atom PDF