Todo #13255

Updated by Jim Pingle almost 2 years ago

Currently when crafting a PKCS#12 archive the OpenVPN Client Export package does not set a specific encryption algorithm, so it ends up using the current default in OpenSSL 1.1.1 which is RC2. OpenSSL 3.0 is dropping support for RC2, and given its weakness we should be exporting using something stronger anyhow. 

The package should set AES-256 by passing @-certpbe AES-256-CBC -keypbe AES-256-CBC@ when creating the PKCS#12 file, perhaps with an option to omit them and use the old algorithms for legacy clients. The GUI Cert Manager PKCS#12 export already explicitly sets @OPENSSL_CIPHER_AES_256_CBC@ so it seems natural to update the export package to match.

The export package uses its own function, @openvpn_client_pem_to_pk12()@, to generate a PKCS#12 archive and this calls OpenSSL directly. This could likely be changed to use the PHP function instead which is what the GUI does. See source:src/usr/local/www/system_certmanager.php#L198 or thereabouts for the argument setup and call to @openssl_pkcs12_export()@.
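As an added example (not part of this ticket or of the pfSense packages), the script below runs the @openssl pkcs12 -export@ invocation with the PBE flags proposed above on a constructed throwaway self-signed certificate, then reads back the algorithms the archive actually records, which is how a reviewer can confirm that no RC2 or 3DES bag remains. The function names and passphrase are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not pfSense code: export a PKCS#12 archive with the ticket's
# explicit AES-256-CBC PBE flags, then read back what the archive records.
set -eu

# Constructed throwaway identity (EC key + self-signed cert) for the demo only.
make_test_identity() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -subj "/CN=p12-example" \
        -days 1 >/dev/null 2>&1
}

# Export as proposed: force AES-256-CBC for the certificate bag (-certpbe) and
# the shrouded key bag (-keypbe). Args: key cert output passphrase.
export_p12_aes256() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC
}

# Print the PBE algorithm lines recorded in an archive (-info goes to stderr).
p12_pbe_algorithms() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout -nokeys 2>&1 \
        | grep -E 'Encrypted data|Shrouded Keybag'
}

# Reviewer check: succeed only if AES-256-CBC is present and no RC2/3DES
# legacy PBE (the OpenSSL 1.1.1 defaults) appears anywhere in the archive.
p12_uses_aes256_only() {
    algs=$(p12_pbe_algorithms "$1" "$2")
    printf '%s\n' "$algs" | grep -qi 'aes-256-cbc' || return 1
    printf '%s\n' "$algs" | grep -qiE 'rc2|tripledes|des-ede' && return 1
    return 0
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    pass='example-pass'   # constructed passphrase, demo only
    make_test_identity "$tmp"
    export_p12_aes256 "$tmp/key.pem" "$tmp/cert.pem" "$tmp/out.p12" "$pass"
    p12_pbe_algorithms "$tmp/out.p12" "$pass"
    if p12_uses_aes256_only "$tmp/out.p12" "$pass"; then
        echo "OK: AES-256-CBC only, no RC2/3DES bags"
    else
        echo "WARNING: legacy PBE algorithm present" >&2; return 1
    fi
}
main "$@"
```

Running the same @p12_pbe_algorithms@ check against an archive produced by the current export package (which passes no @-certpbe@/@-keypbe@) under OpenSSL 1.1.1 shows the RC2 and 3DES bags the ticket describes.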