Cloudlog: [OpenSSL] LotW Certificate import fails

At least HB9WDF reported that LotW cert upload fails with web server running PHP8.1 / OpenSSL 3. The application logs show an error like:

INFO - 2023-04-19 21:10:53 --> Model "LotwCert" initialized
ERROR - 2023-04-19 21:10:54 --> Severity: Warning --> Undefined array key "cert" /var/www/cloudlog/application/controllers/Lotw.php 406
ERROR - 2023-04-19 21:10:54 --> error:0308010C:digital envelope routines::unsupported

This seems to be a problem of recent OpenSSL versions and probably LotW using outdated security and hashing algorithms for their certificates. As of now it seems there is no workaround besides enabling the legacy options in SSL config /etc/ssl/openssl.cnf:

diff -purN openssl.cnf.orig openssl.cnf
--- openssl.cnf.orig	2023-04-19 23:14:57.860323988 +0200
+++ openssl.cnf	2023-04-19 23:14:30.976378880 +0200
@@ -57,6 +57,7 @@ ssl_conf = ssl_sect
 # List of providers to load
 [provider_sect]
 default = default_sect
+legacy = legacy_sect
 
 # The fips section name should match the section name inside the
 # included fipsmodule.cnf.
@@ -71,7 +72,10 @@ default = default_sect
 # OpenSSL may not work correctly which could lead to significant system
 # problems including inability to remotely access the system.
 [default_sect]
-# activate = 1
+activate = 1
+
+[legacy_sect]
+activate = 1

Taken from https://stackoverflow.com/a/73858615 resp. https://gist.github.com/rdh27785/97210d439a280063bd768006450c435d.

This enables legacy options in SSL. After doing the changes the web server / PHP application needs a restart. This ist definitely only a temporary solution because we should not touch these settings imho. Not sure if LotW uses more recent algos in newer certs?

According to https://www.openssl.org/docs/manmaster/man1/openssl-pkcs12.html we can extract data from a cert file with -info. So maybe there is someone out there who has a recent LotW certificate and could run

$ openssl pkcs12 -in Callsign_nopass.p12 -info

on his p12 file (extracted without password from tqsl application) and show the info about the algorithms in use? My cert is from 2021 and maybe ARRL uses more recent algorithms in newer certs?!

The (probably) relevant sections are:

PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

The RC2_CBC algos are definitely deprecated and causing the issues here.

After all I think this is more related to the OpenSSL version than the PHP version but hey ā€¦

P.S.: Please do not post private key data šŸ˜ƒ

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Comments: 15 (12 by maintainers)

Most upvoted comments

Yay

+1
magicbug on Sep 25, 2023

Hi, if your have this line commented out with # in openssl.cnf

#openssl_conf = openssl_init

You must uncomment it

openssl_conf = openssl_init

Iā€™m using Archlinux and it has already been uncommented.

After some research, I solved it by adding some additional support for openssl.

For anyone having the same issue:

First you have to find where your openssl.cnf is.

 $ php --info | grep "Openssl"
Openssl default config => /etc/ssl/openssl.cnf

Then open it with your editor.

Uncomment #openssl_conf = openssl_init as mentioned above.

Then if it still fails, add/modify the following:

[default_sect]
activate = 1
[legacy_sect]
activate = 1
[provider_sect]
default = default_sect
legacy = legacy_sect

credit: https://stackoverflow.com/questions/73832854/php-openssl-pkcs12-read-error0308010cdigital-envelope-routinesunsupported

+1
violarulan on Sep 17, 2023

Digged though my LotW certificates and also the most recent one (from 2022) uses SHA1And40BitRC2-CBC. So I guess they are still using it ā€¦ -.-

+1
phl0 on Apr 20, 2023
Read more comments on GitHub
← Cloudlog: Error when clicking "Logout"
Cloudlog: [PHP 8.1] "Passing null to parameter #1 ($datetime) of type string is deprecated" errors while searching in logbook →