openssl: 3.0.0-alpha1: "openssl pkcs12" is unable to parse or create PKCS#12 archives with default ciphers
Works in 1.1.1:
$ openssl version
OpenSSL 1.1.1d FIPS 10 Sep 2019
$ openssl pkcs12 -in cert.pem -inkey key.pem -out foo.p12 -export
Enter Export Password:
Verifying - Enter Export Password:
Fails in 3.0.0:
$ $HOME/openssl-3.0.0/bin/openssl version
OpenSSL 3.0.0-alpha1 23 Apr 2020 (Library: OpenSSL 3.0.0-alpha1 23 Apr 2020)
$ $HOME/openssl-3.0.0/bin/openssl pkcs12 -in cert.pem -inkey key.pem -out foo.p12 -export
Enter Export Password:
Verifying - Enter Export Password:
40:A7:D6:79:1B:7F:00:00:error:digital envelope routines:evp_generic_fetch:fetch failed:crypto/evp/evp_fetch.c:307:Default library context, Algorithm (RC2-40-CBC), Properties ()
40:A7:D6:79:1B:7F:00:00:error:digital envelope routines:EVP_CipherInit_ex:initialization error:crypto/evp/evp_enc.c:336:
40:A7:D6:79:1B:7F:00:00:error:digital envelope routines:EVP_PBE_CipherInit:keygen failure:crypto/evp/evp_pbe.c:132:
40:A7:D6:79:1B:7F:00:00:error:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:crypto/pkcs12/p12_decr.c:36:
40:A7:D6:79:1B:7F:00:00:error:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:crypto/pkcs12/p12_decr.c:133:
40:A7:D6:79:1B:7F:00:00:error:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:crypto/pkcs12/p12_add.c:119:
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 2
- Comments: 37 (34 by maintainers)
Commits related to this issue
- pkcs12 : Changes defaults from RC2 to PBES2 with PBKDF2 Fixes issue #11672 Adds provider option legacy to load the legacy provider Signed-off-by: Sahana Prasad <sahana@redhat.com> — committed to sahanaprasad07/openssl by deleted user 4 years ago
- apps/pkcs12: Change defaults from RC2 to PBES2 with PBKDF2 Fixes #11672 Add "-legacy" option to load the legacy provider and fall back to the old legacy default algorithms. doc/man1/openssl-pkcs12.... — committed to swenkeratmicrosoft/openssl by deleted user 4 years ago
- fix(release) use openssl legacy provider for pkcs12 Ref. https://github.com/openssl/openssl/issues/11672. This is a short-term measure to fix the weekly release process. — committed to jenkins-infra/release by dduportal 2 years ago
I’ll work on the PR soon.
(Note I blocked user qa8302…they have been commenting on various issues/PRs with random spam)
No, please, we should not use RC2 and similar abominations by default. And not having legacy provider loaded by default prevents this nicely.
What is the point of creating insecurely encrypted pkcs12 files by default in openssl-3.0?
But why not default to PBES2 with PBKDF2 algos? And perhaps add a -legacy option to create a legacy-encrypted pkcs12 which would also load the legacy provider?