RC2 is deprecated by OpenSSL 3.2.0 #14

nightkr · 2024-01-25T18:49:56Z

From https://www.openssl.org/news/cl32.txt:

The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4,
RC5, DESX and DES have been moved to the legacy provider.

In practice, this means that trying to open an encrypted PKCS#12 bundle generated by p12::EncryptedData::from_safe_bags using OpenSSL will fail:

$ openssl pkcs12 -in truststore.p12 
Enter Import Password:
Error outputting keys and certificates
40976AB7AB730000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

This can be worked around by using the -legacy flag:

$ openssl pkcs12 -in truststore.p12 -legacy | head -n5
Enter Import Password:
Bag Attributes
    2.16.840.1.113894.746875.1.1: <No Values>
subject=CN = secret-operator self-signed
issuer=CN = secret-operator self-signed
-----BEGIN CERTIFICATE-----
[snip]

However, it would still be good to switch to a more modern algorithm.

The text was updated successfully, but these errors were encountered:

nightkr · 2024-01-25T18:57:57Z

Modern OpenSSL defaults to AES-256-CBC and PBKDF2, that seems like a good lead to follow.

nightkr mentioned this issue Jan 25, 2024

PKCS#12 bundles use deprecated RC2 encryption algorithm stackabletech/secret-operator#349

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RC2 is deprecated by OpenSSL 3.2.0 #14

RC2 is deprecated by OpenSSL 3.2.0 #14

nightkr commented Jan 25, 2024

nightkr commented Jan 25, 2024

RC2 is deprecated by OpenSSL 3.2.0 #14

RC2 is deprecated by OpenSSL 3.2.0 #14

Comments

nightkr commented Jan 25, 2024

nightkr commented Jan 25, 2024