Victor C

Reputation: 41

OpenSSL 3.0.2 PKCS12_parse Failure

We're migrating to OpenSSL 3.0.2, and are currently experiencing connection issues between a 3.0.2 server and a 1.1.1g client.

According to the logs collected we seem to be having an issue with the loading of the legacy providers. We are loading both the default and legacy providers programmatically as per the steps outlined in the Wiki for OpenSSL 3.0 - 6.2 Providers without issue.

We are seeing the following error:

error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
PKCS12_parse() failed = 183

(Using GetLastError from errhandlingapi.h, the 183 error code is obtained.)

Worth mentioning that we are only seeing this issue occur when the server is a Windows 2012 server.

Both default and legacy providers are loaded without issue at start.

Upvotes: 3

Views: 9478

Answers (2)

As pointed out by Liam, OpenSSL 3.0 does not support *by default* the legacy algorithm RC2-40-CBC.

Fortunately, the legacy library is included in the bin folder in my distribution (https://slproweb.com/products/Win32OpenSSL.html ; full list https://wiki.openssl.org/index.php/Binaries).

So my steps to resolve were:

  1. Set OPENSSL_MODULES
  2. Add -legacy option

Set the variable OPENSSL_MODULES

SET OPENSSL_MODULES=C:\Program Files\OpenSSL-Win64\bin

Without -legacy option:

D:\sources\en.Resilience_Temy\config\certificates>openssl pkcs12 -in server.p12 -out saxserver.crt
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Error outputting keys and certificates
58630000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

With -legacy option:

D:\sources\en.Resilience_Temy\config\certificates>openssl pkcs12 -in server.p12 -out server.crt -legacy
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

And file is generated successfully.

Upvotes: 8

Liam Kelly

Reputation: 3714

This is likely due to RC2-40-CBC, or more specifically RC2, being disabled by either AD policy or the OpenSSL library because it is deemed too weak a cipher.

A very simple way to test this:

  • open WordPad and create a file helloworld.txt with hello world in it
  • run openssl enc -e -rc2-40-cbc -K 1234567890 -iv 0000000000000000 -in helloworld.txt -out helloworld.enc

If this generates an error, that would be stronger evidence that RC2-40 is disabled. From there you can either:

  • Determine if AD or the OpenSSL library (compile flags) is blocking its use and enable it
  • Use stronger ciphers in your P12 generation (suggested route)

Upvotes: 1
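The following script is an added example and is not part of the question or either answer. It ties the two answers together: it reproduces the RC2-40-CBC parse failure with a PKCS#12 file built the way OpenSSL 1.1.1 builds them by default, runs Liam's "can RC2-40 be fetched" check in a deterministic form (with and without the legacy provider), shows the `-legacy` / `-provider legacy` fix from the accepted answer, and then re-exports the bundle with AES-256-CBC and a SHA-256 MAC so the legacy provider is no longer needed at all. It assumes an OpenSSL 3.x `openssl` on PATH with the legacy provider module installed; if the module lives somewhere non-standard, export `OPENSSL_MODULES` to the directory containing legacy.so / legacy.dll first, as the accepted answer does on Windows. The function names, the password `test` and the throwaway certificate are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original question or answers. Reproduces the
# RC2-40-CBC failure on OpenSSL 3.x, shows the -legacy / -provider fix, and
# re-exports the bundle with AES so the legacy provider is no longer needed.
# Assumes an OpenSSL 3.x `openssl` on PATH with its legacy module installed
# (set OPENSSL_MODULES=<dir with legacy.so or legacy.dll> if it is elsewhere).
set -e

PASS=test   # password for the constructed test bundles (not a real secret)

# Liam's check, made deterministic: can RC2-40-CBC be fetched with the
# provider set given in "$@"? No arguments = whatever OpenSSL loads by
# default, which on 3.x is the default provider only. 40-bit key, 64-bit IV.
rc2_40_available() {
    printf 'hello world\n' |
        openssl enc -e -rc2-40-cbc -K 1234567890 -iv 0000000000000000 "$@" \
            >/dev/null 2>&1
}

# Same check with the legacy provider loaded explicitly (the default provider
# must be named too, since naming any provider disables auto-loading).
have_legacy_provider() {
    rc2_40_available -provider legacy -provider default
}

# Build a PKCS#12 file the way OpenSSL 1.1.1 did by default: certificate bag
# under pbeWithSHA1And40BitRC2-CBC, key bag under 3DES, SHA-1 MAC. On 3.x the
# -legacy switch is needed even to *write* such a file. $1 = output path.
make_legacy_p12() {
    dir=$(dirname "$1")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=legacy-p12-test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -legacy -passout "pass:$PASS" \
        -inkey "$dir/key.pem" -in "$dir/cert.pem" -out "$1"
}

# Command-line equivalent of PKCS12_parse(): decrypt every bag and write the
# contents out. Extra arguments (e.g. -legacy) go to the pkcs12 app. Returns
# non-zero on the "unsupported" fetch error from the question.
parse_p12() {
    file=$1; shift
    openssl pkcs12 -in "$file" -passin "pass:$PASS" -nodes -out /dev/null "$@" \
        >/dev/null 2>&1
}

# Print the PBE and MAC algorithms a bundle uses; -legacy reads either kind.
p12_algorithms() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$PASS" -legacy 2>&1
}

# Long-term fix (Liam's "use stronger ciphers"): re-export with algorithms the
# default provider supports: PBES2/AES-256-CBC for both bags, SHA-256 MAC.
# $1 = legacy bundle, $2 = new bundle.
reexport_modern_p12() {
    dir=$(dirname "$2")
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -legacy -nodes \
        -out "$dir/plain.pem"
    openssl pkcs12 -export -passout "pass:$PASS" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -in "$dir/plain.pem" -out "$2"
}

demo() {
    work=$(mktemp -d)
    make_legacy_p12 "$work/legacy.p12"
    echo "RC2-40-CBC with default providers: $(rc2_40_available && echo yes || echo no)"
    echo "RC2-40-CBC with -provider legacy:  $(have_legacy_provider && echo yes || echo no)"
    echo "parse legacy.p12 without -legacy:  $(parse_p12 "$work/legacy.p12" && echo ok || echo FAILED)"
    echo "parse legacy.p12 with -legacy:     $(parse_p12 "$work/legacy.p12" -legacy && echo ok || echo FAILED)"
    reexport_modern_p12 "$work/legacy.p12" "$work/modern.p12"
    echo "parse modern.p12 without -legacy:  $(parse_p12 "$work/modern.p12" && echo ok || echo FAILED)"
    p12_algorithms "$work/modern.p12" | grep -E 'MAC:|Encrypted data|Keybag'
    rm -rf "$work"
}

# Only run the demo on an OpenSSL 3.x build that can load the legacy module.
if openssl version 2>/dev/null | grep -q '^OpenSSL 3' && have_legacy_provider; then
    demo
else
    echo "demo skipped: needs OpenSSL 3.x with the legacy provider (check OPENSSL_MODULES)" >&2
fi
```

Two things worth noting when adapting this. If `have_legacy_provider` fails but `legacy.so`/`legacy.dll` is present on disk, `OPENSSL_MODULES` is pointing at the wrong directory, which is the situation the accepted answer fixed. And once a server is on 3.x, re-exporting with AES/SHA-256 (the default on 3.x `pkcs12 -export` without `-legacy`) is the fix that does not depend on the legacy provider being deployed with the application.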
