I'm currently generating a PFX file for import in Windows via
icc.SaveToFile(pfxPath, cccCertWithPrivateKey, CERT_PASS, ccfBinary);
This works fine on the latest desktop and server versions of Windows, however I just encountered an issue with Windows Server 2012R2 where the import via certutil aborts with "WIN32: 86 ERROR_INVALID_PASSWORD". One comment to the accepted answer here https://stackoverflow.com/a/69343428 suggests that "What is not supported is password-based AES used in PKCS12/PFX" in the older Windows versions.
The suggested fix is to force the old cipher on the openssl command line via -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1.
My question: is it possible to override which cipher is used by mORMot2 to encrypt the certificate and key when I output in binary format?
Last edited by ulrichd (2025-03-03 21:39:49)
You are right: the default algorithm changed to AES-256-CBC with OpenSSL 3.
https://github.com/openssl/openssl/comm … 0bd686c4aa
It is clearly a breaking change.
It affected not only Windows Server 2012 R2 compatibility, but also MacOS / iOS: https://openradar.appspot.com/FB8988319
I have allowed forcing a specific algorithm via a password prefix:
icc.SaveToFile(pfxPath, cccCertWithPrivateKey, '3des=' + CERT_PASS, ccfBinary);
See https://github.com/synopse/mORMot2/commit/cac35d70c
and https://github.com/synopse/mORMot2/commit/04448e560
Feedback is welcome!
For instance, maybe a global flag could be used for the whole process?
Like OpenSslDefaultPkcs12 ?
ab,
that's a rather clever idea with the prefix on the password!
I pulled the latest from the repo but for some reason it's giving me an error when I try to build ("[dcc32 Error] mormot.lib.openssl11.pas(10206): E2026 Constant expression expected")...
Should be fixed now.
https://github.com/synopse/mORMot2/commit/af72d53f7
I have tested it and it works with Windows XP (I don't have any Windows Server 2012 VM).
Also made some fixes to the existing internal PFX use for self-signed HTTPS to be compatible with OpenSSL (the previous constant was using RC2 encryption which is legacy and not included in OpenSSL 3.x any more).
Yes, confirmed working perfectly. Tested on both Windows 2012R2 and 2016.
Thanks!