#1 2025-03-03 21:30:07

ulrichd
Member
Registered: 2018-07-30
Posts: 22

Override default OpenSSL 3.x cipher use

I'm currently generating a PFX file for import in Windows via

icc.SaveToFile(pfxPath, cccCertWithPrivateKey, CERT_PASS, ccfBinary);

This works fine on the latest desktop and server versions of Windows, however I just encountered an issue with Windows Server 2012R2 where the import via certutil aborts with "WIN32: 86 ERROR_INVALID_PASSWORD". One comment to the accepted answer here https://stackoverflow.com/a/69343428 suggests that "What is not supported is password-based AES used in PKCS12/PFX" in the older Windows versions.

The suggested fix is to force the old cipher on the openssl command line via -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1.

My question: is is possible to override which cipher is used by mORMot2 to encrypt the certificate and key when I output in binary format?

Last edited by ulrichd (2025-03-03 21:39:49)

Offline

#2 2025-03-04 17:06:01

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,926
Website

Re: Override default OpenSSL 3.x cipher use

You are right: default algorithm changed to AES-256-CBC with OpenSSL 3.
https://github.com/openssl/openssl/comm … 0bd686c4aa
It is clearly a breaking change.
It affected not only Windows Server 2012 R2 compatibility, but also MacOS / iOS: https://openradar.appspot.com/FB8988319

I have allowed to force a specific algorithm via a password prefix:

icc.SaveToFile(pfxPath, cccCertWithPrivateKey, '3des=' + CERT_PASS, ccfBinary);

See https://github.com/synopse/mORMot2/commit/cac35d70c
and https://github.com/synopse/mORMot2/commit/04448e560

Feedback is welcome!
For instance, maybe a global flag could be used for the whole process?
Like OpenSslDefaultPkcs12 ?

Offline

#3 2025-03-05 21:20:01

ulrichd
Member
Registered: 2018-07-30
Posts: 22

Re: Override default OpenSSL 3.x cipher use

ab,

that's a rather clever idea with the prefix on the password!

I pulled the latest from the repo but for some reason it's giving me an error when I try to build ("[dcc32 Error] mormot.lib.openssl11.pas(10206): E2026 Constant expression expected")...

Offline

#4 2025-03-06 07:59:40

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,926
Website

Re: Override default OpenSSL 3.x cipher use

Should be fixed now.
https://github.com/synopse/mORMot2/commit/af72d53f7

I have tested it and it works with Windows XP (I don't have any Windows Server 2012 VM).
Also made some fixes to the existing internal PFX use for self-signed HTTPS to be compatible with OpenSSL (the previous constant was using RC2 encryption which is legacy and not included in OpenSSL 3.x any more).

Offline

#5 2025-03-06 15:13:17

ulrichd
Member
Registered: 2018-07-30
Posts: 22

Re: Override default OpenSSL 3.x cipher use

Yes, confirmed working perfectly. Tested on both Windows 2012R2 and 2016.

Thanks!

Offline

Board footer

Powered by FluxBB