Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

export-p12: use OpenSSLv3-compatible ciphers (AES-256-CBC & SHA256) with OpenSSL 1.1 #1081

Closed
wants to merge 1 commit into from
Closed

export-p12: use OpenSSLv3-compatible ciphers (AES-256-CBC & SHA256) with OpenSSL 1.1 #1081

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions ChangeLog
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ Easy-RSA 3 ChangeLog
* Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
* LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
* Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)
* export-p12: Use OpenSSL V3-compatible ciphers under 1.1 when 'legacy'
is not used (#nnn)

Branch-merge: v3.2.0-beta2 (#1055) 2024/01/13 Commit: d51d79b

Expand Down
19 changes: 13 additions & 6 deletions easyrsa3/easyrsa
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -333,10 +333,10 @@ Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]"
(Equivalent to global option '--nopass|--no-pass')
* noca - Do not include the ca.crt file in the PKCS12 output
* nokey - Do not include the private key in the PKCS12 output
* nofn - Do not set 'freindlyName'
* nofn - Do not set 'friendlyName'
For more, see: 'easyrsa help friendly'
* legacy - Use legacy encryption algorithm RC2_CBC or 3DES_CBC
OpenSSL V3 ONLY: Default algorithm is AES-256-CBC"
(Default algorithm is AES-256-CBC)"
;;
friendly)
text_only=1
Expand Down Expand Up @@ -3273,7 +3273,11 @@ Run easyrsa without commands for usage and command help."
cipher=-aes256
want_ca=1
want_key=1
unset -v nokeys legacy
unset -v nokeys legacy p12_cipher_opts
# Under OpenSSL 1.1, use the PBE/MAC algorithms OpenSSL 3.0 uses,
# unless "legacy" is set. This makes the .p12 files readable by
# OpenSSL 3.0 without needing '-legacy'.
[ "$openssl_v3" ] || p12_cipher_opts="-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256"
while [ "$1" ]; do
case "$1" in
noca)
Expand All @@ -3293,9 +3297,11 @@ Run easyrsa without commands for usage and command help."
unset friendly_name
;;
legacy)
[ "$openssl_v3" ] || \
user_error "Option 'legacy' requires SSL version 3"
legacy=-legacy
if [ "$openssl_v3" ]; then
legacy=-legacy
else
unset -v p12_cipher_opts
fi
;;
*)
warn "Ignoring unknown option: '$1'"
Expand Down Expand Up @@ -3421,6 +3427,7 @@ Missing User Certificate, expected at:
-inkey "$key_in" \
${nokeys} \
${legacy} \
${p12_cipher_opts} \
${friendly_name:+ -name "$friendly_name"} \
${want_ca:+ -certfile "$crt_ca"} \
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
Expand Down