OpenSSL 3.0 was released in September 2021, and one of the major changes was this one:
Provider based architecture. A replacement for the old “engine” interface that enables much more flexibility and the ability for third party authors to add new crypto algorithms into OpenSSL.
https://www.openssl.org/blog/blog/2021/06/17/OpenSSL3.0ReleaseCandidate/
In simpler, practical terms: instead of the "old" way, where OpenSSL installed every known algorithm, each installation now chooses which provider(s) (i.e., which sets of algorithms) it supports.
In even simpler terms, if you have certificate and key files in PFX or PEM format that were created with OpenSSL 1.1 or earlier, they may be encoded with algorithms that a default OpenSSL 3.0 installation no longer loads.
You would see an intimidating-looking error message like this one:
$ openssl pkcs12 -in sam.com.PFX -nodes
Enter Import Password:
Error outputting keys and certificates
805B7CDE0A7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
One option is to use the -legacy argument to tell OpenSSL to use the older / legacy algorithms to interpret the given file:
$ openssl pkcs12 -in sam.com.PFX -legacy -nodes
Enter Import Password:
Bag Attributes
localKeyID: 10 E7 30 27 86 6B 79 2A 7D 73 D7 68 D4 E8 9B 89 70 11 43 93
subject=C = US, ST = Middle Earth, L = The Shire, O = Hobbits, CN = sam.com
issuer=C = US, ST = Middle Earth, L = Rivendell, O = White Council, OU = Grey, CN = Gandalf the CA
-----BEGIN CERTIFICATE-----
MIIE0TCCArmgAwIBAgIUWnRxP6npEv7jDcayOF1BBWkukv0wDQYJKoZIhvcNAQEL
…
If the -legacy argument isn't accepted, some guides also recommend trying -provider legacy.
While all that may work, there is a permanent fix you can implement: telling OpenSSL to load both the new Default provider and the Legacy provider in the OpenSSL config file.
Permanent Fix – always load Legacy providers
With OpenSSL 3.x, you can use the openssl list -providers command to view activated providers:
$ openssl list -providers
Providers:
default
name: OpenSSL Default Provider
version: 3.0.2
status: active
The above output is the default for OpenSSL and indicates the legacy provider is NOT enabled.
To change this, we will make two changes to the OpenSSL configuration file.
Find OpenSSL Configuration File
To find the configuration file's directory, use the openssl version -d command:
$ openssl version -d
OPENSSLDIR: “/usr/lib/ssl”
In the given directory will be the openssl.cnf file, which stores all the default settings for your installation of OpenSSL.
$ ls /usr/lib/ssl
certs misc openssl.cnf private
There are two sections in this file that you’ll need to change.
Change 1 — Load Legacy Providers section
This section lists the providers which will be loaded. Technically, each entry points to another section (sect) which will actually configure and activate that provider. It will initially look like this:
# List of providers to load
[provider_sect]
default = default_sect
Add this line:
# List of providers to load
[provider_sect]
default = default_sect
legacy = legacy_sect
This will prompt OpenSSL to load the legacy_sect (legacy section) which you will be adding next.
Change 2 — Enable both Legacy & Default providers
Scroll a bit further down in the OpenSSL config file until you see this line:
[default_sect]
# activate = 1
By default, if you are only loading one set of providers, it is automatically activated. Since we are adding another provider, we have to indicate we want them both activated.
Remove the # sign to un-comment the activate = 1 directive. Then add and activate a legacy_sect:
[default_sect]
activate = 1
[legacy_sect]
activate = 1
Verify both Providers are loaded by default
You can verify the change was successful using the same openssl list -providers command from before. This time you should see multiple providers are loaded:
$ openssl list -providers
Providers:
default
name: OpenSSL Default Provider
version: 3.0.7
status: active
legacy
name: OpenSSL Legacy Provider
version: 3.0.7
status: active
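The runtime check above tells you whether the legacy provider loaded, but not why it did not. The following added example (my own code, not part of the original article) reads an openssl.cnf and follows the chain of sections the article edits: [openssl_init] providers -> [provider_sect] legacy -> [legacy_sect] activate = 1, plus activate = 1 on the default section. The sample configs are constructed for the example; the parser deliberately ignores .include directives and $ENV:: expansion.

```python
import re
from typing import Dict, Tuple

def parse_openssl_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal openssl.cnf reader: '[section]' headers, 'key = value' pairs, '#' comments.
    Keys before the first header land in section ''. '.include' and $ENV:: are not handled."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments, so '# activate = 1' is inert
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def legacy_provider_enabled(text: str) -> Tuple[bool, str]:
    """Follow [openssl_init] providers -> provider section -> legacy section -> activate = 1,
    and require activate = 1 on the default section as well (it is no longer implicit
    once a second provider is listed). Returns (True, '') or (False, reason)."""
    cfg = parse_openssl_cnf(text)
    init = cfg.get("openssl_init", {})
    if "providers" not in init:
        return False, "[openssl_init] has no 'providers = ...' line, so no provider section is read"
    prov_name = init["providers"]
    prov = cfg.get(prov_name)
    if prov is None:
        return False, f"provider section [{prov_name}] is missing"
    if "legacy" not in prov:
        return False, f"[{prov_name}] has no 'legacy = ...' entry"
    if cfg.get(prov["legacy"], {}).get("activate") != "1":
        return False, f"[{prov['legacy']}] is missing or lacks 'activate = 1'"
    if "default" in prov and cfg.get(prov["default"], {}).get("activate") != "1":
        return False, f"[{prov['default']}] needs 'activate = 1' once a second provider is listed"
    return True, ""

# Constructed sample configs (not copied from any real system): the stock layout, then the fixed one.
DEFAULT_CNF = """[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
# activate = 1
"""
FIXED_CNF = DEFAULT_CNF.replace("default = default_sect", "default = default_sect\nlegacy = legacy_sect") \
    .replace("# activate = 1", "activate = 1") + "[legacy_sect]\nactivate = 1\n"
```

Run legacy_provider_enabled(open("/usr/lib/ssl/openssl.cnf").read()) (or whatever path openssl version -d reports) to lint the real file before restarting services that depend on it.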
At this point you should be able to inspect/decode files using regular commands and OpenSSL will have access to any algorithm included in either the Legacy or Default 3.0 provider set:
$ openssl pkcs12 -in sam.com.PFX -nodes
Enter Import Password:
Bag Attributes
localKeyID: 10 E7 30 27 86 6B 79 2A 7D 73 D7 68 D4 E8 9B 89 70 11 43 93
subject=C = US, ST = Middle Earth, L = The Shire, O = Hobbits, CN = sam.com
issuer=C = US, ST = Middle Earth, L = Rivendell, O = White Council, OU = Grey, CN = Gandalf the CA
-----BEGIN CERTIFICATE-----
MIIE0TCCArmgAwIBAgIUWnRxP6npEv7jDcayOF1BBWkukv0wDQYJKoZIhvcNAQEL
…
OpenSSL Cheat Sheet and Training Course
Do you use OpenSSL frequently? If so, you might be interested in my OpenSSL Cheat Sheet and OpenSSL Training Course:
The Cheat Sheet is free (direct link), and the course steps through each section of the cheat sheet and describes and demonstrates each set of commands. The course also provides lab files for you to practice the commands yourself.
Alternatively, you might be interested in my Practical TLS course, which is a deep dive into the world of SSL and TLS. As a bonus, it includes the OpenSSL Training Course.
Thanks so much for writing this.
I had an issue with openbakery packaging, so I couldn’t modify the openssl call directly with “-legacy”…
I’d been trying to figure out how to do this for hours. And within 10 mins of finding this page it was all working.
You really explained it all very clearly. Really liked this article.
Hi,
Thanks for the article. It wasn’t working at first but I found that I had to enable this line too:
[openssl_init]
providers = provider_sect
Best regards,
Meerijn
Another huge thanks for taking the time to provide this information.
hmmph. When I added the legacy section and enabled it, it never shows in the provider list. It’s as if nothing changed.
VERY useful thank you!
Very helpful, thanks.
Good explanation.