OpenSSL 3.x and Legacy Providers

    OpenSSL 3.0 was released in Sept 2021, and one of the major changes was this one:

    Provider based architecture. A replacement for the old “engine” interface that enables much more flexibility and the ability for third party authors to add new crypto algorithms into OpenSSL.

    https://www.openssl.org/blog/blog/2021/06/17/OpenSSL3.0ReleaseCandidate/

    In simpler, practical terms, this replaces the “old” way, where OpenSSL installed every known algorithm, with one where each installation chooses which provider(s) (i.e., sets of algorithms) it supports.

    In even simpler terms, it means that if you use certificate and key files in PFX or PEM format that were created with OpenSSL 1.1 or earlier, they might be encoded with algorithms that are no longer supported by default in OpenSSL 3.0.

    You would see an intimidating looking error message like this one:

    $ openssl pkcs12 -in sam.com.PFX -nodes
    Enter Import Password:
    Error outputting keys and certificates
    805B7CDE0A7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

    One option is to use the -legacy argument to tell OpenSSL to use the older / legacy algorithms to interpret the given file:

    $ openssl pkcs12 -in sam.com.PFX -legacy -nodes
    Enter Import Password:
    Bag Attributes
    localKeyID: 10 E7 30 27 86 6B 79 2A 7D 73 D7 68 D4 E8 9B 89 70 11 43 93
    subject=C = US, ST = Middle Earth, L = The Shire, O = Hobbits, CN = sam.com
    issuer=C = US, ST = Middle Earth, L = Rivendell, O = White Council, OU = Grey, CN = Gandalf the CA
    -----BEGIN CERTIFICATE-----
    MIIE0TCCArmgAwIBAgIUWnRxP6npEv7jDcayOF1BBWkukv0wDQYJKoZIhvcNAQEL

    If the -legacy argument isn’t accepted, some guides also recommend trying -provider legacy.

    While all that may work, there is a permanent fix you can implement: telling OpenSSL, in its config file, to load both the Default provider and the Legacy provider.

    Permanent Fix – always load Legacy providers

    With OpenSSL 3.x, you can use the openssl list -providers command to view activated providers:

    $ openssl list -providers
    Providers:
    default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active

    The above output is the default for OpenSSL and indicates the legacy providers are NOT enabled.

    To change this, we will make two changes to the OpenSSL configuration file.

    Find OpenSSL Configuration File

    To find the configuration file’s directory, use the openssl version -d command:

    $ openssl version -d
    OPENSSLDIR: "/usr/lib/ssl"

    That directory contains openssl.cnf, which stores all the default settings for your installation of OpenSSL.

    $ ls /usr/lib/ssl
    certs misc openssl.cnf private

    There are two sections in this file that you’ll need to change.

    Change 1 — Load Legacy Providers section

    This section lists the providers which will be loaded. Technically, each entry points to another section (sect) which will actually load the provider. It will initially look like this:

    # List of providers to load
    [provider_sect]
    default = default_sect

    Add the legacy = legacy_sect line:

    # List of providers to load
    [provider_sect]
    default = default_sect
    legacy = legacy_sect

    This will prompt OpenSSL to load the legacy_sect (legacy section) which you will be adding next.

    Change 2 — Enable both Legacy & Default providers

    Scroll a bit further down in the OpenSSL config file until you see this line:

    [default_sect]
    # activate = 1

    By default, if you are only loading one set of providers, it is automatically activated. Since we are adding another provider, we have to indicate we want them both activated.

    Remove the # sign to un-comment the activate = 1 directive. Then add and activate a legacy_sect:

    [default_sect]
    activate = 1

    [legacy_sect]
    activate = 1

    Verify both Providers are loaded by default

    You can verify the change was successful using the same openssl list -providers command from before. This time you should see that multiple providers are loaded:

    $ openssl list -providers
    Providers:
    default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
    legacy
    name: OpenSSL Legacy Provider
    version: 3.0.7
    status: active

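    At this point you should be able to inspect/decode files using regular commands, and OpenSSL will have access to any algorithm included in either the Legacy or Default 3.0 provider set. Because openssl.cnf holds the defaults for the whole installation, the legacy algorithms also become available to every other program that reads this configuration file: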

    $ openssl pkcs12 -in sam.com.PFX -nodes
    Enter Import Password:
    Bag Attributes
    localKeyID: 10 E7 30 27 86 6B 79 2A 7D 73 D7 68 D4 E8 9B 89 70 11 43 93
    subject=C = US, ST = Middle Earth, L = The Shire, O = Hobbits, CN = sam.com
    issuer=C = US, ST = Middle Earth, L = Rivendell, O = White Council, OU = Grey, CN = Gandalf the CA
    -----BEGIN CERTIFICATE-----
    MIIE0TCCArmgAwIBAgIUWnRxP6npEv7jDcayOF1BBWkukv0wDQYJKoZIhvcNAQEL
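
    If the legacy provider still does not appear in openssl list -providers after both changes, one of the references between config sections is usually broken. The following Python check is an added example, not part of the original article or of OpenSSL: it follows the chain openssl_conf -> [openssl_init] -> providers -> [provider_sect] -> per-provider sections and reports the first missing link. The function names and the sample config are constructed for illustration, the parser is deliberately simplified, and only the article's form activate = 1 is treated as activated.

```python
import re
SECTION = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")

def parse_cnf(text):
    """Simplified openssl.cnf reader (no .include, $var expansion, continuations)."""
    # Keys that appear before any [section] header land in "default".
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def provider_status(text):
    """Return (active, problems); assumes only 'activate = 1' means activated."""
    cnf = parse_cnf(text)
    init = cnf["default"].get("openssl_conf")
    if init is None:
        return [], ["no top-level 'openssl_conf = <section>' line"]
    plist = cnf.get(init, {}).get("providers")
    if plist is None:
        return [], [f"[{init}] has no uncommented 'providers = <section>' line"]
    active, problems = [], []
    for name, sect in cnf.get(plist, {}).items():
        if cnf.get(sect, {}).get("activate") == "1":
            active.append(name)
        else:
            problems.append(f"[{sect}] is missing or lacks 'activate = 1'")
    return active, problems

# Constructed sample: article's changes applied, [openssl_init] link left commented.
BROKEN = """\
openssl_conf = openssl_init
[openssl_init]
# providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""
FIXED = BROKEN.replace("# providers", "providers")
print(provider_status(BROKEN), provider_status(FIXED))
```

    To check a real installation, pass the contents of the openssl.cnf found under the directory reported by openssl version -d to provider_status().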

    OpenSSL Cheat Sheet and Training Course

    Do you use OpenSSL frequently? If so, you might be interested in my OpenSSL Cheat Sheet and OpenSSL Training Course:

    The Cheat Sheet is free (direct link), and the course steps through each section of the cheat sheet and describes and demonstrates each set of commands. The course also provides lab files for you to practice the commands yourself.

    Alternatively, you might be interested in my Practical TLS course, which is a deep dive into the world of SSL and TLS. As a bonus, it includes the OpenSSL Training Course.

    6 Comments
    Thanks so much for writing this.
    I had an issue with openbakery packaging, so I couldn’t modify the openssl call directly with “-legacy”…
    I’d been trying to figure out how to do this for hours. And within 10 mins of finding this page it was all working.
    You really explained it all very clearly. Really liked this article.

    Hi,

    Thanks for the article. It wasn’t working at first but I found that I had to enable this line too:

    [openssl_init]
    providers = provider_sect

    Best regards,
    Meerijn

    Another huge thanks for taking the time to provide this information.

    Hmmph. When I added the legacy section and enabled it, it never shows in the provider list. It’s as if nothing changed.

    VERY useful, thank you!

    Very helpful, thanks