doc:appunti:linux:sa:openvpn_openssl_problem
Differences
This shows you the differences between two versions of the page.
doc:appunti:linux:sa:openvpn_openssl_problem [2025/04/15 12:35] – [Extracting certificates an keys from the old .p12 file] niccolo | doc:appunti:linux:sa:openvpn_openssl_problem [2025/04/15 12:53] (current) – [OpenVPN problem with obsolete pkcs12 files] niccolo | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== OpenVPN problem with obsolete | + | ====== OpenVPN problem with obsolete |
If you are migrating a configuration from an old **OpenVPN 2.5.x** to a new **2.6**, you may face a problem with the **PKCS12** file, which was created with a legacy encryption. The error message is as follow: | If you are migrating a configuration from an old **OpenVPN 2.5.x** to a new **2.6**, you may face a problem with the **PKCS12** file, which was created with a legacy encryption. The error message is as follow: | ||
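Review bot: the unchanged introductory paragraph on both sides has a grammar slip, "The error message is as follow:" should read "The error message is as follows:", and "created with a legacy encryption" reads better as "created with legacy encryption". Since this hunk already touches the title line, it is a cheap place to fix both.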
Line 9: | Line 9: | ||
</ | </ | ||
- | Generally the pkcs12 file contains also the Certification Authority certificate, | + | Generally the pkcs12 file contains also the Certification Authority certificate, |
< | < | ||
Line 17: | Line 17: | ||
</ | </ | ||
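Review bot: word order in the unchanged sentence "Generally the pkcs12 file contains also the Certification Authority certificate" is awkward; "Generally the pkcs12 file also contains the Certification Authority certificate" is the natural English order. Nothing else in this hunk is visible beyond the truncated block markers, so the change itself cannot be reviewed here.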
- | ===== Extracting certificates an keys from the old .p12 file ===== | + | ====== Inspecting |
- | To solve the problem you can repack the .p12 file with a modern encryption. The extraction of the content must be performed on an the old host, **supporting the legacy encryption**. | + | To inspect the PKCS12 certificate and the encryption is uses: |
+ | |||
+ | < | ||
+ | openssl pkcs12 -info -in file.p12 | ||
+ | </ | ||
+ | |||
+ | the command must be run on an host supporting the SSL encryption used to create the file. | ||
+ | |||
+ | A file created with a legacy encryption may be like this: | ||
+ | |||
+ | < | ||
+ | ... | ||
+ | MAC: sha1, Iteration 1 | ||
+ | MAC length: 20, salt length: 8 | ||
+ | PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, | ||
+ | ... | ||
+ | PKCS7 Data | ||
+ | Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | indeed a newer certificate will be: | ||
+ | |||
+ | < | ||
+ | ... | ||
+ | MAC: sha256, Iteration 2048 | ||
+ | MAC length: 32, salt length: 8 | ||
+ | PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, | ||
+ | ... | ||
+ | PKCS7 Data | ||
+ | Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Extracting certificates and keys from the old .p12 file ===== | ||
+ | |||
+ | To solve the problem you can repack the .p12 file with a modern encryption. The extraction of the content must be performed on an the old host, **supporting the legacy encryption**: | ||
< | < |
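Review bot: the new section heading "====== Inspecting ..." uses six equals signs, which in DokuWiki is the top level reserved for the page title, while its sibling "===== Extracting certificates and keys from the old .p12 file =====" uses five; use five for "Inspecting" as well so it nests under the page title like the section that follows it. Several new sentences also need grammar fixes: "the encryption is uses" should be "the encryption it uses", "run on an host supporting the SSL encryption used" should be "run on a host whose OpenSSL supports the encryption algorithms used", "indeed a newer certificate will be:" should be "whereas a file created with modern encryption looks like this:", and "performed on an the old host" should be "performed on the old host". Finally, the two `openssl pkcs12 -info` samples would be more useful if the text named the lines the reader should compare: "MAC: sha1, Iteration 1", "pbeWithSHA1And40BitRC2-CBC" and "pbeWithSHA1And3-KeyTripleDES-CBC" identify the legacy file, while "MAC: sha256, Iteration 2048" and "PBES2, PBKDF2, AES-256-CBC" identify the repacked one, so a reader can tell from the output alone whether a given .p12 is the kind that triggers the OpenVPN 2.6 error.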
doc/appunti/linux/sa/openvpn_openssl_problem.1744713321.txt.gz · Last modified: 2025/04/15 12:35 by niccolo