After upgrading my app to Heroku-22, OpenSSL 3 no longer allows the use of older hashing algorithms, symmetric ciphers, or key derivation functions.
For example, loading a PKCS12 file that uses the RC2-40-CBC cipher for encryption results in an error such as OpenSSL::PKCS12::PKCS12Error PKCS12_parse: unsupported.
OpenSSL 3.0 moved several deprecated or insecure algorithms into a separate, loadable module called the legacy provider. It is not loaded by default, so apps (or their language runtimes) that use OpenSSL for cryptographic operations cannot use those algorithms when loading certificates, creating message digests, and so on.
For security reasons, it is strongly recommended to retire the use of these legacy algorithms.
If your application utilizes client certificates stored in a file encrypted with a legacy cipher such as RC2-40-CBC, it is possible to "modernize" the certificate file by re-encrypting it using the
For example, if you have a client.p12 (or client.pfx) certificate file on your local computer:
$ openssl pkcs12 -legacy -in client.p12 -nodes -out cert-decrypted.tmp
(enter passphrases if prompted)
$ openssl pkcs12 -in cert-decrypted.tmp -export -out client-new.p12
(enter passphrases if prompted)
$ rm cert-decrypted.tmp
The client-new.p12 certificate file now contains the same keys, but encrypted using AES-256-CBC. Note that cert-decrypted.tmp held the private key unencrypted (-nodes), which is why the last step deletes it.
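The two-step re-encryption above, wrapped in a small POSIX shell script (an added example, not part of the Heroku article), first checks whether a PKCS#12 file actually depends on the legacy provider, then re-exports it with the AES-256-CBC default of OpenSSL 3 and confirms the result opens with the default provider alone. It assumes an OpenSSL 3 openssl binary on PATH, that the legacy module shipped with it is available for the decryption step, and that the passphrase is supplied in the P12_PASS environment variable; the function names p12_parses_without_legacy, p12_needs_legacy, p12_algorithms and p12_modernize are the example's own.

```shell
#!/bin/sh
# Added example (not from the Heroku article): check whether a PKCS#12 file
# needs OpenSSL 3's legacy provider, and re-encrypt it with AES-256-CBC.
# Assumes an OpenSSL 3 `openssl` on PATH and the passphrase in $P12_PASS
# (openssl reads it via -passin env:P12_PASS). Function names are our own.
set -u

# Exit 0 when FILE ($1) opens with the default provider alone, i.e. the way
# a Heroku-22 app (or its language runtime) will open it.
p12_parses_without_legacy() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -passout env:P12_PASS \
    -out /dev/null 2>/dev/null
}

# Exit 0 when FILE ($1) only opens once the legacy provider is loaded.
p12_needs_legacy() {
  ! p12_parses_without_legacy "$1" &&
    openssl pkcs12 -legacy -in "$1" -passin env:P12_PASS -passout env:P12_PASS \
      -out /dev/null 2>/dev/null
}

# Print the encryption and MAC algorithms used inside FILE ($1), loading the
# legacy provider only when the default one cannot read the file.
p12_algorithms() {
  legacy=""
  p12_parses_without_legacy "$1" || legacy="-legacy"
  # openssl prints the -info lines on stderr, hence 2>&1
  openssl pkcs12 $legacy -info -in "$1" -passin env:P12_PASS -noout 2>&1 |
    grep -E 'PKCS7|Keybag|^MAC:'
}

# Re-encrypt IN ($1) into OUT ($2) with the OpenSSL 3 `pkcs12 -export`
# defaults: AES-256-CBC with PBKDF2. The passphrase is kept; add a different
# -passout to change it. The private key is unencrypted only inside a 0600
# mktemp file, which is removed again on every exit path.
p12_modernize() {
  in=$1; out=$2
  tmp=$(mktemp) || return 1
  if ! openssl pkcs12 -in "$in" -passin env:P12_PASS -nodes -out "$tmp" 2>/dev/null; then
    openssl pkcs12 -legacy -in "$in" -passin env:P12_PASS -nodes -out "$tmp" ||
      { rm -f "$tmp"; return 1; }
  fi
  openssl pkcs12 -export -in "$tmp" -passout env:P12_PASS -out "$out"
  status=$?
  rm -f "$tmp"
  return "$status"
}

# Usage: P12_PASS='...' sh modernize_p12.sh client.p12 client-new.p12
if [ "$#" -eq 2 ]; then
  : "${P12_PASS:?set P12_PASS to the PKCS#12 passphrase}"
  if p12_needs_legacy "$1"; then
    echo "$1 needs the legacy provider:"; p12_algorithms "$1"
    p12_modernize "$1" "$2" && { echo "$2 written:"; p12_algorithms "$2"; }
  else
    echo "$1 already opens without the legacy provider; nothing to do"
  fi
fi
```

The passphrase is read from the environment rather than passed as pass:... on the command line, so it does not show up in the process list of other local users; the interactive prompts in the article's commands are the other safe option. p12_algorithms is the check worth running on the result: a file whose -info lines show PBES2/PBKDF2 with AES-256-CBC and a sha256 MAC will load on Heroku-22 without any provider changes.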
In rare cases where this is not possible, you can override the configuration used by OpenSSL via the OPENSSL_CONF environment variable.
Be advised that this approach enables outdated or potentially insecure algorithms for all cryptographic operations performed by OpenSSL.
As the OpenSSL configuration file format allows the inclusion of other files, you can .include the default openssl.cnf config file (which resides in /usr/lib/ssl) and then add config directives that load the legacy provider module.
For example, if you create an openssl_legacy.cnf file in your project with the following contents:
.include = /usr/lib/ssl/openssl.cnf
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
You can then set OPENSSL_CONF to point to this file:
$ heroku config:set OPENSSL_CONF=/app/openssl_legacy.cnf
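To confirm that an openssl_legacy.cnf like the one above really activates the legacy provider before relying on it in production, here is an added example (not from the Heroku article) in POSIX shell. It writes the file, taking the .include path from openssl version -d instead of hard-coding /usr/lib/ssl so the same script also works on a developer machine, and then checks both that openssl lists the provider as loaded and that an RC2-40-CBC operation now succeeds. It assumes an OpenSSL 3 openssl binary on PATH; the helper names openssl_dir, write_legacy_cnf, legacy_provider_active and legacy_cipher_usable are the example's own.

```shell
#!/bin/sh
# Added example (not from the Heroku article): write an OpenSSL 3 config that
# activates the legacy provider next to the default one, then verify that
# OpenSSL really loaded it. Function names are the example's own.
set -u

# OPENSSLDIR as reported by the binary ("/usr/lib/ssl" on Heroku-22).
openssl_dir() {
  openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Write the config to $1; $2 optionally overrides the directory holding the
# stock openssl.cnf that is .included (so its other settings are kept).
write_legacy_cnf() {
  dir=${2:-$(openssl_dir)}
  cat > "$1" <<EOF
.include = $dir/openssl.cnf

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

# Exit 0 when `openssl list -providers`, run with OPENSSL_CONF=$1, lists the
# legacy provider (every loaded provider appears by name, indented).
legacy_provider_active() {
  OPENSSL_CONF="$1" openssl list -providers 2>/dev/null |
    grep -qE '^[[:space:]]+legacy$'
}

# Exit 0 when cipher $2 (e.g. rc2-40-cbc, which lives only in the legacy
# provider) can perform a real encryption with OPENSSL_CONF=$1.
legacy_cipher_usable() {
  printf 'constructed sample plaintext' |
    OPENSSL_CONF="$1" openssl enc "-$2" -pbkdf2 -pass pass:example \
      -out /dev/null 2>/dev/null
}

# Usage: sh check_legacy_cnf.sh /app/openssl_legacy.cnf
if [ "$#" -eq 1 ]; then
  [ -f "$1" ] || write_legacy_cnf "$1"
  if legacy_provider_active "$1"; then
    echo "legacy provider active via $1"
  else
    echo "legacy provider NOT active via $1 (module missing or config not loaded)"
  fi
  legacy_cipher_usable "$1" rc2-40-cbc && echo "RC2-40-CBC usable"
fi
```

If legacy_provider_active fails even though the file is in place, the usual causes are that the build does not ship the legacy module (legacy.so) or that the .included openssl.cnf does not wire up providers through openssl_conf; running openssl list -providers with OPENSSL_CONF set and without 2>/dev/null shows the config error. Remember that a passing check means every OpenSSL operation in the dyno can now use RC2, MD4 and the rest of the legacy set, which is the trade-off the article warns about.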