Issue
After upgrading my app to Heroku-22, OpenSSL 3 no longer allows the use of older hashing algorithms, symmetric ciphers, or key derivation functions.
For example, loading a PKCS12 file that uses the RC2-40-CBC cipher for encryption results in an error such as OpenSSL::PKCS12::PKCS12Error PKCS12_parse: unsupported.
Resolution
OpenSSL 3.0 moved several deprecated or insecure algorithms into an internal library module called the legacy provider. This module is not loaded by default, so apps (or their language runtimes) that use OpenSSL for cryptographic operations cannot use such algorithms when loading certificates, creating message digests, etc.
For security reasons, it is strongly recommended to retire the use of these legacy algorithms.
If your application utilizes client certificates stored in a file encrypted with a legacy cipher such as RC2-40-CBC, it is possible to "modernize" the certificate file by re-encrypting it using the openssl program.
For example, if you have a client.p12 (or client.pfx) certificate file on your local computer:
$ openssl pkcs12 -legacy -in client.p12 -nodes -out cert-decrypted.tmp
(enter passphrases if prompted)
$ openssl pkcs12 -in cert-decrypted.tmp -export -out client-new.p12
(enter passphrases if prompted)
$ rm cert-decrypted.tmp
The exported client-new.p12 certificate file now contains the same keys, but encrypted using AES-256-CBC.
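The re-encryption steps above leave the private key unencrypted in cert-decrypted.tmp until it is deleted. The following added example (not Heroku's code) wraps the same two commands so the decrypted key only exists in a private temporary directory, then checks the result for algorithms that still need the legacy provider. The function names are hypothetical, the sample text is constructed on the assumption that `openssl pkcs12 -info -noout` prints one "PKCS7 Encrypted data:" or "Shrouded Keybag:" line per bag, and the check covers RC4 and single DES in addition to the RC2 case named on this page.

```bash
#!/usr/bin/env bash
# Added example (not Heroku's code); function names are hypothetical.

# Reads `openssl pkcs12 -info -noout` output on stdin and prints every bag
# line whose PBE scheme needs the legacy provider (RC2, RC4, single DES).
# Exit status 0 means at least one such line was found.
p12_legacy_algs() {
  grep -E '^(PKCS7 Encrypted data|Shrouded Keybag): .*(RC2|RC4|AndDES-CBC)'
}

# The page's two-step re-encryption, with the decrypted key kept in a private
# temp directory that is removed on exit, followed by a check of the result.
# The body runs in a subshell, so umask, trap and variables do not leak out.
p12_modernize() (
  src=$1 dst=$2
  umask 077                      # new files readable by the owner only
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT      # remove the decrypted key even on failure
  openssl pkcs12 -legacy -in "$src" -nodes -out "$tmp/cert.pem" || exit 1
  openssl pkcs12 -in "$tmp/cert.pem" -export -out "$dst" || exit 1
  # -info output is captured from both streams before it is classified.
  info=$(openssl pkcs12 -in "$dst" -info -noout 2>&1) || exit 1
  if printf '%s\n' "$info" | p12_legacy_algs >&2; then
    echo "error: $dst still uses a legacy algorithm" >&2
    exit 2
  fi
)

# Constructed samples in the assumed `openssl pkcs12 -info -noout` format.
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
SAMPLE_MODERN='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Prints only the RC2 line: triple DES is served by the default provider.
printf '%s\n' "$SAMPLE_LEGACY" | p12_legacy_algs || true
```

Run it as `p12_modernize client.p12 client-new.p12`; passphrases are prompted for as in the manual steps, plus once more for the final check.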
In rare cases where this is not possible, you may override the configuration used by OpenSSL using the OPENSSL_CONF environment variable.
Be advised that this approach enables outdated or potentially insecure algorithms for all cryptographic operations performed by OpenSSL.
As the OpenSSL configuration file format allows the inclusion of other files, you can .include the default openssl.cnf config file (which resides in /usr/lib/ssl), and then specify config directives to load the legacy provider module.
For example, create an openssl_legacy.cnf file in your project with the following contents:
.include = /usr/lib/ssl/openssl.cnf
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
You can then set OPENSSL_CONF to point to this file:
$ heroku config:set OPENSSL_CONF=/app/openssl_legacy.cnf