How do I configure OpenSSL to allow the use of legacy cryptographic algorithms

Issue

After upgrading my app to Heroku-22, OpenSSL 3 no longer allows the use of older hashing algorithms, symmetric ciphers, or key derivation functions.

For example, loading a PKCS12 file that uses the RC2-40-CBC cipher for encryption results in an error such as OpenSSL::PKCS12::PKCS12Error PKCS12_parse: unsupported.

Resolution

OpenSSL 3.0 moved several deprecated or insecure algorithms into an internal library module called legacy provider. It is not loaded by default, so apps (or their language runtimes) that use OpenSSL for cryptographic operations cannot use such algorithms when loading certificates, creating message digests, etc.

For security reasons, it is strongly recommended to retire the use of these legacy algorithms.

If your application utilizes client certificates stored in a file encrypted with a legacy cipher such as RC2-40-CBC, it is possible to "modernize" the certificate file by re-encrypting it using the openssl program.

For example, if you have a client.p12 (or client.pfx) certificate file on your local computer:

$ openssl pkcs12 -legacy -in client.p12 -nodes -out cert-decrypted.tmp
(enter passphrases if prompted)
$ openssl pkcs12 -in cert-decrypted.tmp -export -out client-new.p12
(enter passphrases if prompted)
$ rm cert-decrypted.tmp

The exported client-new.p12 certificate file now contains the same keys, but encrypted using AES-256-CBC.


In rare cases where this is not possible, you may override the configuration used by OpenSSL using the OPENSSL_CONF environment variable.

Be advised that this approach enables outdated or potentially insecure algorithms for all cryptographic operations performed by OpenSSL.

As the OpenSSL configuration file format allows the inclusion of other files, you can .include the default openssl.cnf config file (which resides in /usr/lib/ssl), and then specify config directives to load the legacy provider module.

For example, if you create an openssl_legacy.cnf file in your project with the following contents:

.include = /usr/lib/ssl/openssl.cnf

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

You can then set OPENSSL_CONF to point to this file:

$ heroku config:set OPENSSL_CONF=/app/openssl_legacy.cnf

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support