[PATCH] use all available openssl algorithms

Jouni Malinen j at w1.fi
Fri Jan 8 17:47:47 EST 2010


On Thu, Jan 07, 2010 at 08:02:07AM -0800, Dan Williams wrote:

> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

> Does that mean we need both RC2-40-CBC and 3DES-CBC enabled?  Or should
> this guy just re-encrypt his key?

3DES-CBC is enabled automatically (it is needed for SSL). RC2-40-CBC is
the problem one and that behavior changed in OpenSSL 1.0.0 (at least as
of the current beta4). PKCS12_PBE_add() used to add this cipher to allow
PKCS#12 files to be used. I'm a bit surprised by that type of change
without clearer documentation stating that and do not know whether it
really was even intentional. It remains to be seen how the actual
OpenSSL 1.0.0 release will behave.

Anyway, at least for now, I fixed this particular issue with one of the
most common ciphers used in PKCS#12 for certificates with the following
commits:

http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=1056dad796e78509604c0aa836803c8425b4ba37
http://w1.fi/gitweb/gitweb.cgi?p=hostap-06.git;a=commitdiff;h=b99094dafb488e7c71739e47f52f54158ae4ff99

-- 
Jouni Malinen                                            PGP id EFC895FA
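
Added example, not part of the original message or of the hostap code: a small triage script that reads bag lines in the format quoted above (as printed by `openssl pkcs12 -info`), maps each PKCS#12 PBE scheme to the OpenSSL cipher name it depends on, and reports which ones are absent from a given set of registered ciphers. The function names and the `REGISTERED` set are assumptions made for illustration; the sample lines are the two quoted in this thread.

```python
import re

# PKCS#12 PBE scheme name -> OpenSSL cipher name that must be registered.
PBE_TO_CIPHER = {
    "pbeWithSHA1And40BitRC2-CBC": "RC2-40-CBC",
    "pbeWithSHA1And128BitRC2-CBC": "RC2-CBC",
    "pbeWithSHA1And3-KeyTripleDES-CBC": "DES-EDE3-CBC",
    "pbeWithSHA1And2-KeyTripleDES-CBC": "DES-EDE-CBC",
    "pbeWithSHA1And40BitRC4": "RC4-40",
    "pbeWithSHA1And128BitRC4": "RC4",
}

# Matches e.g. "Shrouded Keybag: pbeWith..., Iteration 2048", with or
# without a leading "> " left over from a quoted e-mail.
LINE_RE = re.compile(
    r"^\s*(?:>\s*)*(?P<bag>[^:]+):\s*(?P<pbe>pbe\w[\w-]*),"
    r"\s*Iteration\s+(?P<iters>\d+)\s*$"
)

def parse_bags(text):
    """Return (bag, pbe_scheme, iterations) for each protected bag line."""
    bags = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            bags.append((m["bag"].strip(), m["pbe"], int(m["iters"])))
    return bags

def missing_ciphers(text, registered):
    """Return (bag, pbe_scheme, cipher) for ciphers not in `registered`."""
    have = {c.upper() for c in registered}
    missing = []
    for bag, pbe, _ in parse_bags(text):
        cipher = PBE_TO_CIPHER.get(pbe, "unknown scheme")
        if cipher.upper() not in have:
            missing.append((bag, pbe, cipher))
    return missing

# The two lines quoted in this thread.
SAMPLE = """\
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""
# Constructed for illustration: a cipher table that has 3DES but no RC2-40.
REGISTERED = {"DES-EDE3-CBC", "AES-128-CBC", "AES-256-CBC"}

if __name__ == "__main__":
    for bag, pbe, cipher in missing_ciphers(SAMPLE, REGISTERED):
        print(f"{bag}: {pbe} needs {cipher}, which is not registered")
```
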

