Use modern PBES2 for private keys in PFX (fixes #446) #447

Merged: 2 commits, Aug 24, 2022

Conversation

ChlorideCull (Contributor) commented Aug 5, 2022

Fixes #446

This raises security a bit, allows OpenSSL 3.x to read it without legacy mode, and in general is just a good idea.

As for compatibility, it should be well supported. OpenSSL, as far as I know, supports it since 1.1.1, and all earlier versions are out of support upstream. Windows also has no issues with it.
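As an added example (not code from the Posh-ACME project or from either commenter), the following Python script inspects a PFX/PKCS#12 blob and reports whether its contents are protected with the legacy PKCS#12 PBE schemes (pbeWithSHAAnd3-KeyTripleDES-CBC or pbeWithSHAAnd40BitRC2-CBC, which OpenSSL 3.x only reads with the legacy provider) or with PBES2 (PBKDF2 + AES), the scheme this PR switches private keys to. It walks the DER structure directly with no third-party dependency, so it applies to any PFX, not only ones produced by Posh-ACME. The `legacy_sample`, `pbes2_sample` and `wrapped_sample` functions build constructed AlgorithmIdentifier structures for demonstration; they are not real PFX files, and the salt and IV bytes are placeholders.

```python
"""Classify the password-based encryption scheme found inside a PKCS#12 (PFX) DER blob.

Walks the DER structure, collects every OBJECT IDENTIFIER, and reports whether the
legacy PKCS#12 PBE schemes (3DES / RC2-40) or PBES2 (PBKDF2 + AES) are in use.
"""

# OIDs that identify the encryption scheme of PKCS#12 SafeBags / EncryptedData
LEGACY_PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
MODERN_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}


def _base128(n: int) -> bytes:
    """Encode one OID sub-identifier in base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap a body in a DER tag-length-value (used only to build the samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return tlv(0x06, body)


def decode_oid(body: bytes) -> str:
    """Decode the body of an OBJECT IDENTIFIER into dotted form."""
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    if not subids:
        raise ValueError("empty OID")
    first = subids[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def _walk(der: bytes, out: list) -> None:
    """Strict DER walker: collects OIDs, descends into constructed types and into
    OCTET STRINGs that themselves hold DER (PKCS#12 nests ContentInfo that way).
    Raises ValueError on anything malformed so opaque octets (salt, IV, ciphertext)
    are skipped rather than misread."""
    pos = 0
    while pos < len(der):
        tag = der[pos]
        if tag == 0x00 or tag & 0x1F == 0x1F:  # EOC / high-tag-number form: not used in PKCS#12
            raise ValueError("unsupported tag")
        pos += 1
        if pos >= len(der):
            raise ValueError("truncated")
        length = der[pos]
        pos += 1
        if length & 0x80:
            n = length & 0x7F
            if n == 0 or n > 4:
                raise ValueError("bad length")
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        body = der[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated")
        pos += length
        if tag == 0x06:
            out.append(decode_oid(body))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            _walk(body, out)
        elif tag == 0x04:  # OCTET STRING: only keep results if it parses completely as DER
            inner: list = []
            try:
                _walk(body, inner)
            except ValueError:
                continue
            out.extend(inner)


def classify_pfx(der: bytes) -> dict:
    """Return the verdict and the recognised scheme names. Any legacy PBE wins,
    because a single legacy bag is enough to require OpenSSL's legacy provider."""
    found: list = []
    _walk(der, found)
    legacy = sorted({LEGACY_PBE_OIDS[o] for o in found if o in LEGACY_PBE_OIDS})
    modern = sorted({MODERN_OIDS[o] for o in found if o in MODERN_OIDS})
    verdict = "legacy" if legacy else "modern" if "PBES2" in modern else "unknown"
    return {"verdict": verdict, "legacy": legacy, "modern": modern}


# Constructed samples (placeholder salt/IV, not real PFX files)
SALT = bytes(range(8))
ITERATIONS = tlv(0x02, b"\x08\x00")  # INTEGER 2048


def legacy_sample() -> bytes:
    # AlgorithmIdentifier { pbeWithSHAAnd3-KeyTripleDES-CBC, PBEParameter { salt, iterations } }
    params = tlv(0x30, tlv(0x04, SALT) + ITERATIONS)
    return tlv(0x30, encode_oid("1.2.840.113549.1.12.1.3") + params)


def pbes2_sample() -> bytes:
    # AlgorithmIdentifier { PBES2, PBES2-params { PBKDF2 {salt, iterations}, aes256-CBC {iv} } }
    kdf = tlv(0x30, encode_oid("1.2.840.113549.1.5.12") + tlv(0x30, tlv(0x04, SALT) + ITERATIONS))
    enc = tlv(0x30, encode_oid("2.16.840.1.101.3.4.1.42") + tlv(0x04, bytes(16)))
    return tlv(0x30, encode_oid("1.2.840.113549.1.5.13") + tlv(0x30, kdf + enc))


def wrapped_sample() -> bytes:
    # ContentInfo { id-data, [0] OCTET STRING containing nested DER }, as PKCS#12 nests its safes
    return tlv(0x30, encode_oid("1.2.840.113549.1.7.1") + tlv(0xA0, tlv(0x04, pbes2_sample())))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else legacy_sample()
    print(classify_pfx(data))
```

Run it as `python check_pfx.py cert.pfx`: a verdict of `legacy` means the file needs `openssl pkcs12 -legacy` (the legacy provider) on OpenSSL 3.x, while `modern` means it opens without it. The walker deliberately refuses to trust an OCTET STRING unless it parses completely, which is what keeps random salt, IV and ciphertext bytes from being mistaken for structure.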

rmbolger (Owner) commented Aug 5, 2022

My fear with making this the new default is that it will unintentionally break folks who might still be using OpenSSL 1.0.x for some reason. Might need to add support behind a flag associated with the order at least until the next major module version (at which point it can become the new default and the flag can revert to legacy mode).

ChlorideCull (Contributor, Author) commented:

My fear with making this the new default is that it will unintentionally break folks who might still be using OpenSSL 1.0.x for some reason.

Debian buster was the last version of Debian to ship 1.0.x, and the LTS support for that ended in June. I think the only major Linux distro still shipping 1.0.x is RHEL 7, which is two major versions behind. Given that 1.0.x is EOL from upstream as well, whoever is still relying on it might deserve a bit of a wake up call 😉

That being said, it's your call to decide :)

rmbolger (Owner) commented:

I really do appreciate the work on figuring this out, @ChlorideCull. But out of an abundance of caution, I'm going to gate it behind a per-order opt-in flag until the next major version of the module. With the changes I just pushed, you can do any of the following:

# Enable on new cert
New-PACertificate 'example.com' -UseModernPfxEncryption

# Enable on new order
New-PAOrder 'example.com' -UseModernPfxEncryption

# Enable on existing order. This will also re-write existing PFX files.
Set-PAOrder -UseModernPfxEncryption

# Disable on an existing order. This will also re-write existing PFX files.
Set-PAOrder -UseModernPfxEncryption:$false

Like most other order properties, Submit-Renewal will carry the flag over to renewals as well.

Let me know how this works for you and I'll get it merged.

ChlorideCull (Contributor, Author) commented:

Can confirm this works with your changes!

@rmbolger rmbolger merged commit eb8a4f0 into rmbolger:main Aug 24, 2022
Labels: enhancement (New feature or request)
Successfully merging this pull request may close these issues: PFX files generated cannot be used by OpenSSL 3.x without enabling legacy mode