curl – OpenSSL error error:0308010C:digital envelope routines::unsupported

Issue

I try to use curl on Windows to post a timestamp request. Authentication is needed, so I use p12 file. I get error message, but password of p12 file is correct.

Command:

curl --insecure --cert-type P12 --cert my.p12:mypassword -X POST -d @mytest.req <myTSURL>

Error message:

curl: (58) could not parse PKCS12 file, check password, OpenSSL error
error:0308010C:digital envelope routines::unsupported

curl -V

curl 7.83.1 (x86_64-pc-win32) libcurl/7.83.1 OpenSSL/3.0.2 (Schannel) zlib/1.2.12 brotli/1.0.9 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.47.0 ngtcp2/0.5.0 nghttp3/0.4.1 libgsasl/1.10.0
Release-Date: 2022-05-11
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP UnixSocket

Solution

Meta: this isn’t really programming or development, and would probably be better on superuser or maybe security.SX, but this is issue is likely to become more common as OpenSSL 3.0 spreads and I wanted to get the answer out.

OpenSSL 3.0.x by default doesn’t support old/insecure algorithms, but until recently most software that creates PKCS12 (including OpenSSL 1.x.x) used such an algorithm for the certbag(s), namely a PKCS12-defined PBE using RC2-40 — and some still does at least sometimes, like the Windows 10 cert-export dialog by default. To check this do

openssl pkcs12 -in my.p12 -info -nokeys -nocerts 
# in 3.0.x add -provider legacy or just -legacy
# to avoid prompt use -password or -passin, see man pages

and I expect the output will include

PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048

See if your curl has an option to specify the OpenSSL 3.0.x provider and if so specify ‘legacy’. Otherwise, convert your pkcs12 like

# 3.0.x
openssl pkcs12 -in old -nodes -provider legacy | openssl pkcs12 -export -out new
# or slightly simpler
openssl pkcs12 -in old -nodes -legacy | openssl pkcs12 -export -out new

# 1.x.x
openssl pkcs12 -in old -nodes | openssl pkcs12 -export -descert -out new 

Conversion loses any ‘friendlyname’ set in the existing file. For curl, and probably most other programs, this doesn’t matter, but if you want to use this same file with something where friendlyname does matter, add -name $name on the -export part.

Answered By – dave_thompson_085

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published