|
1 # |
|
2 # This was developed in house. The change is internal to Solaris, and |
|
3 # it will not be contributed upstream. |
|
4 # |
|
5 # This patch changes the default cipher used to encrypt certificates |
|
6 # to 3DES, as RC2 is considered a weak cipher. The default cipher for 1.1 will |
|
7 # become 3DES. |
|
8 # |
|
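--- a/openssl/apps/pkcs12.c
+++ b/openssl/apps/pkcs12.c
@@ -142,12 +142,7 @@
 if (!load_config(bio_err, NULL))
 goto end;
 
-# ifdef OPENSSL_FIPS
- if (FIPS_mode())
- cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- else
-# endif
- cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 
 args = argv + 1;
 
@@ -379,9 +374,9 @@
 BIO_printf(bio_err,
 "-twopass separate MAC, encryption passwords\n");
 BIO_printf(bio_err,
- "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
+ "-descert encrypt PKCS#12 certificates with triple DES (default)\n");
 BIO_printf(bio_err,
- "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
+ "-certpbe alg specify certificate PBE algorithm (default 3DES)\n");
 BIO_printf(bio_err,
 "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
 BIO_printf(bio_err,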
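Review bot: The new default is set only in the pkcs12 command, at `cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;` in the first hunk, and nothing visible on this page changes what PKCS12_create() picks when nid_cert is zero, although the PKCS12_create.pod hunk now documents triple DES as that library default. If the library fallback is not changed by another patch, API callers passing zero would still get 40-bit RC2 certificate encryption and the manual would be wrong for them; it is worth confirming that, and that the pkcs12 command's own manual page no longer states RC2-40. Because this deliberately diverges from upstream, a short comment above the assignment would help the next rebase, for example `/* Solaris default: encrypt certificates with 3DES; 40-bit RC2 is considered weak */`. Both hunks sit inside a function whose start and end are outside the hunks.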
37 --- openssl/doc/crypto/PKCS12_create.pod Fri May 6 09:10:00 2016 |
|
38 +++ openssl/doc/crypto/PKCS12_create.pod Fri May 6 09:14:16 2016 |
|
39 @@ -30,9 +30,9 @@ |
|
40 The parameters B<nid_key>, B<nid_cert>, B<iter>, B<mac_iter> and B<keytype> |
|
41 can all be set to zero and sensible defaults will be used. |
|
42 |
|
43 -These defaults are: 40 bit RC2 encryption for certificates, triple DES |
|
44 -encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER |
|
45 -(currently 2048) and a MAC iteration count of 1. |
|
46 +These defaults are: triple DES encryption for certificates and private keys, |
|
47 +a key iteration count of PKCS12_DEFAULT_ITER (currently 2048) and a MAC |
|
48 +iteration count of 1. |
|
49 |
|
50 The default MAC iteration count is 1 in order to retain compatibility with |
|
51 old software which did not interpret MAC iteration counts. If such compatibility |