OK, I did now a first try without checking it, since I am missing OpenSSL 3.0 on my system.
Patch looks like this:
--- /srv/web/ipfire/cgi-bin/ovpnmain.cgi_next 2022-05-16 12:47:04.734222143 +0200
+++ /srv/web/ipfire/cgi-bin/ovpnmain.cgi_pkcs_encryption 2022-05-16 12:49:11.715225927 +0200
@@ -4334,6 +4334,8 @@
# Create the pkcs12 file
# The system call is safe, because all arguments are passed as an array.
system('/usr/bin/openssl', 'pkcs12', '-export',
+ '-certpbe', 'AES-256-CBC',
+ '-keypbe', 'AES-256-CBC',
'-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
'-name', $cgiparams{'NAME'},
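Review bot: the two added arguments pin only the PBE for the certificate bag and the shrouded key bag, so the container MAC keeps the tool's default (the -info output below still shows 'MAC: sha1, Iteration 2048'); consider also passing '-macalg', 'sha256' directly after '-keypbe', 'AES-256-CBC' so the whole file is free of SHA-1, and if that option really has no effect as the P.S. reports, record the OpenSSL version this was run against in the commit message. A short comment above the system() call saying why AES-256-CBC was chosen over the default, and which client platforms the resulting file was checked against, would also help the next reader, since the existing comment only covers the array form of the call.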
Result is:
$ openssl pkcs12 -info -in pkcstestfuenf.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
localKeyID: 4A 9F D7 EF 9F C7 10 38 DF 08 1A 02 E1 69 E6 47 7E D2 BF EF
friendlyName: pkcstestfuenf
subject=C = DE, ST = BW, O = ummeegge, CN = pkcstestfuenf
issuer=C = DE, ST = BW, L = Karlsruhe, O = ummeegge, OU = Fzeit, CN = ummeegge CA, emailAddress = ue@ue.org
-----BEGIN CERTIFICATE-----[...]-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: ummeegge CA
subject=C = DE, ST = BW, L = Karlsruhe, O = ummeegge, OU = Fzeit, CN = ummeegge CA, emailAddress = ue@ue.org
issuer=C = DE, ST = BW, L = Karlsruhe, O = ummeegge, OU = Fzeit, CN = ummeegge CA, emailAddress = ue@ue.org
-----BEGIN CERTIFICATE-----[...]-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Bag Attributes
localKeyID: 4A 9F D7 EF 9F C7 10 38 DF 08 1A 02 E1 69 E6 47 7E D2 BF EF
friendlyName: pkcstestfuenf
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----[...]-----END ENCRYPTED PRIVATE KEY-----
If you want to go for a checkout? Might be great.
Best,
Erik
P.S.: GCM might be nicer, but `list -cipher-algorithms` lists only 'id-aes128|192|256-GCM' and I am not sure about the various compatibility needs for this algorithm...
'-macalg digest' currently does not take effect, since SHA1 will nevertheless be used; I tried it with SHA512!!!
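The following is an added example and not part of Erik's patch or of the IPFire code base. It reproduces the export from the hunk on the command line, with `-macalg sha256` passed as well, and then parses the `openssl pkcs12 -info` summary the way a reviewer would check the result, failing if any legacy PBE (RC2, 3DES) or a SHA-1 MAC is left in the container. It assumes an `openssl` CLI (1.1.1 or 3.x) on PATH; the key/cert pair is a constructed throw-away self-signed identity standing in for `${General::swroot}/ovpn/certs/<NAME>key.pem` and `<NAME>cert.pem`, and the export password `changeit` is a placeholder.

```shell
#!/bin/sh
# Added example, not IPFire code: export a PKCS#12 with explicit
# PBES2/AES-256-CBC for the certificate bag and the key bag plus a SHA-256
# MAC, then parse `openssl pkcs12 -info` to confirm no legacy algorithm is
# left. Assumes an `openssl` CLI (1.1.1 or 3.x) on PATH.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed test identity (self-signed cert, unencrypted key), standing in
# for the <NAME>key.pem / <NAME>cert.pem pair under $swroot/ovpn/certs.
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=DE/O=example/CN=pkcstest" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Export as the patch does, with the MAC digest pinned as well.
# $1 = output .p12, $2 = export password
export_p12_aes() {
    openssl pkcs12 -export \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -inkey "$WORKDIR/key.pem" -in "$WORKDIR/cert.pem" -name pkcstest \
        -passout "pass:$2" -out "$1"
}

# Export with the pre-3.0 style PBE (SHA-1 + 3DES) for comparison. 3DES is
# still in the OpenSSL 3.x default provider, RC2-40 would need -legacy.
export_p12_legacy() {
    openssl pkcs12 -export \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES \
        -inkey "$WORKDIR/key.pem" -in "$WORKDIR/cert.pem" -name pkcstest \
        -passout "pass:$2" -out "$1"
}

# The algorithm summary (MAC:, PKCS7 Encrypted data:, Shrouded Keybag:) is
# written to stderr, so merge it; -nokeys/-noout avoid the PEM pass prompt.
p12_info() {
    openssl pkcs12 -info -noout -nokeys -in "$1" -passin "pass:$2" 2>&1
}

# Returns 0 only if every container-level algorithm is the expected one:
# SHA-256 MAC, PBES2/AES-256-CBC for the cert bags and for the key bag.
check_p12() {
    info="$(p12_info "$1" "$2")"
    printf '%s\n' "$info" | grep -qi '^MAC: sha256' || return 1
    printf '%s\n' "$info" | grep -q 'PKCS7 Encrypted data: PBES2.*AES-256-CBC' || return 1
    printf '%s\n' "$info" | grep -q 'Shrouded Keybag: PBES2.*AES-256-CBC' || return 1
    # Any RC2 or (Triple)DES mention means a legacy PBE slipped through.
    if printf '%s\n' "$info" | grep -Eq 'RC2|DES'; then return 1; fi
    return 0
}

make_test_identity
export_p12_aes "$WORKDIR/aes.p12" changeit
if check_p12 "$WORKDIR/aes.p12" changeit; then
    echo "aes.p12: PBES2/AES-256-CBC for cert and key, SHA-256 MAC"
else
    echo "aes.p12: legacy algorithm or SHA-1 MAC found" >&2
    exit 1
fi
```

The check deliberately looks at all three summary lines, because `-certpbe` and `-keypbe` are independent of each other and of `-macalg`: a file can carry AES-encrypted bags and still authenticate the whole container with a SHA-1 MAC, which is exactly what the `-info` output above shows.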