Kong / insomnia

The open-source, cross-platform API client for GraphQL, REST, WebSockets, SSE and gRPC. With Cloud, Local and Git storage.
https://insomnia.rest
Apache License 2.0

could not parse PKCS12 file, check password, OpenSSL error error:0308010C:digital envelope routines::unsupported #5059

Open haijunsu opened 2 years ago

haijunsu commented 2 years ago

Expected Behavior

Return response body without errors

Actual Behavior

Cannot connect to the server because there is an error while parsing the PKCS12 file.

Reproduction Steps

  1. Document settings
  2. Client Certificates tab
  3. New Certificate
  4. Add a p12 certificate for a domain
  5. Create request and send to the domain which is created in step 4.

Additional Information

Timeline logs:

* Preparing request to https://mytest_domainname
* Current time is 2022-08-08T16:53:18.142Z
* Using libcurl/7.79.1-DEV OpenSSL/3.0.0 zlib/1.2.11 brotli/1.0.9 WinIDN libssh2/1.9.0_DEV nghttp2/1.45.1
* Using default HTTP version
* Disable timeout
* Enable automatic URL encoding
* Disable SSL validation
* Enable cookie sending with jar of 4 cookies
* Adding SSL P12 certificate
*   Trying xxx.xxx.xxx.xxx:443...
* Connected to apigatewayb2b.test.bnymellon.com (10.8.77.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* could not parse PKCS12 file, check password, OpenSSL error error:0308010C:digital envelope routines::unsupported
* Closing connection 0

Insomnia Version

2022.1.1 and newer versions

What operating system are you using?

Environment: Windows 10 21H2

Installation method

Download from website and click the executable file.

Last known Working Insomnia version

2021.7.2

filfreire commented 2 years ago

Hi @haijunsu, could you double check if you can also reproduce this issue in our latest stable release (2022.5.0)?

We had a similar issue (#4543) a while back related to one of the dependencies we use (node-libcurl) and it might have something to do with the PKCS12 file being in a format not supported by recent curl/node-libcurl versions (other different example).

haijunsu commented 2 years ago

Hi @filfreire, I tried the latest stable release (2022.5.0) first and it didn't work. Then I tried every stable version backward until I found the version 2021.7.2 which worked.

haijunsu commented 2 years ago

Hi @filfreire, I think I have the same issue as the example. My certificate does have the information PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048. Since the certificate was generated by the security team and protected by a password and PEM pass phrase, I cannot convert it to the new format to verify the result.

filfreire commented 2 years ago

@johnwchadwick looking for your expertise on this: any ideas if there is something we can do on our side, maybe on node-libcurl so that this kind of legacy certificates/encryption would be supported in the future, or not really feasible in long term for us to try and accommodate for?

johnwchadwick commented 2 years ago

Support for the RC2 cipher was moved into the OpenSSL legacy module in OpenSSL 3.x; I believe enabling this module would resolve the problem. It's something we'll have to look into.
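
The RC2-based PKCS#12 PBE schemes named above can be spotted before OpenSSL 3 refuses the bundle. The following is an added example, not code from Insomnia, node-libcurl or anyone in this thread: a small DER walker that reports which PBE OIDs (RFC 7292 PKCS#12 PBE schemes and RFC 8018 PBES2) a .p12/.pfx file uses and whether OpenSSL 3 will need the legacy provider for it, without calling OpenSSL at all. The provider mapping (RC2 in legacy, 3DES and PBES2 in default) is assumed from the OpenSSL 3 provider layout.

```python
PBE_OIDS = {  # RFC 7292 / RFC 8018 PBE OIDs -> (name, OpenSSL 3 provider that implements it)
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", "default"),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "legacy"),
    "1.2.840.113549.1.5.13": ("PBES2 (e.g. PBKDF2 + AES-256-CBC)", "default"),
}

def _read_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Decode one DER tag+length at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite/oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def _decode_oid(body: bytes) -> str:
    # First octet encodes 40*arc1 + arc2; remaining arcs are base-128 with continuation bit.
    arcs, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def find_pbe_algorithms(der: bytes) -> list[tuple[str, str]]:
    """PBE (name, provider) pairs in DER order; descends into OCTET STRINGs because PKCS#12 nests SafeContents there."""
    found: list[tuple[str, str]] = []
    def walk(buf: bytes) -> None:
        pos = 0
        while pos < len(buf):
            tag, start, end = _read_tlv(buf, pos)
            if tag == 0x06:  # OBJECT IDENTIFIER
                oid = _decode_oid(buf[start:end])
                if oid in PBE_OIDS:
                    found.append(PBE_OIDS[oid])
            elif tag & 0x20 or tag == 0x04:  # constructed type, or OCTET STRING
                try:
                    walk(buf[start:end])
                except (ValueError, IndexError):
                    pass  # opaque content (salt, ciphertext), not nested DER
            pos = end
    walk(der)
    return found

def needs_legacy_provider(der: bytes) -> bool:
    """True if OpenSSL 3 fails on this bundle without -legacy (or a re-export with PBES2)."""
    return any(prov == "legacy" for _, prov in find_pbe_algorithms(der))
```

Feed it the raw bytes of a .pfx file; a "legacy" hit means the bundle should be re-exported with a modern PBES2/AES cipher rather than relying on the legacy provider being enabled on every client.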

lmpampaletakis commented 2 years ago

What is the workaround? Same problem here.

petter-veni commented 1 year ago

The Windows and Linux versions do NOT support using PFX, only a CRT file (cert) together with a key file. The key file has to be in PEM format.

I had exactly the same issue on my Windows computer using Windows 10 and Insomnia 2022.6.0.

Here is the documentation that states that PFX is not supported: https://docs.insomnia.rest/insomnia/client-certificates

It is mentioned twice on this help page.

The procedure to extract the crt-file and key-file is:

Use an openssl prior to openssl 3.x or it will throw an error due to the older insecure PFX-format that is not supported.

I used my Git Bash command line, which has OpenSSL 1.1.1q:

winpty openssl pkcs12 -in the-pfx-file.pfx -clcerts -nokeys -out the-crt-file.crt
winpty openssl pkcs12 -in the-pfx-file.pfx -nocerts -out the-key-file.key
winpty openssl rsa -in the-key-file.key -outform PEM -out the-pem-key-file.pem

(the winpty is used only in the Git Bash because the openssl command will freeze if not used. If you use openssl command in other shells it might not be necessary to prefix the openssl command with winpty).

the-crt-file.crt is obviously the crt/cert file to point to and the-pem-key-file.pem is the key-file to point to. The the-key-file.key is not necessary for Insomnia.

groja commented 1 year ago

Support for the RC2 cipher was moved into the OpenSSL legacy module in OpenSSL 3.x; I believe enabling this module would resolve the problem. It's something we'll have to look into.

Thanks for this, this got me to the answer - I just needed to add the -legacy command line option to make it work.

dmytrokosiachenko commented 1 year ago

Thanks for the tips; combining these 2 answers, this is what is working for me on Mac:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out the-crt-file.crt -legacy && \
openssl pkcs12 -in cert.pfx -nocerts -out the-key-file.key -legacy && \
openssl rsa -in the-key-file.key -outform PEM -out the-pem-key-file.pem

haijunsu commented 1 year ago

Thanks @dmytrokosiachenko and @petter-veni. Let's put their solutions together here.

For Windows

winpty openssl pkcs12 -in the-pfx-file.pfx -clcerts -nokeys -out the-crt-file.crt
winpty openssl pkcs12 -in the-pfx-file.pfx -nocerts -out the-key-file.key
winpty openssl rsa -in the-key-file.key -outform PEM -out the-pem-key-file.pem

For Mac

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out the-crt-file.crt -legacy && \
openssl pkcs12 -in cert.pfx -nocerts -out the-key-file.key -legacy && \
openssl rsa -in the-key-file.key -outform PEM -out the-pem-key-file.pem

tomorrow-s commented 8 months ago

I have found a good solution to this problem. Install the PFX format certificate through Windows, then export the certificate containing the key. Choose AES256 for the encryption method of export, and export the relevant certificate using OpenSSL.

filfreire commented 3 weeks ago

Reopening, this could be interesting to try to solve again