Open Furgas opened 1 week ago
Isn't that already solved with the configure option `--with-openssl-legacy-provider`? And I think you don't even need that if you set up support for legacy providers in your openssl.conf, and have the legacy provider built as a module (that's possible with PHP on Windows at least).
Well, I'd rather use prebuilt PHP packages that come with the distribution, than compile it from source. I guess that it's not controversial. And I'm quite sure that enabling legacy provider doesn't force `openssl_pkcs12_export` to use them, as enabling legacy providers in `openssl.conf` is not enough - you have to provide `-legacy` option to `openssl pkcs12 -export`.
Maybe @bukka can clarify.
Description
Please consider adding support for forcing legacy mode for `openssl_pkcs12_export`. Currently the only workaround I know, is to switch completely to calling command line `openssl pkcs12 -export` directly with `-legacy` option, which requires enabling `proc_open` or other similar functions, which can pose security risk. Unfortunately many systems and applications still understand only legacy algorithms in PKCS#12 files so many are still forced to use them when creating PKCS#12 files.
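
The command-line workaround described in the issue, as an added example (not code from the issue, PHP, or php-src): it runs `openssl pkcs12 -export -legacy` through `proc_open` without a shell and keeps the passphrase out of the argument list. The function name `pkcs12_export_legacy` is hypothetical; the code assumes a Unix-like host, an OpenSSL 3.x `openssl` binary on PATH with the legacy provider installed, and an unencrypted PEM private key. It still needs `proc_open` enabled, which is the dependency the request wants to avoid.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not part of PHP or php-src.
// Assumes a Unix-like host, OpenSSL 3.x on PATH with the legacy provider
// installed, and an unencrypted PEM private key.
function pkcs12_export_legacy(string $certPem, string $keyPem, string $passphrase): string
{
    // openssl reads only the first line of a pass phrase source.
    if (preg_match('/[\r\n\0]/', $passphrase)) {
        throw new InvalidArgumentException('passphrase must be a single line');
    }

    // Array form (PHP >= 7.4) executes the binary directly, without a shell,
    // so no argument is ever interpreted as shell syntax.
    $cmd = ['openssl', 'pkcs12', '-export', '-legacy', '-passout', 'fd:3'];
    $spec = [
        0 => ['pipe', 'r'], // certificate + key PEM (-in defaults to stdin)
        1 => ['pipe', 'w'], // PKCS#12 output (-out defaults to stdout)
        2 => ['pipe', 'w'], // diagnostics
        3 => ['pipe', 'r'], // passphrase, kept out of argv
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start openssl');
    }

    // Inputs are small enough to fit in the pipe buffers, so write then close.
    fwrite($pipes[0], rtrim($certPem) . "\n" . rtrim($keyPem) . "\n");
    fclose($pipes[0]);
    fwrite($pipes[3], $passphrase . "\n");
    fclose($pipes[3]);

    $p12 = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    if (proc_close($proc) !== 0 || $p12 === false || $p12 === '') {
        throw new RuntimeException('openssl pkcs12 failed: ' . trim((string) $err));
    }
    return $p12; // binary PKCS#12 data written with the legacy algorithms
}
```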