Open sunmy2019 opened 4 months ago
PKCS#12 format required by openssl 1.1.1 and openssl 3.0 (PKCS12_parse) is different. https://github.com/openssl/openssl/issues/6698
Format 1: openssl 1.1 required: CN = Leaf, CN = Root, CN = CA #2, CN = CA #1
Format 2: openssl 3.0 required: CN = Leaf, CN = CA #1, CN = CA #2, CN = Root
This causes compatibility issues in rust-native-tls. https://github.com/sfackler/rust-native-tls/issues/281
rust-native-tls officially supports Format 2, when used with openssl 1.1. And in practice, it also supports Format 1, when used with openssl 3.0.
Luckily, in our use cases, we only have Leaf and Root. Format 1 and Format 2 are the same. Our users are less likely to be affected.
This is a kind note for users with compatibility issues for PKCS#12.
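The two orderings listed in the issue above, produced from one shuffled bundle by following issuer links. This is an added example, not code from the issue or from rust-native-tls. It assumes certificates can be modelled as (subject, issuer) name pairs; the `Cert` type and the function names are hypothetical, and real code would parse the X.509 structures instead.

```rust
// Added example: certificates are modelled as (subject, issuer) name pairs.
// All names and the bundle below are constructed for illustration.
#[derive(Clone, Debug, PartialEq)]
struct Cert { subject: String, issuer: String }

fn cert(subject: &str, issuer: &str) -> Cert {
    Cert { subject: subject.into(), issuer: issuer.into() }
}

/// Format 2 from the issue: leaf, then each issuer in turn, ending at the root.
/// Returns None if the leaf is missing, an issuer is absent, or the links loop.
fn format2(certs: &[Cert], leaf_cn: &str) -> Option<Vec<Cert>> {
    let mut current = certs.iter().find(|c| c.subject == leaf_cn)?;
    let mut chain = vec![current.clone()];
    // A self-signed certificate (subject == issuer) terminates the walk.
    while current.subject != current.issuer {
        if chain.len() > certs.len() {
            return None; // more hops than certificates: the issuer links form a cycle
        }
        let issuer = &current.issuer;
        current = certs.iter().find(|c| &c.subject == issuer)?;
        chain.push(current.clone());
    }
    Some(chain)
}

/// Format 1 from the issue: leaf first, then the rest of the chain root-first.
fn format1(certs: &[Cert], leaf_cn: &str) -> Option<Vec<Cert>> {
    let mut chain = format2(certs, leaf_cn)?;
    chain[1..].reverse(); // keep the leaf in place, flip everything after it
    Some(chain)
}

fn names(chain: &[Cert]) -> Vec<&str> {
    chain.iter().map(|c| c.subject.as_str()).collect()
}

fn main() {
    // Constructed bundle, deliberately out of order.
    let bundle = vec![
        cert("CA #2", "Root"), cert("Leaf", "CA #1"),
        cert("Root", "Root"), cert("CA #1", "CA #2"),
    ];
    println!("Format 1: {:?}", names(&format1(&bundle, "Leaf").unwrap()));
    println!("Format 2: {:?}", names(&format2(&bundle, "Leaf").unwrap()));
}
```

With only a leaf and a root in the bundle, both functions return the same sequence, which is the case the issue describes as unaffected.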