sfackler / rust-native-tls

Apache License 2.0

Upcoming PKCS#12 compatibility issue warning #245

Open hlavaatch opened 1 year ago

hlavaatch commented 1 year ago

Recent changes in OpenSSL moved the RC2 cipher into a "legacy" provider; some PKCS#12 files using the old cipher suite pbeWithSHA1And40BitRC2-CBC will fail to load, resulting in this error:

error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

It would maybe be good to mention in the docs for native_tls::Identity::from_pkcs12() that when you run into this error you need to re-create the PKCS#12 file in a more modern format. In my case, I have used openssl pkcs12 -legacy to dump the certs and key and re-created the file with openssl pkcs12 -export:

openssl pkcs12 -legacy --password pass:changeit -in bad.p12 -noenc -out fixme.pem
openssl pkcs12 -export --password pass:changeit -inkey fixme.pem -in fixme.pem -out fixed.p12

This problem so far manifests itself on Arch Linux, but will spread to other distros with the new OpenSSL version.

Alternatively, you could provide the users with a way to enable the legacy OpenSSL provider (didn't find any).

sfackler commented 1 year ago

Now that we support Identity construction directly via PEM files, I'd probably just recommend people not use PKCS#12 anymore.
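
A preflight check for the failure described in this issue, added here as an example (it is not code from native-tls or from either commenter): it walks a PKCS#12 file's DER structure and reports RC2-based PBE algorithm OIDs, so affected keystores can be found before `Identity::from_pkcs12()` fails under OpenSSL 3. The function names and the sample bytes are constructed for illustration; files encoded with BER indefinite lengths are not handled.

```rust
// PKCS#12 PBE OID arc 1.2.840.113549.1.12.1 (RFC 7292), DER content bytes.
const PBE_ARC: [u8; 9] = [0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01];

/// Name the OID if it is one of the RC2-based PKCS#12 PBE schemes.
fn legacy_name(oid: &[u8]) -> Option<&'static str> {
    match oid.strip_prefix(&PBE_ARC[..])? {
        [5] => Some("pbeWithSHA1And128BitRC2-CBC"),
        [6] => Some("pbeWithSHA1And40BitRC2-CBC"),
        _ => None,
    }
}

/// Split one definite-length DER TLV off `buf`: (tag, content, rest).
fn tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = buf.split_first()?;
    let (&first, mut rest) = rest.split_first()?;
    let mut len = first as usize;
    if first >= 0x80 {
        let n = len & 0x7F; // long form: the next n bytes hold the length
        if n == 0 || n > 4 || rest.len() < n { return None; }
        len = rest[..n].iter().fold(0, |a, &b| (a << 8) | b as usize);
        rest = &rest[n..];
    }
    if rest.len() < len { return None; }
    Some((tag, &rest[..len], &rest[len..]))
}

/// Collect RC2 PBE names; PKCS#12 nests DER inside OCTET STRINGs, so descend into those too.
fn legacy_pbe(mut buf: &[u8], depth: u8) -> Vec<&'static str> {
    let mut found: Vec<&'static str> = Vec::new();
    while let Some((tag, body, rest)) = tlv(buf) {
        if tag == 0x06 {
            found.extend(legacy_name(body)); // OBJECT IDENTIFIER
        } else if depth < 32 && ((tag & 0x20) != 0 || tag == 0x04) {
            found.extend(legacy_pbe(body, depth + 1)); // depth cap bounds recursion
        }
        buf = rest;
    }
    found
}

// Constructed sample, not a real keystore: an AlgorithmIdentifier carrying the RC2-40 PBE OID, wrapped in an OCTET STRING.
const SAMPLE: &[u8] = &[0x30, 0x12, 0x04, 0x10, 0x30, 0x0E, 0x06, 0x0A,
    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x06, 0x05, 0x00];

fn main() { // scans the file given as first argument, else the constructed sample
    let data = std::env::args().nth(1).map_or(SAMPLE.to_vec(), |p| std::fs::read(p).unwrap());
    println!("{:?}", legacy_pbe(&data, 0));
}
```

An empty result means no RC2 PBE identifier was found in the unencrypted outer structure; a non-empty one marks a file to re-create in a modern format or replace with PEM.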