OpenSSL P12 Certificates

OpenSSL 3.0 moved several deprecated or insecure algorithms into an internal library module called legacy provider. It is not loaded by default, so apps (or their language runtimes) that use OpenSSL for cryptographic operations cannot use such algorithms when loading certificates, creating message digests ...

 

For security reasons, it is strongly recommended to retire the use of these legacy algorithms.

 

If your application utilizes client certificates stored in a file encrypted with a legacy cipher such as RC2-40-CBC, it is possible to "modernize" the certificate file by re-encrypting it using the openssl program.

 

For example, if you have a client.p12 (or client.pfx) certificate file on your local computer:

 

$ openssl pkcs12 -legacy -in client.p12 -nodes -out cert-decrypted.tmp
(enter passphrases if prompted)

$ openssl pkcs12 -in cert-decrypted.tmp -export -out client-new.p12
(enter passphrases if prompted)

$ rm cert-decrypted.tmp

 

The exported client-new.p12 certificate file now contains the same keys, but encrypted using AES-256-CBC.

 

Check below the configuration for sgcWebSockets and sgcIndy packages:

 

sgcWebSockets

• Set the property OpenSSL_Options.Legacy.Enabled to True.
• Set the location of the Legacy library. 
  • OpenSSL_Options.Legacy.LibPath: here you can configure where is located the legacy library
    • oslpNone: this is the default, the legacy library should be in the same folder where is the binary or in a known path.
    • oslpDefaultFolder: sets automatically the legacy library path where the libraries should be located for all IDE personalities.
    • oslpCustomFolder: if this is the option selected, define the full path in the property LibPathCustom.
  • OpenSSL_Options.Legacy.LibPathCustom: when LibPath = oslpCustomFolder define here the full path where are located the legacy library.

 

 

sgcIndy

 

• Set the property SSLOptions.Legacy to True.
• Before start the server or client, set the path where the legacy.dll library it's located. Use the function IdOpenSSLSetOSSLPath and pass the path as argument.