# # This was developed in house. The change is internal to Solaris, and # it will not be contributed upstream. # # This patch will change the default cipher used to encrypt certificate # to 3DES as RC2 is considered weak cipher. The default cipher for 1.1 will # become 3DES. # --- openssl/apps/pkcs12.c Tue May 3 06:44:42 2016 +++ openssl/apps/pkcs12.c.new Wed May 4 15:11:00 2016 @@ -142,12 +142,7 @@ if (!load_config(bio_err, NULL)) goto end; -# ifdef OPENSSL_FIPS - if (FIPS_mode()) - cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - else -# endif - cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; args = argv + 1; @@ -379,9 +374,9 @@ BIO_printf(bio_err, "-twopass separate MAC, encryption passwords\n"); BIO_printf(bio_err, - "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); + "-descert encrypt PKCS#12 certificates with triple DES (default)\n"); BIO_printf(bio_err, - "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); + "-certpbe alg specify certificate PBE algorithm (default 3DES)\n"); BIO_printf(bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); BIO_printf(bio_err, --- openssl/doc/crypto/PKCS12_create.pod Fri May 6 09:10:00 2016 +++ openssl/doc/crypto/PKCS12_create.pod Fri May 6 09:14:16 2016 @@ -30,9 +30,9 @@ The parameters B, B, B, B and B can all be set to zero and sensible defaults will be used. -These defaults are: 40 bit RC2 encryption for certificates, triple DES -encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER -(currently 2048) and a MAC iteration count of 1. +These defaults are: triple DES encryption for certificates and private keys, +a key iteration count of PKCS12_DEFAULT_ITER (currently 2048) and a MAC +iteration count of 1. The default MAC iteration count is 1 in order to retain compatibility with old software which did not interpret MAC iteration counts. If such compatibility