curl OpenSSL error error:0308010C:digital envelope routines::unsupported

Posted on 2025-02-06 19:15:50

I try to use curl on Windows to post a timestamp request. Authentication is needed, so I use a p12 file. I get an error message, but the password of the p12 file is correct.

Command:

curl --insecure --cert-type P12 --cert my.p12:mypassword -X POST -d @mytest.req <myTSURL>

Error message:

curl: (58) could not parse PKCS12 file, check password, OpenSSL error
error:0308010C:digital envelope routines::unsupported

curl -V

curl 7.83.1 (x86_64-pc-win32) libcurl/7.83.1 OpenSSL/3.0.2 (Schannel) zlib/1.2.12 brotli/1.0.9 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.47.0 ngtcp2/0.5.0 nghttp3/0.4.1 libgsasl/1.10.0
Release-Date: 2022-05-11
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP UnixSocket

Comments (4)

又爬满兰若 2025-02-13 19:15:50

Meta: this isn't really programming or development, and would probably be better on superuser or maybe security.SX, but this issue is likely to become more common as OpenSSL 3.0 spreads and I wanted to get the answer out.

OpenSSL 3.0.x (and up) by default doesn't support old/insecure algorithms, but until recently most software that creates PKCS12 (including OpenSSL 1.x.x) used such an algorithm for the certbag(s), namely a PKCS12-defined PBE using 40-bit RC2, usually abbreviated RC2-40 – and some still does at least sometimes, like the Windows 10 cert-export dialog by default. To check this do

openssl pkcs12 -in my.p12 -info -nokeys -nocerts 
# in 3.x.x add -provider legacy -provider default or just -legacy
# to avoid prompt use -password or -passin, see man pages

and I expect the output will include

PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048

See if your curl has an option to specify the OpenSSL 3.0.x providers and if so specify (fixed) both 'legacy' and 'default'. Otherwise, convert your pkcs12 like

# in 3.x.x
openssl pkcs12 -in old -nodes -provider legacy -provider default -out temp && openssl pkcs12 -in temp -export -out new
# or simpler
openssl pkcs12 -in old -nodes -legacy -out temp && openssl pkcs12 -in temp -export -out new

# in 1.x.x
openssl pkcs12 -in old -nodes -out temp && openssl pkcs12 -in temp -export -descert -out new 

# and in either case securely delete temp; on systems with a memory tmpfs, 
# typically /tmp, putting the file there can help assure this

# IFF 'old' was created by software that put the keybag before the certbag,
# which you can infer from the order displayed by pkcs12 -info,
# you can skip the temp file and pipe directly from one openssl to the other
# compare https://stackoverflow.com/q/54469754/95735 found by @PiotrDobrogost

Conversion loses any 'friendlyname' set in the existing file. For curl, and probably most other programs, this doesn't matter, but if you want to use this same file with something where friendlyname does matter, add -name $name on the -export part.
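
The check described in the answer above, as an added example (not part of the original answer): a shell filter that reads the bag headers printed by `openssl pkcs12 -info` and flags those protected with RC2, RC4 or single DES, which OpenSSL 3.x serves only from the legacy provider. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag PKCS#12 bags whose encryption needs the OpenSSL 3.x
# legacy provider. Input is the text printed by `openssl pkcs12 -info`.

# Print "<LEGACY|OK>: <bag> uses <algorithm>" for every encrypted bag.
classify_p12_info() {
    awk '
        /^(PKCS7 Encrypted data|Shrouded Keybag): / {
            bag = $0; sub(/: .*/, "", bag)
            alg = $0; sub(/^[^:]*: /, "", alg); sub(/, Iteration.*/, "", alg)
            # RC2, RC4 and single DES are only in the legacy provider;
            # 3DES and the PBES2/AES schemes load with the default one.
            status = (alg ~ /RC2|RC4|AndDES-CBC/) ? "LEGACY" : "OK"
            print status ": " bag " uses " alg
        }'
}

# Exit status 0 when at least one bag needs the legacy provider.
p12_needs_legacy() {
    classify_p12_info | grep -q '^LEGACY'
}

# Constructed sample: headers of a file written with the old defaults.
sample_old() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Constructed sample: headers of a file re-exported by OpenSSL 3.x.
sample_new() {
    cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

# Real use (bag headers go to stderr, so merge it into the pipe):
#   openssl pkcs12 -in my.p12 -info -nokeys -nocerts -legacy 2>&1 | classify_p12_info
sample_old | classify_p12_info
if sample_new | p12_needs_legacy; then echo "new: convert"; else echo "new: no conversion needed"; fi
```

A file that reports no LEGACY line can be handed to an OpenSSL 3.x based curl as it is; one that does is a candidate for the conversion commands in the answer.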

梦里°也失望 2025-02-13 19:15:50

I was getting the same error using OpenVPN. I was able to fix it by adding or uncommenting the following lines in the /etc/ssl/openssl.cnf configuration file:

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

This is based on the information at OpenSSL WIKI

梦魇绽荼蘼 2025-02-13 19:15:50

Trying to inspect a p12 on my Mac I was getting

Error outputting keys and certificates
400FD10702000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not read certificate from <stdin>

This worked for me
openssl pkcs12 -in DEVCertificates.p12 -info -nodes -legacy
So you need to add -nodes -legacy

https://www.iclarified.com/92617/how-to-fix-error-0308010c-digital-envelope-routines-unsupported

美人骨 2025-02-13 19:15:50

On Unix-like (Linux, macOS, Git bash, etc.):

export NODE_OPTIONS=--openssl-legacy-provider

This fixed my problem
https://github.com/webpack/webpack/issues/14532#issuecomment-947012063
