Hide Forgot
Produce a PKCS #12 file using (for example) AES-256-CBC (PBES2) in RHEL 7.3 (nss-3.21.0-17.el7). Then try to import it using pk12util on RHEL 7.4 (nss-3.28.4-8.el7). It will fail. This is a compatibility problem. This breaks (at least) FreeIPA and Dogtag KRA replica creation on RHEL 7.4 from a RHEL 7.3 master (likewise Fedora). Key backups created on the earlier version cannot be restored on the newer versions. And so on. nss-3.28.4-2.el7 seems to be the RHEL package version that first has this problem. There has been some investigation on this issue, and the following potential patch has been shown to resolve the issue: https://github.com/ueno/nss/commit/4c55304e80126659e08dc5fb7ef244162514fba9
The problem is a bit bigger - NSS 3.21.0 will create PKCS#12 files that cannot be processed by OpenSSL-1.1.1-dev in many cases. When key (-c option to pk12util) is encrypted with following mechanisms: RC2-CBC DES-EDE3-CBC PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4 PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4 PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC it is decryptable with OpenSSL When it is encrypted with following mechanisms: DES-ECB DES-CBC PKCS #5 Password Based Encryption with MD2 and DES-CBC PKCS #5 Password Based Encryption with MD5 and DES-CBC PKCS #5 Password Based Encryption with SHA-1 and DES-CBC AES-128-ECB AES-128-CBC AES-192-ECB AES-192-CBC AES-256-ECB AES-256-CBC CAMELLIA-128-CBC CAMELLIA-192-CBC CAMELLIA-256-CBC SEED-CBC it is not decryptable with OpenSSL. With nss-3.32.0-1.1.fc25, the following are decryptable by OpenSSL: RC2-CBC DES-EDE3-CBC PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4 PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4 PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC AES-128-CBC AES-192-CBC AES-256-CBC CAMELLIA-256-CBC SEED-CBC While following are not: DES-ECB DES-CBC PKCS #5 Password Based Encryption with MD2 and DES-CBC PKCS #5 Password Based Encryption with MD5 and DES-CBC PKCS #5 Password Based Encryption with SHA-1 and DES-CBC AES-128-ECB AES-192-ECB AES-256-ECB CAMELLIA-128-CBC CAMELLIA-192-CBC For certificates (-C) encryption both versions create undecryptable files with following ciphers: DES-CBC PKCS #5 Password Based Encryption with MD2 and DES-CBC PKCS #5 Password Based Encryption with MD5 and DES-CBC PKCS #5 Password Based Encryption with SHA-1 and DES-CBC
(In reply to Hubert Kario from comment #8) > The problem is a bit bigger - NSS 3.21.0 will create PKCS#12 files that > cannot be processed by OpenSSL-1.1.1-dev in many cases. Unless it is also the case with NSS (i.e. such files created with NSS 3.21 can be read by NSS 3.21, but not with NSS 3.28 any more), could you file a separate bug with a lower priority, please?
man page fix postponed to RHEL 7.5: bug 1498182
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0679