[PATCH] use all available openssl algorithms

Jouni Malinen j
Fri Jan 8 14:47:47 PST 2010

On Thu, Jan 07, 2010 at 08:02:07AM -0800, Dan Williams wrote:

> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

> Does that mean we need both RC2-40-CBC and 3DES-CBC enabled?  Or should
> this guy just re-encrypt his key?

3DES-CBC is enabled automatically (it is needed for SSL). RC2-40-CBC is
the problem one and that behavior changed in OpenSSL 1.0.0 (at least as
of the current beta4). PKCS12_PBE_add() used to add this cipher to allow
PKCS#12 files to be used. I'm a bit surprised of that type of change
without clearer documentation stating that and do not know whether it
really was even intentional. It remains to be seen, how the actual
OpenSSL 1.0.0 release will behave.

Anyway, at least for now, I fixed this particular issue with one of the
most common ciphers used in PKCS#12 for certificates with following


Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list