OpenSSL v3.0.0 and PMS.
For those using their own domains and certificates with PMS ,
PMS 1.32.0.6865 and above updates OpenSSL from v1.1.1 to v3.0.0 .
(changed the numbering scheme in the process)
The consequence of this is OpenSSL v3 removed several “less secure” encryption methods.
The impact on you, if you’re using an older distributions where openssl v3 is not the default, if not already doing so, you will need pay special attention to how your certificates are generated
As example, upgrade (specify) a better encryption
PREVIOUS
# Generate p12 (Acme LE is valid until 2025)
openssl pkcs12 -export -out my-fdqn-tld.p12 \
-inkey my-fqdn-tld.key -in my-fqdn-tld.crt \
-certfile CertAuth.crt \
-password pass:PASSWORD_HERE
IMPROVED
# Generate new p12 (Acme LE is valid until 2025)
openssl pkcs12 -export -out my-fdqn-tld.p12 \
-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
-inkey my-fqdn-tld.key -in my-fqdn-tld.crt \
-certfile CertAuth.crt \
-password pass:PASSWORD_HERE
The key change is to select a better encryption:
-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
To implement
- Update certificate creation scripting to include AES-256 (or better) as shown above.
- Regenerate P12 file and store where PMS expects it
- Restart PMS after updated cert installation ( PMS loads certs at startup only)
The reason for this change is the inevitability of the current libraries being EOL.
Observe:
REF:
