https://bugzilla.suse.com/show_bug.cgi?id=1208400 https://bugzilla.suse.com/show_bug.cgi?id=1208400#c1 --- Comment #1 from Miguel Rozsas <miguel@rozsas.eng.br> --- I think it is related to openssl-3-3.0.7-3.1.x86_64 package that replaced the old package openssl-1_1-1.1.1t-1.1.x86_64. On a computer not updated, openssl-1_1-1.1.1t-1.1.x86_64: cat /path/to/certificate/file.p12 | openssl pkcs12 -info Enter Import Password: MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 ... On a computer updated, openssl-3-3.0.7-3.1.x86_64: cat /path/to/certificate/file.p12 | openssl pkcs12 -info Enter Import Password: MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Error outputting keys and certificates 404794E1E17F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties () On a updated system, both packages co-exist, but the older one has the binary changed from /usr/bin/openssl to /usr/bin/openssl-1_1 (and the current /usr/bin/openssl belongs to openssl-3-3.0.7-3.1.x86_64) I don't know if this helps. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1208400 Chenzi Cao <chcao@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vcizek@suse.com Assignee|screening-team-bugs@suse.de |songchuan.kang@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1208400 https://bugzilla.suse.com/show_bug.cgi?id=1208400#c4 Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com, | |pmonrealgonzalez@suse.com Assignee|pmonrealgonzalez@suse.com |otto.hollmann@suse.com --- Comment #4 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> --- Hi, certificates signed using SHA1 are no longer allowed at security level 1 and above in openssl-3 so its failing as expected. You may want to re-create them and use the default SHA256 for signing. Note that, there is an ongoing issue open upstream to add a configure option to enable SHA1 but its not yet implemented in the 3.0 version series or in 3.1 which is planned to be released today, see: * https://github.com/openssl/openssl/issues/17662 There is also a downstream working patch in Fedora that adds this: * https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0049-Selecti... T think, we can explore this option. I'm assigning the bug to Otto and adding Marcus in CC. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1208400 https://bugzilla.suse.com/show_bug.cgi?id=1208400#c6 --- Comment #6 from Miguel Rozsas <miguel@rozsas.eng.br> --- I want just add to this how such change was inconvenient at same time I want to make clear that I understand it was a needed change as SHA1 is insecure nowadays. It is not a rant ! I don't have control over the generation of certificate, it was generated by the company that I work for and they can not change either, as they use a appliance that for now there is no updates in this regard. To be able to work for them I had to setup a Win11 VM on my linux box and on that virtual windows I run openvpn with the certificate that they provide. Than I may open ssh sessions to machines inside their network. It works, but far from ideal. There is a extra layer, as you can see. So a workaround, as mentioned, is needed to preserve backward compatibility. -- You are receiving this mail because: You are on the CC list for the bug.