OpenSSL 1.1.0 introduced some incompatible changes for symmetric encryption. I use it for some code repos to store secrets in lieu of other options. It works just fine for a single developer, but obviously doesn't scale well beyond that.
Recently those projects started breaking and I wasn’t sure why. The commands I used to encrypt and decrypt were, respectively, as follows:
The error message I got on decrypt was as follows:
    *** WARNING : deprecated key derivation used.
    Using -iter or -pbkdf2 would be better.
    bad decrypt
    140437176114024:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:570:
Hunting around I learned that openssl changed the default message digest algorithm from md5 to sha256. In order to avoid the error I just needed to change the decrypt command (the first one), and in the future I could use this encryption command to override the default and put the message digest back to md5:
However, I figured the default was changed for a reason. So I recreated all the encrypted certs and then encrypted / decrypted like so:
I didn't explicitly set the digest so that it will fail again in the future if they change the defaults. I don't obsessively keep up with the latest advice on encryption algorithms, so I'm inclined to lean on the experience of those who are far more informed.
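To show why the digest change breaks decryption, here is an added example (not code from the original post): a Python re-implementation of the legacy EVP_BytesToKey derivation that openssl enc uses when -pbkdf2 is not given, applied to a constructed "Salted__" blob. The same password and salt yield a different key and IV under md5 and sha256, so a file encrypted under one default fails with "bad decrypt" under the other; the blob, salt and password below are made up for the demonstration.

```python
"""Added example: the legacy key derivation behind `openssl enc` (no -pbkdf2)."""
import hashlib


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha256", count: int = 1) -> tuple[bytes, bytes]:
    """Re-implementation of OpenSSL's EVP_BytesToKey.

    D_1 = H^count(password || salt), D_i = H^count(D_{i-1} || password || salt);
    key || iv is the prefix of D_1 || D_2 || ...  Before 1.1.0 `openssl enc`
    defaulted md to md5; from 1.1.0 on it is sha256 (count stays 1 unless -iter/-pbkdf2).
    """
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):  # extra rounds are what -iter adds
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_salted_blob(blob: bytes) -> tuple[bytes, bytes]:
    """Split `openssl enc -salt` output: b"Salted__" + 8-byte salt + ciphertext."""
    if not blob.startswith(b"Salted__") or len(blob) < 16:
        raise ValueError("not an OpenSSL 'Salted__' blob")
    return blob[8:16], blob[16:]


def derivation_agrees(password: bytes, blob: bytes, md_encrypt: str, md_decrypt: str) -> bool:
    """True only if the decrypt side reproduces the key/IV the encrypt side used.

    False is exactly the situation reported as 'bad decrypt': the ciphertext is
    intact, but the key and IV derived on the decrypt side are wrong.
    AES-256-CBC sizes are assumed (32-byte key, 16-byte IV).
    """
    salt, _ciphertext = parse_salted_blob(blob)
    return (evp_bytes_to_key(password, salt, 32, 16, md_encrypt)
            == evp_bytes_to_key(password, salt, 32, 16, md_decrypt))


# Constructed sample: a fixed salt and dummy ciphertext stand in for real openssl output.
SAMPLE_BLOB = b"Salted__" + bytes.fromhex("0011223344556677") + b"\x00" * 32
PASSWORD = b"correct horse battery staple"

if __name__ == "__main__":
    print("md5 -> sha256 agree:", derivation_agrees(PASSWORD, SAMPLE_BLOB, "md5", "sha256"))  # False
    print("sha256 -> sha256 agree:", derivation_agrees(PASSWORD, SAMPLE_BLOB, "sha256", "sha256"))  # True
```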
It is interesting that the openssl release notes say 1.1.0 was released all the way back in 2016 and it only percolated down to the alpine distro this year. Or at least to the version of alpine used in the docker container.