Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license CC4-BY
posted in category Systems Software / OpenSSL
posted at 18. Jun '23

Howto Activate Legacy Provider In OpenSSL 3 (for MD4 and others)

I use a project that generates NTLM password hashes (“Windows Sharing” feature) for users with https://github.com/krissi/ruby-smbhash, so they can log into a Samba server. OpenSSL 3 moved old cryptographic algorithms such as MD4 into a legacy provider, which has to be loaded explicitly.

OpenSSL 3 is in distros now (Debian 12, for example) and also in the ruby-build used by rbenv - https://github.com/rbenv/ruby-build/pull/2000/files - for Ruby 3.x.

The project is written in Ruby, so there should be two options:

  1. edit /etc/ssl/openssl.cnf and load the legacy provider there
  2. activate the legacy provider from Ruby code - not possible yet - https://github.com/ruby/openssl/pull/635

I’ll go with option 1 and change the configuration file.

Check If Legacy Provider Is Already Activated

echo -n "aaa" | openssl md4
Error setting digest
40073CB3CE7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (MD4 : 88), Properties ()
40073CB3CE7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:254:

OpenSSL::Digest::MD4.new('aaa')
/home/damon/.rbenv/versions/3.2.2/lib/ruby/3.2.0/openssl/digest.rb:35:in `initialize': Digest initialization failed: initialization error (OpenSSL::Digest::DigestError)

openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active

It is not.

echo -n "aaa" | openssl md4 -provider legacy
MD4(stdin)= 918d7099b77c7a06634c62ccaf5ebac7

So the legacy provider is at least compiled and can be loaded for a single invocation; it just is not activated by default.

Change The Configuration File

As root:

vim /etc/ssl/openssl.cnf

Replace

[openssl_init]
# providers = provider_sect

# List of providers to load
# [provider_sect]
# default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect

# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl.  As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
# [default_sect]
# activate = 1

With

[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
legacy = legacy_sect

# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect

# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl.  As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
activate = 1

[legacy_sect]
activate = 1
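The comment block kept in the file above carries the important caveat: once you list any provider explicitly, the default provider is no longer activated implicitly, so forgetting `[default_sect]` / `activate = 1` takes SHA-2, AES and everything else away from every program on the box. The following Ruby script is an added example (not code from the post or from ruby-smbhash) that parses the provider-related sections of an openssl.cnf and reports exactly that mistake before you restart any services. It handles only the subset of the config syntax used here (`[section]` headers, `key = value` lines, `#` comments), follows the `openssl_conf = openssl_init` pointer found at the top of the stock Debian file (falling back to `openssl_init` when the pointer is absent, as in the excerpt above), and the three sample configs are constructed inline.

```ruby
# Added example: a checker for the provider sections of an openssl.cnf.
# Not part of the original post. Only the config subset used by the post is
# parsed: "[section]" headers, "key = value" lines and "#" comments.

TOP = "(top)".freeze # label for the unnamed section before the first header

def parse_openssl_cnf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = TOP
  text.each_line do |raw|
    line = raw.sub(/#.*/, "").strip # drop comments and surrounding whitespace
    next if line.empty?
    if (m = line.match(/\A\[\s*(\S+)\s*\]\z/))
      current = m[1]
    elsif (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2].strip
    end
  end
  sections
end

# Names of providers whose section has "activate = 1", following the chain
# openssl_conf -> [openssl_init] providers -> [provider_sect] -> [<x>_sect].
def active_providers(cfg)
  init_name = cfg[TOP]["openssl_conf"] || "openssl_init"
  list_name = cfg[init_name]["providers"]
  return [] if list_name.nil?
  cfg[list_name].filter_map do |provider, sect|
    provider if cfg[sect]["activate"] == "1"
  end
end

# Two things worth catching: legacy still not activated (MD4 stays
# unavailable), and some provider activated while default is not (default
# then becomes unavailable, exactly the situation the config comment warns about).
def check_provider_config(text)
  active = active_providers(parse_openssl_cnf(text))
  problems = []
  problems << "legacy provider not activated" unless active.include?("legacy")
  if !active.empty? && !active.include?("default")
    problems << "default provider not activated while #{active.join(', ')} is"
  end
  { active: active, problems: problems }
end

# Constructed samples: the stock file, the edited file, and the mistake.
BEFORE_CNF = <<~CNF
  [openssl_init]
  # providers = provider_sect
CNF

AFTER_CNF = <<~CNF
  openssl_conf = openssl_init

  [openssl_init]
  providers = provider_sect

  [provider_sect]
  default = default_sect
  legacy = legacy_sect

  [default_sect]
  activate = 1

  [legacy_sect]
  activate = 1
CNF

LEGACY_ONLY_CNF = <<~CNF
  [openssl_init]
  providers = provider_sect

  [provider_sect]
  legacy = legacy_sect

  [legacy_sect]
  activate = 1
CNF

if $PROGRAM_NAME == __FILE__
  { "before" => BEFORE_CNF, "after" => AFTER_CNF, "legacy only" => LEGACY_ONLY_CNF }.each do |label, cnf|
    puts "#{label}: #{check_provider_config(cnf)}"
  end
end
```

Run it against the real file with `check_provider_config(File.read("/etc/ssl/openssl.cnf"))`; an empty `problems` array together with `["default", "legacy"]` in `active` is what you want to see before moving on to the test below.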

Test Newly Activated Legacy Provider

echo -n "aaa" | openssl md4
MD4(stdin)= 918d7099b77c7a06634c62ccaf5ebac7

OpenSSL::Digest::MD4.new('aaa').hexdigest
=> "918d7099b77c7a06634c62ccaf5ebac7"

openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.9
    status: active
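The three checks above can be folded into one Ruby script that a deployment pipeline or a test suite's setup can run: parse the output of `openssl list -providers` to see which providers are active, then probe MD4 from inside the Ruby process (which is what matters for ruby-smbhash, since the gem uses whatever libcrypto and config the Ruby binary picked up). This is an added example, not code from the post or the gem; the provider listing is a constructed copy of the output shown above, the function and constant names are my own, and the NT hash helper (MD4 over the UTF-16LE password, the computation the Samba use case needs) returns nil instead of raising when the legacy provider is not loaded.

```ruby
# Added example: verify the legacy provider from Ruby. Not part of the post.
require "openssl"

# Parses the text printed by `openssl list -providers` into
# { "default" => { "name" => ..., "version" => ..., "status" => ... }, ... }.
# Provider names are indented by two spaces, their attributes by four.
def parse_provider_list(text)
  providers = {}
  current = nil
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty? || line == "Providers:"
    if (m = line.match(/\A  (\S+)\z/))
      current = providers[m[1]] = {}
    elsif current && (m = line.match(/\A\s+(\w+):\s*(.*)\z/))
      current[m[1]] = m[2]
    end
  end
  providers
end

def active_provider_names(text)
  parse_provider_list(text).select { |_, attrs| attrs["status"] == "active" }.keys
end

# Probes MD4 in this process. With OpenSSL 3 and no legacy provider the
# digest object is created but initialization fails with
# OpenSSL::Digest::DigestError (the error shown in the post); a ruby/openssl
# built without MD4 at all raises RuntimeError instead. Both are reported.
def md4_status(data = "aaa")
  hex = OpenSSL::Digest.new("MD4").update(data).hexdigest
  { available: true, digest: hex }
rescue OpenSSL::Digest::DigestError, RuntimeError => e
  { available: false, error: e.message }
end

# NT hash as Samba stores it: MD4 over the password encoded as UTF-16LE.
# Returns nil when MD4 is unavailable so the caller can fail cleanly.
def nt_hash(password)
  status = md4_status(password.encode("UTF-16LE"))
  status[:available] ? status[:digest] : nil
end

# Constructed sample: the listing printed after the config change.
SAMPLE_PROVIDER_LIST = <<~OUT
  Providers:
    default
      name: OpenSSL Default Provider
      version: 3.0.9
      status: active
    legacy
      name: OpenSSL Legacy Provider
      version: 3.0.9
      status: active
OUT

if $PROGRAM_NAME == __FILE__
  live = `openssl list -providers 2>/dev/null`
  puts "active providers (openssl CLI): #{active_provider_names(live).inspect}" unless live.empty?
  puts "MD4 in this Ruby: #{md4_status.inspect}"
end
```

Note that the CLI and the Ruby process can disagree: rbenv's Ruby links against whichever OpenSSL ruby-build compiled it with, and that library reads its own openssl.cnf (see `OpenSSL::OPENSSL_CONF` or `openssl version -d` for the directory in use), which is why the probe inside Ruby is the check that counts for the gem.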

And that’s it. The legacy provider is loaded, I can use MD4 and the tests pass.



Comments (1)

xHire
2024-01-13 22:49:51 UTC
Hey! Thank you so much for this post, you saved me hours and hours of troubleshooting! My error was `Neither PUB key nor PRIV key: bad decrypt (OpenSSL::PKey::RSAError)` – who would have thought that the cause is a missing provider, because RSA is legacy now or something… Anyway, I’ve put more info about my use case to my blog: https://www.semirocket.science/noteblog/2024/01/ruby-openssl-3.0-neither-pub-key-nor-priv-key-bad-decrypt-openssl-pkey-rsaerror/ Thanks!