While investigating #7065 I noticed that creating a PKCS12 truststore using openssl uses different parameters compared to serialization.BestAvailableEncryption of cryptography:
OpenSSL 1.1.1n 15 Mar 2022:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
cryptography 37.0.0 dev (serialization.BestAvailableEncryption):
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 20000
keytool java-18-openjdk 18.0.1.u10:
MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
keytool java-8-openjdk 8.332.u04:
MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
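To read the "MAC: ..., Iteration ..., salt length ..." values compared above straight from a PKCS#12 file, here is an added stdlib-only DER walker (example code, not from pyca/cryptography, OpenSSL or the issue author) that extracts the MacData parameters and flags weak ones. The PFX blobs it parses are constructed inline, and the 10000-round threshold in weak_mac is this example's own choice.

```python
SHA1_OID = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26
SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1
DIGEST_NAMES = {SHA1_OID: "sha1", SHA256_OID: "sha256"}

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80                 # short-form DER encoder, enough for the samples below
    return bytes([tag, len(body)]) + body

def _read(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, value, position after it); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes) -> list:
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read(value, pos)
        out.append((tag, val))
    return out

def pkcs12_mac_params(pfx: bytes) -> dict:
    """PFX ::= SEQ { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }
    MacData ::= SEQ { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER DEFAULT 1 }"""
    top = _children(_read(pfx, 0)[1])
    if len(top) < 3:
        return {"mac": None}                # macData absent: no integrity protection at all
    mac_data = _children(top[2][1])
    digest_info = _children(mac_data[0][1])           # [AlgorithmIdentifier, digest]
    alg_oid = _children(digest_info[0][1])[0][1]      # first child of AlgorithmIdentifier is the OID
    # iterations has DEFAULT 1, so a DER encoder omits the field when the count is exactly 1
    iterations = int.from_bytes(mac_data[2][1], "big") if len(mac_data) > 2 else 1
    return {"mac": DIGEST_NAMES.get(alg_oid, alg_oid.hex()), "mac_length": len(digest_info[1][1]),
            "salt_length": len(mac_data[1][1]), "iterations": iterations}

def weak_mac(p: dict) -> bool:
    """Policy used in this example: no MAC, SHA-1, or fewer rounds than keytool 18's 10000."""
    return p["mac"] is None or p["mac"] == "sha1" or p["iterations"] < 10000

def sample_pfx(digest_oid: bytes, salt_len: int, iterations: int) -> bytes:
    """Constructed sample: version 3, an empty 'data' ContentInfo, and the MacData under test."""
    alg = _tlv(0x30, _tlv(0x06, digest_oid) + _tlv(0x05, b""))
    digest = _tlv(0x04, b"\x00" * (32 if digest_oid == SHA256_OID else 20))
    mac_data = _tlv(0x30, alg + digest) + _tlv(0x04, b"\x11" * salt_len)
    if iterations != 1:                     # the DEFAULT value must be omitted in DER
        mac_data += _tlv(0x02, iterations.to_bytes((iterations.bit_length() + 8) // 8, "big"))
    auth_safe = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010701")) + _tlv(0xA0, _tlv(0x04, b"")))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth_safe + _tlv(0x30, mac_data))
```

On a real .p12 file, `pkcs12_mac_params(open(path, "rb").read())` returns the same fields that the openssl and keytool output above reports.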
This is covered by #7043, although we appreciate the additional data 😄 Closing in favor of that issue, but we can continue discussion there. In general we're in favor of ratcheting up the encryption quality but we need to do some work to enable it.
Not sure if this is of relevance.
Relevant code: cryptography/src/cryptography/hazmat/backends/openssl/backend.py, lines 2202 to 2212 in d295365
Commit that changed defaults in OpenSSL 3.0.2:
openssl/openssl@762970b