PHP openssl_pkcs12_read "error:0308010C:digital envelope routines::unsupported"

Question

I'm getting the error Error message "error:0308010C:digital envelope routines::unsupported" when trying to open a .pfx file:

$result = openssl_pkcs12_read($content, $certdata, $pass);
$error = openssl_error_string(); // "error:0308010C:digital envelope routines::unsupported"

In terminal (Ubuntu 22.04):

user@user-tp:~$ php -i | grep -i openssl
SSL Version => OpenSSL/3.0.2
libSSH Version => libssh/0.9.6/openssl/zlib
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 3.0.2 15 Mar 2022
OpenSSL Header Version => OpenSSL 3.0.2 15 Mar 2022
Openssl default config => /usr/lib/ssl/openssl.cnf
openssl.cafile => no value => no value
openssl.capath => no value => no value
Native OpenSSL support => enabled

If I try to open the file in terminal I get the same error:

openssl pkcs12 -in file.pfx -nodes

But if I use the -legacy param it works fine.

How can I use it in PHP without errors?

Answer 1

You can enable legacy option for Openssl 3:

Find and open the file at /etc/ssl/openssl.cnf

At the [default_sect] section change it to the following:

[default_sect]
activate = 1
[legacy_sect]
activate = 1

Then find the [provider_sect] and change it to the following:

[provider_sect]
default = default_sect
legacy = legacy_sect

After this save the file and restart your PHP application and it should work fine.

Answer 2

You can handle Marcelo's solution in few commands (e.g. for Docker building image purpose):

sed -i '/^default = default_sect/a legacy = legacy_sect' /etc/ssl/openssl.cnf
sed -i '/^\[default_sect\]/a activate = 1' /etc/ssl/openssl.cnf
printf "[legacy_sect]\nactivate = 1" >> /etc/ssl/openssl.cnf

Btw. more info about default and legacy providers you can find on the OpenSSL wiki