mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
apps: Change default cipher to aes-256-cbc for req, cms and smime apps
Update `CHANGES.md` and `NEWS.md`; remove `no-des` guard from req, cms, and smime apps Update MAN pages for default cipher; fix styling by removing braces around single statements Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25839)
This commit is contained in:
parent
1d160dbf39
commit
539b17b658
@ -30,6 +30,13 @@ OpenSSL 3.4
|
|||||||
|
|
||||||
### Changes between 3.4 and 3.5 [xx XXX xxxx]
|
### Changes between 3.4 and 3.5 [xx XXX xxxx]
|
||||||
|
|
||||||
|
* Updated the default encryption cipher for the `req`, `cms`, and `smime` applications
|
||||||
|
from `des-ede3-cbc` to `aes-256-cbc`.
|
||||||
|
|
||||||
|
AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
|
||||||
|
|
||||||
|
*Aditya*
|
||||||
|
|
||||||
* Enhanced PKCS#7 inner contents verification.
|
* Enhanced PKCS#7 inner contents verification.
|
||||||
In the PKCS7_verify() function, the BIO *indata parameter refers to the
|
In the PKCS7_verify() function, the BIO *indata parameter refers to the
|
||||||
signed data if the content is detached from p7. Otherwise, indata should be
|
signed data if the content is detached from p7. Otherwise, indata should be
|
||||||
|
3
NEWS.md
3
NEWS.md
@ -33,7 +33,8 @@ This release is in development.
|
|||||||
This release incorporates the following potentially significant or incompatible
|
This release incorporates the following potentially significant or incompatible
|
||||||
changes:
|
changes:
|
||||||
|
|
||||||
* none yet
|
* Default encryption cipher for the `req`, `cms`, and `smime` applications
|
||||||
|
changed from `des-ede3-cbc` to `aes-256-cbc`.
|
||||||
|
|
||||||
This release adds the following new features:
|
This release adds the following new features:
|
||||||
|
|
||||||
|
11
apps/cms.c
11
apps/cms.c
@ -822,15 +822,8 @@ int cms_main(int argc, char **argv)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (operation == SMIME_ENCRYPT) {
|
if (operation == SMIME_ENCRYPT) {
|
||||||
if (!cipher) {
|
if (!cipher)
|
||||||
#ifndef OPENSSL_NO_DES
|
cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
|
||||||
cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
|
||||||
#else
|
|
||||||
BIO_printf(bio_err, "No cipher selected\n");
|
|
||||||
goto end;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
if (secret_key && !secret_keyid) {
|
if (secret_key && !secret_keyid) {
|
||||||
BIO_printf(bio_err, "No secret key id\n");
|
BIO_printf(bio_err, "No secret key id\n");
|
||||||
goto end;
|
goto end;
|
||||||
|
@ -275,9 +275,7 @@ int req_main(int argc, char **argv)
|
|||||||
long newkey_len = -1;
|
long newkey_len = -1;
|
||||||
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
|
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DES
|
cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
|
||||||
cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
opt_set_unknown_name("digest");
|
opt_set_unknown_name("digest");
|
||||||
prog = opt_init(argc, argv, req_options);
|
prog = opt_init(argc, argv, req_options);
|
||||||
|
10
apps/smime.c
10
apps/smime.c
@ -471,14 +471,8 @@ int smime_main(int argc, char **argv)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (operation == SMIME_ENCRYPT) {
|
if (operation == SMIME_ENCRYPT) {
|
||||||
if (cipher == NULL) {
|
if (cipher == NULL)
|
||||||
#ifndef OPENSSL_NO_DES
|
cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
|
||||||
cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
|
||||||
#else
|
|
||||||
BIO_printf(bio_err, "No cipher selected\n");
|
|
||||||
goto end;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
encerts = sk_X509_new_null();
|
encerts = sk_X509_new_null();
|
||||||
if (encerts == NULL)
|
if (encerts == NULL)
|
||||||
goto end;
|
goto end;
|
||||||
|
@ -406,16 +406,16 @@ One or more certificate filenames may be given.
|
|||||||
|
|
||||||
=item B<-I<cipher>>
|
=item B<-I<cipher>>
|
||||||
|
|
||||||
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
|
The encryption algorithm to use. For example, AES (256 bits) - B<-aes256>
|
||||||
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
|
or triple DES (168 bits) - B<-des3>. Any standard algorithm name (as used by the
|
||||||
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
|
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
|
||||||
example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
|
example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
|
||||||
supported by your version of OpenSSL.
|
supported by your version of OpenSSL.
|
||||||
|
|
||||||
Currently the AES variants with GCM mode are the only supported AEAD
|
Currently, the AES variants with GCM mode are the only supported AEAD
|
||||||
algorithms.
|
algorithms.
|
||||||
|
|
||||||
If not specified triple DES is used. Only used with B<-encrypt> and
|
If not specified, AES-256-CBC is used as the default. Only used with B<-encrypt> and
|
||||||
B<-EncryptedData_create> commands.
|
B<-EncryptedData_create> commands.
|
||||||
|
|
||||||
=item B<-wrap> I<cipher>
|
=item B<-wrap> I<cipher>
|
||||||
@ -896,6 +896,8 @@ L<ossl_store-file(7)>
|
|||||||
|
|
||||||
=head1 HISTORY
|
=head1 HISTORY
|
||||||
|
|
||||||
|
The default encryption cipher was changed from 3DES to AES-256 in OpenSSL 3.5.
|
||||||
|
|
||||||
The use of multiple B<-signer> options and the B<-resign> command were first
|
The use of multiple B<-signer> options and the B<-resign> command were first
|
||||||
added in OpenSSL 1.0.0.
|
added in OpenSSL 1.0.0.
|
||||||
|
|
||||||
|
@ -90,8 +90,7 @@ The data is a PKCS#10 object.
|
|||||||
=item B<-cipher> I<name>
|
=item B<-cipher> I<name>
|
||||||
|
|
||||||
Specify the cipher to be used for encrypting the private key.
|
Specify the cipher to be used for encrypting the private key.
|
||||||
The default cipher is 3DES (DES-EDE3-CBC).
|
If no cipher is specified, AES-256-CBC will be used by default.
|
||||||
If no cipher is specified, 3DES will be used by default.
|
|
||||||
You can override this by providing any valid OpenSSL cipher name.
|
You can override this by providing any valid OpenSSL cipher name.
|
||||||
|
|
||||||
=item B<-in> I<filename>
|
=item B<-in> I<filename>
|
||||||
@ -836,6 +835,8 @@ L<x509v3_config(5)>
|
|||||||
|
|
||||||
=head1 HISTORY
|
=head1 HISTORY
|
||||||
|
|
||||||
|
The default encryption cipher was changed from 3DES to AES-256 in OpenSSL 3.5.
|
||||||
|
|
||||||
The B<-section> option was added in OpenSSL 3.0.0.
|
The B<-section> option was added in OpenSSL 3.0.0.
|
||||||
|
|
||||||
The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
|
The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
|
||||||
|
@ -167,13 +167,13 @@ default digest algorithm for the signing key will be used (usually SHA1).
|
|||||||
|
|
||||||
=item B<-I<cipher>>
|
=item B<-I<cipher>>
|
||||||
|
|
||||||
The encryption algorithm to use. For example DES (56 bits) - B<-des>,
|
The encryption algorithm to use. For example, DES (56 bits) - B<-des>,
|
||||||
triple DES (168 bits) - B<-des3>,
|
triple DES (168 bits) - B<-des3>, or AES (256 bits) - B<-aes256>.
|
||||||
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
|
Any standard algorithm name (as used by the EVP_get_cipherbyname() function)
|
||||||
example B<-aes-128-cbc>. See L<openssl-enc(1)> for list of ciphers
|
can also be used, preceded by a dash, for example B<-aes-128-cbc>.
|
||||||
supported by your version of OpenSSL.
|
See L<openssl-enc(1)> for a list of ciphers supported by your version of OpenSSL.
|
||||||
|
|
||||||
If not specified triple DES is used. Only used with B<-encrypt>.
|
If not specified, AES-256-CBC is used as the default. Only used with B<-encrypt>.
|
||||||
|
|
||||||
=item B<-nointern>
|
=item B<-nointern>
|
||||||
|
|
||||||
@ -468,6 +468,8 @@ L<ossl_store-file(7)>
|
|||||||
|
|
||||||
=head1 HISTORY
|
=head1 HISTORY
|
||||||
|
|
||||||
|
The default encryption cipher was changed from 3DES to AES-256 in OpenSSL 3.5.
|
||||||
|
|
||||||
The use of multiple B<-signer> options and the B<-resign> command were first
|
The use of multiple B<-signer> options and the B<-resign> command were first
|
||||||
added in OpenSSL 1.0.0
|
added in OpenSSL 1.0.0
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user