
I’m getting the error "error:0308010C:digital envelope routines::unsupported" when trying to open a .pfx file:

$result = openssl_pkcs12_read($content, $certdata, $pass);
$error = openssl_error_string(); // "error:0308010C:digital envelope routines::unsupported"

In terminal (Ubuntu 22.04):

user@user-tp:~$ php -i | grep -i openssl
SSL Version => OpenSSL/3.0.2
libSSH Version => libssh/0.9.6/openssl/zlib
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 3.0.2 15 Mar 2022
OpenSSL Header Version => OpenSSL 3.0.2 15 Mar 2022
Openssl default config => /usr/lib/ssl/openssl.cnf
openssl.cafile => no value => no value
openssl.capath => no value => no value
Native OpenSSL support => enabled

If I try to open the file in terminal I get the same error:

openssl pkcs12 -in file.pfx -nodes

But if I use the -legacy param it works fine.

How can I use it in PHP without errors?

3 Answers


  1. I had the same issue, which was due to OpenSSL being upgraded to version 3 in Ubuntu 22.04. The issue occurred on a Google Calendar API integration using a P12 file.

    I tried downgrading it to OpenSSL 1.1 (changing the app itself was not an option), but unsuccessfully.

    At last the solution was to redeploy my app on a new server with Ubuntu 20.04… worked out of the box.

  2. You can enable the legacy option for OpenSSL 3:

    Find and open the file at /etc/ssl/openssl.cnf

    At the [default_sect] section change it to the following:

    [default_sect]
    activate = 1
    [legacy_sect]
    activate = 1
    

    Then find the [provider_sect] and change it to the following:

    [provider_sect]
    default = default_sect
    legacy = legacy_sect
    

    After this save the file and restart your PHP application and it should work fine.

  3. You can handle Marcelo’s solution in a few commands (e.g. for Docker image building purposes):

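    # Register the legacy provider next to the default one in [provider_sect]
    sed -i '/^default = default_sect/a legacy = legacy_sect' /etc/ssl/openssl.cnf
    # Activate the default provider (brackets escaped so they match literally)
    sed -i '/^\[default_sect\]/a activate = 1' /etc/ssl/openssl.cnf
    # Append the legacy provider section
    printf '\n[legacy_sect]\nactivate = 1\n' >> /etc/ssl/openssl.cnf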
    

    By the way, you can find more info about the default and legacy providers on the OpenSSL wiki.

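Added example, not part of any answer above: editing /etc/ssl/openssl.cnf turns the legacy algorithms on for every program on the host, so this sketch writes the same provider settings to a per-application file and adds a check that lists which providers a given config activates. The function names and the file path in the comments are assumptions.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical.

# write_legacy_conf FILE
# Write a minimal OpenSSL 3 config that activates the default and legacy
# providers (the same settings the answers put into /etc/ssl/openssl.cnf).
write_legacy_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

# active_providers FILE
# Print, one per line, every provider that FILE lists in [provider_sect] and
# whose section carries an uncommented "activate = 1" (the form used on this
# page). A stock config with "# activate = 1" prints nothing: OpenSSL then
# loads only the default provider implicitly.
active_providers() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }      # drop comments and blanks
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == "provider_sect" && /=/ { split($0, kv, "="); ref[kv[1]] = kv[2]; next }
        $0 == "activate=1" { on[sec] = 1 }
        END { for (n in ref) if (on[ref[n]]) print n }
    ' "$1" | sort
}

# Typical use (path is an assumption):
#   write_legacy_conf /srv/app/openssl-legacy.cnf
#   active_providers /srv/app/openssl-legacy.cnf   # default, legacy
#   active_providers /etc/ssl/openssl.cnf          # audit the system config
```

Point only the PHP process that reads the old .pfx at the generated file through the `OPENSSL_CONF` environment variable, and use `active_providers` on /etc/ssl/openssl.cnf to confirm the system-wide config still leaves the legacy provider off.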