FiloSottile/mkcert

Generated PFX (.p12) not working with Node v17+ due to RC2 cipher

bgever opened this issue · 1 comment

Environment

  • Operating system (including version): macOS 13.1
  • mkcert version (from mkcert -version): v1.4.4
  • Server (where the certificate is loaded): Node.js v18.12.1
  • Client (e.g. browser, CLI tool, or script): Node.js CLI (webpack-dev-server@4.11.1)

What you did

I'm using the webpack dev server, and prefer to use the PFX method as it only creates a single file on the filesystem.

  • Installed the CA with mkcert -install
  • Created a new PFX with mkcert -pkcs12 localhost
  • Ran webpack with the server config for HTTPS, loading the PFX (.p12) file.

Webpack config:

devServer: {
  server: {
    type: 'https',
    options: {
      pfx: './localhost.p12',
      passphrase: 'changeit'
    }
  }
}

What went wrong

Webpack is unable to serve with the following error:

> webpack serve --color --mode development

<i> [webpack-dev-server] SSL certificate: /Users/bart/myapp/node_modules/.cache/webpack-dev-server/server.pem
[webpack-cli] Error: unsupported
    at configSecureContext (node:internal/tls/secure-context:277:15)
    at Object.createSecureContext (node:_tls_common:117:3)
    at Server.setSecureContext (node:_tls_wrap:1352:27)
    at Server (node:_tls_wrap:1211:8)
    at new Server (node:https:74:3)
    at Object.createServer (node:https:112:10)
    at Server.createServer (/Users/bart/myapp/node_modules/webpack-dev-server/lib/Server.js:2443:57)
    at Server.initialize (/Users/bart/myapp/node_modules/webpack-dev-server/lib/Server.js:1820:10)
    at Server.start (/Users/bart/myapp/node_modules/webpack-dev-server/lib/Server.js:3251:16)
    at async Command.<anonymous> (/Users/bart/myapp/node_modules/@webpack-cli/serve/lib/index.js:159:21)

Searching for the problem led me to this Node.js bug report: nodejs/node#40672

It mentions that the RC2 cipher has been disabled since Node 17. The suggested command to list the PFX details confirms the use of the RC2 cipher; see pbeWithSHA1And40BitRC2-CBC below.

$ openssl pkcs12 -info -in localhost.p12 -noout
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Is it possible to generate a PFX without using RC2?

In the meantime, I'm using the PEM files approach instead.

bgever commented

Would the solution to explicitly state the ciphers for openssl also work for mkcert internals?
See homebridge/homebridge-config-ui-x#1428 (comment)
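
The check done with openssl pkcs12 -info in the issue above can also be run from Node before the file reaches tls.createSecureContext. This is an added example, not code from mkcert, Node.js or the issue author: it walks the DER structure of a .p12 and reports each PKCS#12 password-based encryption algorithm it finds. The names readTlv, collectPbeIds and auditPfx are hypothetical, definite-length DER is assumed, and SAMPLE_PFX is a constructed skeleton rather than a real keystore.

```javascript
// PKCS#12 PBE OIDs are 1.2.840.113549.1.12.1.<id>; DER-encoded prefix in hex:
const PBE_PREFIX = '2a864886f70d010c01';
const PBE_NAMES = {
  1: 'pbeWithSHA1And128BitRC4', 2: 'pbeWithSHA1And40BitRC4',
  3: 'pbeWithSHA1And3-KeyTripleDES-CBC', 4: 'pbeWithSHA1And2-KeyTripleDES-CBC',
  5: 'pbeWithSHA1And128BitRC2-CBC', 6: 'pbeWithSHA1And40BitRC2-CBC',
};
// RC2 and RC4 sit in OpenSSL 3's legacy provider, which Node 17+ does not load by default.
const LEGACY_IDS = new Set([1, 2, 5, 6]);

// Read one definite-length TLV header at pos (assumption: no indefinite-length BER).
function readTlv(buf, pos) {
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) {                         // long form: low 7 bits = count of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported DER length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start + i];
    start += n;
  }
  if (!(start + len <= buf.length)) throw new Error('truncated DER');
  return { tag: buf[pos], start, end: start + len };
}

// Walk the tree and collect the <id> of every PKCS#12 PBE OID, in file order.
function collectPbeIds(buf, found = []) {
  for (let pos = 0; pos < buf.length; ) {
    const { tag, start, end } = readTlv(buf, pos);
    const body = buf.subarray(start, end);
    if (tag === 0x06) {                     // OBJECT IDENTIFIER
      const hex = Buffer.from(body).toString('hex');
      if (hex.length === PBE_PREFIX.length + 2 && hex.startsWith(PBE_PREFIX)) found.push(body[body.length - 1]);
    } else if (tag & 0x20) {                // constructed: SEQUENCE, SET, [0] EXPLICIT
      collectPbeIds(body, found);
    } else if (tag === 0x04 && body[0] === 0x30) {
      // OCTET STRING that may wrap nested DER (authSafe, SafeContents); ciphertext fails to parse.
      try { found.push(...collectPbeIds(body)); } catch { /* opaque bytes, skip */ }
    }
    pos = end;
  }
  return found;
}
const auditPfx = (buf) => collectPbeIds(buf).map((id) => (
  { algorithm: PBE_NAMES[id] || `pkcs12PbeId ${id}`, needsLegacyProvider: LEGACY_IDS.has(id) }));
// Constructed sample: only the DER skeleton around the two algorithm OIDs from the issue.
const der = (tag, ...parts) => Buffer.concat([Buffer.from([tag, Buffer.concat(parts).length]), ...parts]);
const pbeOid = (id) => der(0x06, Buffer.from(PBE_PREFIX + '0' + id, 'hex'));
const SAMPLE_PFX = der(0x30, der(0x04, der(0x30,
  der(0x30, pbeOid(6), der(0x80, Buffer.from('00ff', 'hex'))),                          // encrypted certificate bags
  der(0x04, der(0x30, der(0x30, pbeOid(3)), der(0x04, Buffer.from('00ff', 'hex')))))));  // shrouded key bag
```

Against a real file, pass the result of fs.readFileSync('./localhost.p12') to auditPfx; any entry with needsLegacyProvider set to true matches the condition the issue ties to the "unsupported" error on Node 17+.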