Use modern algorithm when generating p12 file. Fixes: #4 #7

Merged
merged 2 commits into from
Jan 2, 2024

Contributor

@sarim sarim commented Dec 31, 2023

I updated the code to use the new modern encoder made available in SSLMate/go-pkcs12#48
Previously symfony-cli was using the old algorithm, which newer Node.js does not support. It was causing webpack encore (and vite too) to fail if symfony's pfx was used. Main issue: symfony/webpack-encore#1187

After this is merged and a new version is tagged, I can open another PR in https://github.com/symfony-cli/symfony-cli to use the new version and also update the Symfony docs to no longer need the workaround NODE_OPTIONS=--openssl-legacy-provider

sarim added 2 commits January 1, 2024 01:49
- Replaces pkcs12.Encode call with pkcs12.Modern.Encode
- Replaces deprecated pkcs12.ToPEM with pkcs12.DecodeChain

@fabpot
Contributor

fabpot commented Jan 1, 2024

@tucksaun Can you have a look at this PR? Should fix #4 I suppose

@tucksaun
Member

tucksaun commented Jan 2, 2024

@fabpot LGTM (but can't test it at the moment)

@sarim sarim changed the title Use modern algorithm when generating p12 file Use modern algorithm when generating p12 file. Fixes: #4 Jan 2, 2024
@sarim
Contributor Author

sarim commented Jan 2, 2024

> @tucksaun Can you have a look at this PR? Should fix #4 I suppose

Yes, it fixes #4. I forgot to add it to the title.

> @fabpot LGTM (but can't test it at the moment)

Thanks for taking a look. If it helps, here's how I tested it.

In /home/gittu/symfony-cli's go.mod file I added `replace github.com/symfony-cli/cert => /home/gittu/symfony-cli-cert` so it uses my fork. Then I deleted ~/.symfony5/certs/default.p12 and ran server:start with symfony-cli. I checked with the openssl command and tried to use default.p12 with node. Here are the results of both the system one and my one.

Output from system one (installed via apt).
↪ ...backend (master *) ➤ rm ~/.symfony5/certs/default.p12
rm: remove regular file '/home/gittu/.symfony5/certs/default.p12'? y
↪ ...backend (master *) ➤ symfony server:start

 [WARNING] The local web server is optimized for local development and MUST never be used in a production setup.

 [OK] Web server listening
      The Web server is using PHP FPM 8.2.14
      https://127.0.0.1:8005

Stream the logs via symfony server:log
↪ ...backend (master *) ➤ openssl pkcs12 -info -in ~/.symfony5/certs/default.p12 -noout
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
408712696C7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
↪ ...backend (master *) ➤ yarn dev
yarn run v1.22.19
$ vite
error when starting dev server:
Error: unsupported
    at configSecureContext (node:internal/tls/secure-context:279:15)
    at Object.createSecureContext (node:_tls_common:117:3)
    at Server.setSecureContext (node:_tls_wrap:1354:27)
    at new Server (node:_tls_wrap:1218:8)
    at new Http2SecureServer (node:internal/http2/core:3144:5)
    at createSecureServer (node:internal/http2/core:3323:10)
    at resolveHttpServer (file:///home/gittu/backend/node_modules/.pnpm/[email protected]/node_modules/vite/dist/node/chunks/dep-R0I0XnyH.js:48574:16)
    at async _createServer (file:///home/gittu/backend/node_modules/.pnpm/[email protected]/node_modules/vite/dist/node/chunks/dep-R0I0XnyH.js:59984:11)
    at async CAC.<anonymous> (file:///home/gittu/backend/node_modules/.pnpm/[email protected]/node_modules/vite/dist/node/cli.js:764:24)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

Output from my one.
↪ ...backend (master *) ➤ rm ~/.symfony5/certs/default.p12
rm: remove regular file '/home/gittu/.symfony5/certs/default.p12'? y
↪ ...backend (master *) ➤ ~/symfony-cli/symfony-cli server:start

 [WARNING] The local web server is optimized for local development and MUST never be used in a production setup.

 [OK] Web server listening
      The Web server is using PHP FPM 8.2.14
      https://127.0.0.1:8005

Stream the logs via symfony-cli server:log
↪ ...backend (master *) ➤ openssl pkcs12 -info -in ~/.symfony5/certs/default.p12 -noout
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 16
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
↪ ...backend (master *) ➤ yarn dev
yarn run v1.22.19
$ vite
Forced re-optimization of dependencies
Port 5173 is in use, trying another one...

  VITE v5.0.10  ready in 219 ms

  ➜  Local:   https://localhost:5174/build/
  ➜  Network: use --host to expose
  ➜  Vite ⚡️Symfony: vite-plugin-symfony: v6.3.2, pentatrion/vite-bundle: vv6.3.2
  ➜  press h + enter to show help

Check the "PKCS7 Encrypted data:" line of the openssl output. Also, the node server fails vs. successfully starts https.

@fabpot fabpot merged commit 256b4c7 into symfony-cli:main Jan 2, 2024
5 checks passed
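
A check for existing files, built from the two `openssl pkcs12 -info` outputs in the test comment above. This is an added example, not part of the PR or of symfony-cli; `classify_p12_info` is a hypothetical helper name, and the sample text is copied from those two outputs.

```shell
#!/bin/sh
# Added example (not from the PR). classify_p12_info is a hypothetical helper.
# Samples: lines copied from the two `openssl pkcs12 -info` runs on this page.
LEGACY_SAMPLE='MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048'
MODERN_SAMPLE='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 16
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Reads `openssl pkcs12 -info -noout` text on stdin, prints findings and a
# final verdict line ("legacy" or "modern"); exit status 1 means legacy.
# The ( ) body runs in a subshell so its variables stay local in POSIX sh.
classify_p12_info() (
    verdict=modern
    while IFS= read -r line; do
        case "$line" in
            *pbeWithSHA1And*)   # PKCS#12 v1 PBE scheme, e.g. 40-bit RC2
                echo "finding: legacy PBE in ${line%%:*}: ${line#*: }"
                verdict=legacy ;;
            "MAC: sha1,"*)      # integrity MAC as written by the old encoder
                echo "finding: SHA-1 MAC: ${line#MAC: }"
                verdict=legacy ;;
            *": PBES2,"*)       # PBES2 container, as in the new output
                echo "ok: ${line%%:*} uses PBES2" ;;
        esac
    done
    echo "$verdict"
    [ "$verdict" = modern ]
)

# Real file: openssl pkcs12 -info -in FILE -noout 2>&1 | classify_p12_info
for sample in "$LEGACY_SAMPLE" "$MODERN_SAMPLE"; do
    printf '%s\n' "$sample" | classify_p12_info ||
        echo "action: upgrade symfony-cli, delete the old default.p12"
    echo "---"
done
```
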
@fabpot
Contributor

fabpot commented Jan 2, 2024

I've released a new version of Symfony CLI, can you double-check that it works well for you?

@sarim
Contributor Author

sarim commented Jan 2, 2024

@fabpot Yes, I just upgraded via apt. The new version is generating the modern p12 file :)

@fabpot
Contributor

fabpot commented Jan 2, 2024

Maybe we need some docs about how to upgrade an existing p12?

@sarim
Contributor Author

sarim commented Jan 2, 2024

Yes, there's already a note at
https://github.com/symfony/symfony-docs/blob/50a296fc648774e3cab0c60331f664727424fcb7/frontend/encore/dev-server.rst?plain=1#L78-L85
Should I open a PR there informing users to upgrade to latest version of symfony-cli and delete old ~/.symfony5/certs/default.p12?

@fabpot
Contributor

fabpot commented Jan 2, 2024

> Yes, there's already a note at https://github.com/symfony/symfony-docs/blob/50a296fc648774e3cab0c60331f664727424fcb7/frontend/encore/dev-server.rst?plain=1#L78-L85 Should I open a PR there informing users to upgrade to latest version of symfony-cli and delete old ~/.symfony5/certs/default.p12?

Let's update the recommendation to use the latest CLI version and remove the old p12 file. Can you submit a PR there? Thank you for your help on this topic.

@sarim
Contributor Author

sarim commented Jan 2, 2024

Yes, I opened a PR in the docs repo: symfony/symfony-docs#19369

OskarStark added a commit to symfony/symfony-docs that referenced this pull request Jan 3, 2024
…y-cli for node.js 17+ tls compatibility (sarim)

This PR was merged into the 5.4 branch.

Discussion
----------

[Encore] Update note instructing users to upgrade symfony-cli for node.js 17+ tls compatibility

This note telling users to use `--openssl-legacy-provider` flag is no longer needed with certificate generated by latest symfony-cli.

Context:
symfony-cli/cert#4
symfony-cli/cert#7
symfony/webpack-encore#1187

Commits
-------

dd092c7 [Encore] Update note instructing users to upgrade symfony-cli for node.js 17+ tls compatibility