Default cipher that OpenSSL used to encrypt a PEM file



Tags : openssl cipher

Having generated couple of PEM files with OpenSSL for testing and writing tutorial purpose. Sometimes I wonder if OpenSSL has a default cipher selected just in case there is no cipher given as parameter.

For example, running this command below

 openssl req -x509 -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

will prompt me for password to be used for encrypting the key.pem files... but with which type of encryption cipher ?

One way to find out is to look into the generated key.pem file.

more key.pem

 -----BEGIN RSA PRIVATE KEY----- 
 Proc-Type: 4,ENCRYPTED 
 DEK-Info: DES-EDE3-CBC,D00B327DC8F6FEF4

From the information, it seems that the default cipher is DES-EDE3-CBC and this is confirmed to be true after digging through the OpenSSL's source code at https://github.com/openssl/openssl/blob/master/apps/req.c

line 198 to 199 :

 #ifndef OPENSSL_NO_DES
 cipher=EVP_des_ede3_cbc(); 

Depending on what you are trying to achieve... you can change the encryption cipher by processing the key.pem file and produce a new file encrypted with different cipher.

For example :

 openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -out aes256key.pem

will produce a AES-256 encrypted pem file. (See more examples at https://www.openssl.org/docs/apps/pkcs8.html)

  See also : nginx: [emerg] unknown directive "ssl"



Tags : openssl cipher

By Adam Ng

IF you gain some knowledge or the information here solved your programming problem. Please consider donating to the less fortunate or some charities that you like. Apart from donation, planting trees, volunteering or reducing your carbon footprint will be great too.


Advertisement