diff --git a/ChangeLog b/ChangeLog index 56d5c81f3..9584e9868 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,9 +3,10 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) PENDING: Branch-merge: v3.2.0-beta2 (#1055) - * export-p12: New command option 'legacy' + * export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de) + Fallback to encryption algorithm RC2_CBC or 3DES_CBC * export-p12: Always set 'friendlyName' to file-name-base (da9e594) - * Update OpenSSL to 3.2.0 + * Update OpenSSL to 3.2.0 (03e4829) Branch-merge: v3.2.0-beta1 (#1046) 2023/12/15 Commit: 7120876 diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 917cfca67..7b548a7f2 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -337,7 +337,8 @@ cmd_help() { * nokey - Do not include the private key in the PKCS12 output * nofn - Do not set 'freindlyName' For more, see: 'easyrsa help friendly' - * legacy - Use legacy mode of operation" + * legacy - Use legacy encryption algorithm RC2_CBC or 3DES_CBC + OpenSSL V3 ONLY: Default algorithm is AES-256-CBC" ;; friendly) text_only=1 @@ -3285,6 +3286,8 @@ Run easyrsa without commands for usage and command help." unset friendly_name ;; legacy) + [ "$openssl_v3" ] || \ + user_error "Option 'legacy' requires SSL version 3" legacy=-legacy ;; *) @@ -3401,6 +3404,9 @@ Missing User Certificate, expected at: p12) pkcs_out="$EASYRSA_PKI/private/$file_name_base.p12" + [ "$legacy" ] && \ + error_info="SSL library may not support -legacy mode" + # export the p12: easyrsa_openssl pkcs12 -export \ -in "$crt_in" \
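Review bot: In the cmd_help() hunk of easyrsa3/easyrsa, the new 'legacy' help text can be read as saying that AES-256-CBC is what 'legacy' selects. It also does not say that RC2_CBC/3DES_CBC give weaker protection for the exported private key than the default. I would separate the two statements, for example `* legacy - OpenSSL v3 only: encrypt with legacy RC2_CBC or 3DES_CBC` followed by `(weaker than the default AES-256-CBC; use only when the importing software cannot read AES)`. The help string starts outside the hunk.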
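Review bot: In the `legacy)` option branch, the new error text says "SSL version 3", which reads as the SSLv3 protocol rather than the OpenSSL 3.x library that the ChangeLog entry refers to. `user_error "Option 'legacy' requires OpenSSL version 3"` would avoid that confusion. The guard also relies on `$openssl_v3` already being populated when the options are parsed. That assignment is outside the hunk, so it is worth confirming the variable cannot still be empty here on an OpenSSL 3 install. The enclosing case statement starts and ends outside the hunk.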
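Review bot: In the `p12)` hunk, `error_info` appears to be consumed only when the export fails (its reader is outside the hunk), so a successful legacy export gives no sign that the .p12 is protected with RC2_CBC/3DES_CBC instead of AES-256-CBC. I would print a notice on this path through the script's existing warning helper, so the downgrade shows in the operator's output. The failure hint could also name the likely cause, e.g. `error_info="OpenSSL legacy provider may not be available for -legacy mode"`, since the earlier option check already requires OpenSSL 3. If `error_info` is a global, it may also need clearing after the pkcs12 call so it does not attach to a later, unrelated failure. The `p12)` branch continues outside the hunk.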