OpenSSL PBKDF2 Default Iterations

I’m digging into OpenSSL for quite a while to find a decent encryption method to double the security of some critical GnuPG already encrypted files.
The one I came up with that seemed to satisfy my confidentiality requirements is as follows:

aes () {
  openssl enc -aes-256-cbc -in $1 -out ${1}.aes -a -pbkdf2
}

Now, a friend of mine, whose crypto is a field of expertise, told me that the CBC mode was unsecure because of possible attacks, and that I should use GCM.
While searching on the subject, I also read this interesting thread which also rose the CBC vs GCM question, finally stating that the latter is not a silver bullet and that CBC used with HMAC would be a reasonable choice. Which suits me well as I actually use the -pbkdf2 parameter which seems to do just that.

Now on the subject, I read pretty much on every related post that the number of iterations done by the pbkdf2 function was critical, and could make a password discovery time much higher, and OpenSSL’s help says:

-pbkdf2
    Use PBKDF2 algorithm with default iteration count unless otherwise specified.

But not a world about this default iteration count.

I spent a ridiculous amount of time searching over the web and asking here and there only to read wrong answers. I finally RTFS, and found the answer in OpenSSL’s source code:

case OPT_ITER:
    if (!opt_int(opt_arg(), &iter))
        goto opthelp;
    pbkdf2 = 1;
    break;
case OPT_PBKDF2:
    pbkdf2 = 1;
    if (iter == 0)    /* do not overwrite a chosen value */
        iter = 10000;
    break;

So here we have it, openssl’s default pbkdf2 iterations value is 10000. You’re welcome.