Questions tagged [openssl]
OpenSSL is an open-source implementation of basic cryptographic primitives, X.509 certificate utilities, and SSL and TLS protocols.
1,317 questions
2 votes
1 answer
127 views
Extract CRT and KEY from signed PEM file without the openssl tool
Is there any way to extract a private key from a PEM file without the openssl tool on Windows? Windows MMC won't do the trick as I cannot export to PKCS#12 due to my work laptop security restrictions ...
2 votes
0 answers
21 views
OpenSSL salt option useless for file encryption? [duplicate]
Is the -salt option useful when you are doing file encryption? From what I understand, the salt protects from rainbow table attack, but such tables are used against passwords, which are usually 10-20-...
1 vote
1 answer
214 views
Trouble Extracting Hash from PKCS#8 Encrypted Private Key for Cracking - OpenSSH
I have an encrypted private key for OpenSSH that I need to crack the passphrase for. However, tools like ssh2john.py and openssl2john.py fail to parse the key. Here’s what I’ve tried so far: Key ...
1 vote
3 answers
122 views
Why does PEM Base64 created by `openssl pkey` not match the DER file passed in?
In experimenting with openssl on the Linux command line with elliptic curve secp256k1 I encountered a strange situation where on converting a DER private key file to PEM format using openssl pkey the ...
1 vote
0 answers
127 views
How do I get openssl s_client to output all information needed to analyze a TLS session in wireshark?
I'm trying to figure out why I'm seeing an ssl3_read_n:unexpected eof while reading:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/...
2 votes
0 answers
126 views
Does the Simplified Handshake in TLS 1.3 Increase Susceptibility to SSL/TLS Flood Attacks?
While analyzing the handshake process in TLS 1.3 and comparing it to TLS 1.2, I began to wonder if the simplified handshake structure in TLS 1.3 introduces new vulnerabilities. This concern is ...
1 vote
0 answers
100 views
Intermediate issuer field didn't match its CA subject field
While debugging yesterday's Cloudflare incident, I found out their intermediate certificate issuer field differs from its signing CA subject, despite the AKI/SKI being correct. Here's the relevant CA ...
0 votes
0 answers
311 views
OpenSSL "method" picking between TLS 1.2 and 1.3 [duplicate]
To summarize my question: How can a client support both TLS 1.2 and 1.3 ? I have looked at How browsers pick TLS... Which summarized is: if a client connects to a server, it negotiates the handshake ...
1 vote
0 answers
149 views
Why in this TLS handshake, the ClientHello, ServerHello, etc. are not piggybacked in the ACK packets? [closed]
In the TLS handshake, I noticed that key messages like ClientHello and ServerHello aren't piggybacked onto ACK packets and are instead sent as separate packets. From a networking perspective, this ...
0 votes
0 answers
38 views
Exfiltrated .rnd file exploitation
Context: During a CTF, as www-data, I managed to exfiltrate an .rnd file used by phpseclib on a PHP app (I exfiltrated the entire app). Since SSHD is configured with PubkeyAuthentication yes and ...
1 vote
0 answers
91 views
What should be optimal basis of choosing specific curve in OpenSSL Elliptic operations
While trying to generate SSL certificate using openssl ec and openssl ecparam utilities, I see a big list of elliptic curves as output of command `openssl ecparam -list_curves`. I'm confused which ...
4 votes
2 answers
581 views
Is missing SAN in certificate a security issue?
I am running testssl scan on an http port, after running the scan I got some errors highlighted in red. The main one that I noticed is that certificate does not have SAN. testssl output: ...
0 votes
0 answers
112 views
Subject alternative name missing from certificate signed by own CA [duplicate]
A while ago, I created self-signed certificates for my internal domains with openssl: openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -days 3650 -nodes -keyout mysite.eden.internal....
0 votes
1 answer
106 views
What Server Temp Key algorithms are allowed in each SECLEVEL?
I found that I can print information about the cipher suites allowed in each SECLEVEL with openssl ciphers -v -s -tls1_2 'EECDH+AESGCM @SECLEVEL=2' ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=...
0 votes
0 answers
105 views
Using the server hostname as a variable in openssl.cnf for the CN?
Is there a variable I can use to fill the openssl.cnf file with the Linux server hostname? I know you can use -subj fields, but I specifically want to prefill the openssl.cnf if possible as I can then ...