Openssl Puns

So.. I've been working in IT for almost a decade now and in all these years I only met 1 single engineer who remembered openssl commands and flags from the top of his head.

Unlike many other commonly used Linux commands, the syntax for openssl seems extremely hard to remember for most. I was wondering if there is a logical explanation for this? Is this just lack of knowledge or is there something done wrong from the maintainers and creators of the package/application?

Personally, whenever I have to troubleshoot anything with openssl I have to spend at least 10 minutes researching how to do X or Y. Although I haven't had the need to do this often, every time I have to, I don't remember anything from it.

According to the man pages on the official website, the latest version still uses OpenSSL instead of a more modern alternative like LibreSSL. Is there a reason for that?

I know Ledger has all the instructions to verify that the ledger live download is genuine on their website, but correct me if I am wrong, if you are downloading a fake ledger live from a fake ledger.com, then surely all the keys on https://www.ledger.com/ledger-live/lld-signatures would be fake too to match the fake download and fool the user into thinking the download is genuine.

To mitigate against this risk, I want to get Ledger's public key from a 3rd party website like keybase.io and verify the download using that. However I was only able to find Nicolas Bacca's public pgp key from keybase.io and am trying to figure out how to verify the ledger live download using it.

Is there a way to use a pgp key to verify an openSSL signature? Is there another website where I can download ledger's openssl public key?

On a side note, say I did download a malicious ledger live application - what are the risks exactly? It wouldn't be able to extract my private key would it? What about sending false addresses to the device when receiving?

Changelog 2.6.1 - 2021-12-16

[NEW] Shortcuts to enable/disable AntiTracker and Custom DNS
[IMPROVED] New implementation for OpenVPN Multi-Hop
[IMPROVED] Improved VoiceOver (Accessibility) for the main screen
[IMPROVED] Minor UI improvements
[IMPROVED] OpenVPN and OpenSSL libraries upgraded to the latest version
[FIXED] Not possible to set DNS over HTTPS/TLS when AntiTracker is enabled

I have a client who uses SSL certificate to "sign" xml files.

They have a legacy generator they lost the source code to, and they want me to make them a new SSL generator. Their generator uses LUA files to generate the data, and the lua has a custom object, defined in the generator, which has a function named addValue which adds value which gets put in the X509v3.

Basically, they simply need to embed in an SSL certificate a short XML file (about 3 to 6 values), in the X509v3 extensions.

Whee viewing the text output of their current one, it shows up like this:

  Subject: C=US ST=NY, L= , O=[Client Name]/emailAddress=[email of client] , CN=[name of file]
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00:c8:14:10:89:f1:f8:d2:f0:9c:c9:ac:c2:90:4c:
                [... Redacted...]
                aa:c1:b9:ae:5b:8d:49:85:8c:53:d1:f2:ba:2f:1b:
                31:82:01:9a:8f:9a:ce:60:09:4c:95:a9:80:41:f2:
                95:f7
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        1.3.6.1.4.1.[REDACTED]:
           <?xml version="1.0"?>
<message>
  <property>
    <key>/Value1</key>
    <value>1</value>
  </property>
  <property>
    <key>/Value2</key>
    <value>this is text</value>
   </property>
</license>

Signature Algorithm: sha1WithRSAEncryption
     2c:70:e4:67:77:63:14:c1:11:8a:63:98:27:8a:83:b7:08:ef:
     [... Redacted...]
     6b:e8:7d:b5:db:6b:2d:45:09:3f:c3:df:7f:82:c6:0b:55:45:
     b9:af:17:d1

They also sign that certificate with their own CA, but I had to make a new one, since theirs is about to expire (the reason I was hired), and their system signs the SSL with their old cert.

Here what I get:

 X509v3 extensions:
        X509v3 Subject Key Identifier:
            A6:[REDACTED]:EA
        X509v3 Authority Key Identifier:
            keyid:A6:[REDACTED]:EA

        X509v3 Basic Constraints:
            CA:TRUE

I tried many methods, this one is made via PHP:

$dn = array(
"countryName" => "US",
"stateOrProvinceName" => "NY",
"localityName" => "New York",
"organizationName" => "[REDACTED]",
"organizationalUnitName" => "[REDACTED]",
"commonName" => "[REDA

I'm tyring to create an app. When i do

npx create-react-app .

I get the following:

OpenSSL configuration error:
804C0000:error:80000003:system library:BIO_new_file:No such process:c:\ws\deps\openssl\openssl\crypto\bio\bss_file.c:67:calling fopen(C:\Program Files\PostgreSQL\psqlODBC\etc\openssl.cnf, rb)
804C0000:error:10000080:BIO routines:BIO_new_file:no such file:c:\ws\deps\openssl\openssl\crypto\bio\bss_file.c:75:
804C0000:error:07000072:configuration file routines:def_load:no such file:c:\ws\deps\openssl\openssl\crypto\conf\conf_def.c:179:
OpenSSL configuration error:
FC320000:error:80000003:system library:BIO_new_file:No such process:c:\ws\deps\openssl\openssl\crypto\bio\bss_file.c:67:calling fopen(C:\Program Files\PostgreSQL\psqlODBC\etc\openssl.cnf, rb)
FC320000:error:10000080:BIO routines:BIO_new_file:no such file:c:\ws\deps\openssl\openssl\crypto\bio\bss_file.c:75:
FC320000:error:07000072:configuration file routines:def_load:no such file:c:\ws\deps\openssl\openssl\crypto\conf\conf_def.c:179:

I deleted all the postgresql folders and files but it still tries to search there. Why is it trying to find postgresql openssl? Thanks

Hello,

after installing Arco today i noticed that the helperscript.sh is using

until openssl s_client -ssl3 -connect :${port} <<< Q > /dev/null 2>&1; do

at line 20.
This won't work anymore and will make the defined timeout of 5m fall in place.
The openssl s_client doesn't support -ssl3 on version 1.1+ anymore, you will have to change the line to:

until openssl s_client -tls1_3 -connect :${port} <<< Q > /dev/null 2>&1; do

Have a great day.

Have a .dat wallet from my old android tablet for dogecoin, decrypted it using openssl but opening up the decrypted .dat file using hex editor, i only have the word 'salted' and nothing else?

Anyone else come across this issue? Below are the steps I took:

• Backed up my wallet on my android tablet (via the dogecoin app) and emailed the .dat wallet to my myself
• Downloaded the .dat file to my pc
• Loaded up openssl (version 1.1.1l)
• used the following cmd:

​

openssl enc -d -aes-256-cbc -md md5 -a -in <file> -out <file>

That gave me an error below:-

** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
12180:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto\evp\evp_enc.c:610: 

• so did some more research and then it was suggested i use this:-

​

openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -in <file> -out <file>

• This seemed to work as it asked for my password twice and there were no errors displayed after
• The new .dat/.txt file was generated but when i opened it up using a 'hex' editor or viewing it in VS code, the only word displayed is 'salted' and nothing else.

So was wondering if there was anything i did wrong or what can i do next to extract my 12 word phrases? I've read a number of threads and just going round in circles.. any help would be appreciated.

I am setting up my Splunk environment and don't remember much about encryption... it's been years since I had to deal with any of this. Why does this step #2 remove the password from the private key?

https://docs.splunk.com/Documentation/Splunk/8.2.3/Security/Getthird-partycertificatesforSplunkWeb

# Step 1

### generate the private key

`$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048`

# Step 2

### Removes the password

`$SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key`

I am trying to make a vaccine passport validation for my country using the ESP32 for my micro controller. I have gotten the std rust library to compile using (esp-rs)[https://github.com/esp-rs/rust], but the actual validation library that I use needs openssl which refuses to compile.

I have installed the espressif toolchain and set OPENSSL_DIR to where the openssl library provided by the toolchain is, but I keep getting:

error: failed to run custom build command for `openssl-sys v0.9.71`

Caused by:
  process didn't exit successfully: `/home/laspruca/Dev/easypass/target/debug/build/openssl-sys-20285031ce7326f2/build-script-main` (exit status: 101)
  --- stdout
  cargo:rustc-cfg=const_fn
  cargo:rerun-if-env-changed=XTENSA_ESP32_ESPIDF_OPENSSL_LIB_DIR
  XTENSA_ESP32_ESPIDF_OPENSSL_LIB_DIR unset
  cargo:rerun-if-env-changed=OPENSSL_LIB_DIR
  OPENSSL_LIB_DIR unset
  cargo:rerun-if-env-changed=XTENSA_ESP32_ESPIDF_OPENSSL_INCLUDE_DIR
  XTENSA_ESP32_ESPIDF_OPENSSL_INCLUDE_DIR unset
  cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR
  OPENSSL_INCLUDE_DIR unset
  cargo:rerun-if-env-changed=XTENSA_ESP32_ESPIDF_OPENSSL_DIR
  XTENSA_ESP32_ESPIDF_OPENSSL_DIR unset
  cargo:rerun-if-env-changed=OPENSSL_DIR
  OPENSSL_DIR = /home/laspruca/.espressif/esp-idf/components/openssl/

  --- stderr
  error[E0463]: can't find crate for `std`
    |
    = note: the `xtensa-esp32-espidf` target may not be installed
    = help: consider downloading the target with `rustup target add xtensa-esp32-espidf`
    = help: consider building the standard library from source with `cargo build -Zbuild-std`

  error: aborting due to previous error

  For more information about this error, try `rustc --explain E0463`.
  error[E0463]: can't find crate for `core`
    |
    = note: the `xtensa-esp32-espidf` target may not be installed
    = help: consider downloading the target with `rustup target add xtensa-esp32-espidf`
    = help: consider building the standard library from source with `cargo build -Zbuild-std`

  error: aborting due to previous error

  For more information about this error, try `rustc --explain E0463`.
  warning: autocfg could not probe for `std`
  thread 'main' panicked at 'OpenSSL library directory does not exist: /home/laspruca/.espressif/esp-idf/components/openssl/lib', /home/laspruca/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.71/build/main.rs:68:9
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed,

I am learning about hash functions and I just read about XOF (namely shake and cShake).

I will like to test this functions out by myself but I can't seem to find how to use it via the OpenSSL CLI or using a JavaScript library.

The JavaScript library I am using is https://github.com/paulmillr/noble-hashes but it does not seem to support XOF.

So how do I use XOF (SHAKE and cSHAKE) in openssl CLI and JavaScript?

Anyone else get this?

ERROR: The Python ssl extension was not compiled. Missing the OpenSSL lib?

I have pyenv installed via linuxbrew and tried various workarounds such as

CPPFLAGS="-I$(brew --prefix openssl)/include" LDFLAGS="-L$(brew --prefix openssl)/lib" pyenv install 3.10.0

to no avail.

I currently have 3.9.0 installed via pyenv and don't remember having this issue back then. I do remember some Windows update (latest in 10, haven't been offered 11 yet) messing up pyenv and needing to add some init commands back into my .zprofile.

Wondering if someone can interpret how the openssl implementation differs between centos7 and centos8? I'm looking for the 'engines' directory in centos8. In centos 7, it was‍ here: /usr/lib64/openssl/engines - I must be missing something really obvious? Using a standard/default install off the 8.2 ISO. Appreciate the help.

I installed League earlier today and it ran fine. It was refusing to open the client later today so I decided to reinstall it. Now, installing via Lutris as before, a different installation message pops up telling me that openssl needs to be installed first. First time I've ever seen that, and I've installed/reinstalled quite a few times.

I went down a large number of rabbit holes attempting to install it unsuccessfully, but then found this. That seemed straightforward so I tried it, but look what I get.

Essentially it's just a stuck loop with instructions on installing it, then how to check it, then informing me there's nothing there.

Any thoughts?

I've loaded up the securesocketclient example, and I'm seeing the error message from main "this system did not support TLS" and the application debug window is showing "qt network ask: no functional TLS backend was found". Clearly I'm missing something, has anyone configured qt on Windows 10 to use openssl and what did you do to get it working? Thanks

I am trying to compile Pennmush from source. The directive at Pennmush.org says that it is a requirement and takes at least 0.97 development libraries. At this point I have tried the make process with four different SSL libs (installing and removing each, going to earlier versions).

I always get the same error when compiling myssl.c:

myssl.c:447:5 error dereferencing pointer to incomplete type ‘DH {aka struct dh_st} dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL)’

I have tried to trace down the right data types in this struct and I am not sure where to go next.