I have a web server that uses the ECDHE-RSA-AES256-GCM-SHA384 cipher suite. I noticed that when given the "(Pre)-master-secret log" file (generated by the browser), Wireshark is able to decrypt the traffic given the client random and master secret.
I was wondering how that is possible exactly? Or assuming that I have an encrypted HTTP response from the server, how would one decrypt the traffic given this information through the
openssl CLI command? I’m using the
LibreSSL version of
openssl, which supports encryption/decryption using
Example contents of the "Pre-master-secret" log file (generated by the browser):
CLIENT_RANDOM 8a16c5c231d0074f7d1652e66479d8ef90f3e4692c0ea12da51e342d8040c388 b5d95d11fca16b71cdf2a2999e445caff3b379795d18739b79cbae98edbe883e7a28a9ea13aac8902a143f43ab37cf0d
I am trying to understand if it’s possible to configure a private key size for the given curve.
openssl ecparam -name secp256k1 -genkey -----BEGIN EC PARAMETERS----- BgUrgQQACg== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MHQCAQEEIMda3jdFuTnGd2Y9s9lZiQJXKSpxBp6WQWcurn4FnYogoAcGBSuBBAAK oUQDQgAEI272v3lIoVkLZEbsJ/1l6Wfqbk8ZeybzzhtUN60EOhCRsR8rOLAIbbDl ncOT1vtzEj5NZxQEYdopFMb10CfccQ
Was trying to read openssl documentation to see how to configure the length of the private key but failed to find anything regarding it. Could you advise?
The OpenSSL v1.1.1 manual page for the
req command’s Configuration File Format options seems to be missing any mention about whether each option is mandatory or optional. The other OpenSSL command manual pages (
ts) that support configuration file usage do stipulate whether each configuration file option is mandatory or optional.
Does anyone know which
req configuration file options are mandatory and which are optional?
I’m trying to understand how OpenSSL parses its configuration file. In the sample configuration file that is installed with OpenSSL v1.1.1g, its seems to be divided into three main sections – the
[ ca ] section, the
[ req ] section, and the
[ tsa ] section (because of the lines that contain
############# ... that separate these sections). Inside the
[ ca ] and
[ req ] sections there are key/value pairs whose name is a command option and whose value "links" to another section in the configuration file. A good example is the
x509_extensions = usr_cert key/value pair in the
[ ca ] section.
I am under the impression that the OpenSSL config file is processed by the OpenSSL parser starting at the first line of the file and processing the next line in turn (please correct me if that’s not the case). Therefore, I would expect the
[ ca ] section’s
x509_extensions = usr_cert to be linked to a section of the config file that occurrs inside the
[ ca ] section. But it doesn’t – it links to the
[ usr_cert ] section that occurs inside the
[ req ] section, which is outside the
[ ca ] section.
So, what’s happening when the OpenSSL parser processes the configuration file? Is my visual perception of inside and outside wrong when I read the configuration file? Does the parser "call" the linked section, process its key/value pairs, then return parsing of the config file to the next line in the config file? If this is the case, wouldn’t it make it much easier to understand the structure of the config file if "links" to sections that pertained to the command whose section is being parsed were actually present within the command’s section?
I’m using OpenSSL v1.1.1g on a Windows 10 machine (I don’t know Linux – yet). Can Windows CMD/DOS commands be used in the OpenSSL configuration file or is the configuration file limited to the use of OpenSSL commands only? I assume the answer to this question is "No" since OpenSSL uses its own parser to process OpenSSL configuration files, but I’d like to have my assumption confirmed.
Does the OpenSSL
req command have a OpenSSL configuration file equivalent to the
new_certs_dir option? I’d like to establish a default directory for all Certificate Signing Requests ("CSRs") that are created using the
It’s my understanding that the OpenSSL v1.1.1g commands
req require sections to be present in an OpenSSL configuration file in order to operate. Are there any other OpenSSL v1.1.1g commands that require a section to be present in a configuration file in order to operate?
Some of my collegue give me 2 file of private key, one is encrypted and one passphrase. But it seems that’s the wrong passphrase.
Is it even possible to recover the pass phrase with the ecrypted and decrypted private key files?
I downloaded a revoked certificate from the website https://www.ssl.com/sample-valid-revoked-and-expired-ssl-tls-certificates/. Specifically, the revoked certificate of the site https://revoked-rsa-ev.ssl.com/.
To check the verification result in OpenSSL, I downloaded the CRL and ran the command :
openssl verify -untrusted 'SSL.com EV SSL Intermediate CA RSA R3.pem' -CRLfile SSLcom-SubCA-EV-SSL-RSA-4096-R3.crl.pem -show_chain revoked-rsa-ev.ssl.com.pem
However, instead of showing it as revoked, it successfully verifies the certificate. This is the output :
revoked-rsa-ev.ssl.com.pem: OK Chain: depth=0: C = US, ST = Texas, L = Houston, O = SSL Corp, serialNumber = NV20081614243, CN = revoked-rsa-ev.ssl.com, postalCode = 77098, businessCategory = Private Organization, street = 3100 Richmond Ave, jurisdictionST = Nevada, jurisdictionC = US (untrusted) depth=1: C = US, ST = Texas, L = Houston, O = SSL Corp, CN = SSL.com EV SSL Intermediate CA RSA R3 (untrusted) depth=2: C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority RSA R2
Have I used the incorrect command? Moreover, even Chrome shows the certificate as trusted but not Firefox. Why is this happening?
I’m trying to verify an S/MIME signed email with openssl (term tooling) but I’m having a problem. I have the mail and I can extract the chain of certificates but I’m failing at locating the actual signature of the email. I have the public key of the signer (the last certificate) and I have the plaintext, which I got with
openssl smime -verify -in <mail> -noverify -out mail_body.txt
If I understand correctly now I need the signature, decrypt it with the last certifier public key and check that with the hash of mail_body.txt but I can’t find the signature.