Is it possible to decrypt TLS traffic through OpenSSL?

I have a web server that uses the ECDHE-RSA-AES256-GCM-SHA384 cipher suite. I noticed that when given the "(Pre)-master-secret log" file (generated by the browser), Wireshark is able to decrypt the traffic given the client random and master secret.

I was wondering how that is possible exactly? Or assuming that I have an encrypted HTTP response from the server, how would one decrypt the traffic given this information through the openssl CLI command? I’m using the LibreSSL version of openssl, which supports encryption/decryption using aes-256-gcm.

Example contents of the "Pre-master-secret" log file (generated by the browser):

CLIENT_RANDOM 8a16c5c231d0074f7d1652e66479d8ef90f3e4692c0ea12da51e342d8040c388 b5d95d11fca16b71cdf2a2999e445caff3b379795d18739b79cbae98edbe883e7a28a9ea13aac8902a143f43ab37cf0d 

openssl: How to configure private key size for secp256k1

I am trying to understand if it’s possible to configure a private key size for the given curve.

openssl ecparam -name secp256k1 -genkey  -----BEGIN EC PARAMETERS----- BgUrgQQACg== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MHQCAQEEIMda3jdFuTnGd2Y9s9lZiQJXKSpxBp6WQWcurn4FnYogoAcGBSuBBAAK oUQDQgAEI272v3lIoVkLZEbsJ/1l6Wfqbk8ZeybzzhtUN60EOhCRsR8rOLAIbbDl ncOT1vtzEj5NZxQEYdopFMb10CfccQ 

Was trying to read openssl documentation to see how to configure the length of the private key but failed to find anything regarding it. Could you advise?

Optional/Mandatory Requirement For ‘req’ Command Configuration File Options Missing In OpenSSL v1.1.1g Manual Pages?

The OpenSSL v1.1.1 manual page for the req command’s Configuration File Format options seems to be missing any mention about whether each option is mandatory or optional. The other OpenSSL command manual pages (ca and ts) that support configuration file usage do stipulate whether each configuration file option is mandatory or optional.

Does anyone know which req configuration file options are mandatory and which are optional?

How Is The OpenSSL Configuration File Parsed?

I’m trying to understand how OpenSSL parses its configuration file. In the sample configuration file that is installed with OpenSSL v1.1.1g, its seems to be divided into three main sections – the [ ca ] section, the [ req ] section, and the [ tsa ] section (because of the lines that contain ############# ... that separate these sections). Inside the [ ca ] and [ req ] sections there are key/value pairs whose name is a command option and whose value "links" to another section in the configuration file. A good example is the x509_extensions = usr_cert key/value pair in the [ ca ] section.

I am under the impression that the OpenSSL config file is processed by the OpenSSL parser starting at the first line of the file and processing the next line in turn (please correct me if that’s not the case). Therefore, I would expect the [ ca ] section’s x509_extensions = usr_cert to be linked to a section of the config file that occurrs inside the [ ca ] section. But it doesn’t – it links to the [ usr_cert ] section that occurs inside the [ req ] section, which is outside the [ ca ] section.

So, what’s happening when the OpenSSL parser processes the configuration file? Is my visual perception of inside and outside wrong when I read the configuration file? Does the parser "call" the linked section, process its key/value pairs, then return parsing of the config file to the next line in the config file? If this is the case, wouldn’t it make it much easier to understand the structure of the config file if "links" to sections that pertained to the command whose section is being parsed were actually present within the command’s section?

Can Windows CMD/DOS Commands Be Used In An OpenSSL Configuration File On Windows 10? [migrated]

I’m using OpenSSL v1.1.1g on a Windows 10 machine (I don’t know Linux – yet). Can Windows CMD/DOS commands be used in the OpenSSL configuration file or is the configuration file limited to the use of OpenSSL commands only? I assume the answer to this question is "No" since OpenSSL uses its own parser to process OpenSSL configuration files, but I’d like to have my assumption confirmed.

openSSL shows a revoked certificate as secure

I downloaded a revoked certificate from the website https://www.ssl.com/sample-valid-revoked-and-expired-ssl-tls-certificates/. Specifically, the revoked certificate of the site https://revoked-rsa-ev.ssl.com/.

To check the verification result in OpenSSL, I downloaded the CRL and ran the command :

openssl verify -untrusted 'SSL.com EV SSL Intermediate CA RSA R3.pem' -CRLfile SSLcom-SubCA-EV-SSL-RSA-4096-R3.crl.pem -show_chain revoked-rsa-ev.ssl.com.pem

However, instead of showing it as revoked, it successfully verifies the certificate. This is the output :

revoked-rsa-ev.ssl.com.pem: OK Chain: depth=0: C = US, ST = Texas, L = Houston, O = SSL Corp, serialNumber = NV20081614243, CN = revoked-rsa-ev.ssl.com, postalCode = 77098, businessCategory = Private Organization, street = 3100 Richmond Ave, jurisdictionST = Nevada, jurisdictionC = US (untrusted) depth=1: C = US, ST = Texas, L = Houston, O = SSL Corp, CN = SSL.com EV SSL Intermediate CA RSA R3 (untrusted) depth=2: C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority RSA R2 

Have I used the incorrect command? Moreover, even Chrome shows the certificate as trusted but not Firefox. Why is this happening?

Verifying S/MIME mail with openssl

I’m trying to verify an S/MIME signed email with openssl (term tooling) but I’m having a problem. I have the mail and I can extract the chain of certificates but I’m failing at locating the actual signature of the email. I have the public key of the signer (the last certificate) and I have the plaintext, which I got with

openssl smime -verify -in <mail> -noverify -out mail_body.txt 

If I understand correctly now I need the signature, decrypt it with the last certifier public key and check that with the hash of mail_body.txt but I can’t find the signature.