Posted by jpluimers on 2016/12/30
When you ship OpenSSL DLLs, you should provide an update mechanism outside of your regular product cycle that updates them shortly after vulnerabilities are fixed.
Few if any products do that. So I made an overview of products and the OpenSSL DLL versions they had installed on various systems of mine.
I’m a developer, so the list is biased towards tools I use often.
All of them are vulnerable: [WayBack] https://www.openssl.org/news/vulnerabilities.html
1.0.2h by ContinuaCI 1.8.1.185 PostgreSQL and Avast 12.3
1.0.2.g by SourceTree 1.9.x embedded git_local
1.0.2d by Git for Windows 2.6.1
1.0.2a by SQLite browser 3.7.0
1.0.1m by Delphi 10.0 Seattle
1.0.1l by Ruby 2.3
1.0.1f by SlikSvn 1.8.5
1.0.1g by Delphi XE8, Delphi XE7, VMware Workstation OVF tool and Adobe Creative Cloud 2.8.1
1.0.0g by Delphi XE6, Delphi XE5, Delphi XE4, Delphi XE3, Appmethod 1.13 and CollabNet SVN Client 1.7.5
1.0.0d by MarkdownPad 2
1.0.0 by FinalBuilder 7 XE2 and FinalBuilder 7 EE
0.9.8za by VMware Remote Console Plug-in 5.1 and VMware Virtual Infrastructure Client 5.1
0.9.8y by VMware VIX Workstation 10
0.9.8t by Veeam Backup and Replication
0.9.8r by ContinuaCI 1.8.1.185 hg support, VMware VIX and VMware Workstation 8.0.2
0.9.8q by Veeam Backup Transport, Veeam Backup and Replication, xampp 1.7.4 and VMware Virtual Infrastructure Client 5.0
0.9.8o by xampp 1.7.4
0.9.8l by xampp 1.7.4
0.9.8n by Delphi XE2, Delphi XE and VMware VIX Workstation 7.1.0
0.9.8m by VMware VMRC Plug-in, VMware VIX and VMware Workstation 8.0.2
0.9.8i by VMware Virtual Infrastructure Client 4.1
0.9.8d by Database Workbench Pro 4.4.3, Database Workbench Pro 5.2.4 and VMware vSphere CLI Perl
0.9.8b by Adobe Creative Suite 5
0.9.7m by VMware VIX server 1.0.9
0.9.7l by VMware VIX VIServer 2
N/A by Adobe Creative Suite 5 and VMware VIX server 1
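Auditing a list like the one above by hand is error prone because OpenSSL's pre-1.1 version scheme sorts by patch letters ("0.9.8za" is newer than "0.9.8z", which is newer than "0.9.8y"). The following is an added example, not code from the post: it parses that scheme, compares each product's bundled DLL against a per-branch reference release, and reports which ones lag behind. The inventory is a subset of the list above; the REFERENCE_VERSIONS are assumed placeholders for the example and must be replaced with the real current releases from openssl.org when the audit is run.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# OpenSSL's pre-1.1.0 numbering: MAJOR.MINOR.FIX plus an optional run of
# lower-case patch letters. Security releases only advance the letters
# (1.0.2g -> 1.0.2h), and after "z" the sequence continues "za", "zb", ...
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    letters: str

    @property
    def branch(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.fix)

    def sort_key(self):
        # Letter-run length first, so "za" ranks above "z" and "y"; then alphabetical.
        return (self.major, self.minor, self.fix, len(self.letters), self.letters)


def parse_version(text: str) -> Optional[OpenSSLVersion]:
    """Parse '1.0.2h' or '0.9.8za'; returns None for anything else (e.g. 'N/A')."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


# Product -> bundled DLL version, a subset of the list in the post.
INVENTORY = [
    ("Avast 12.3", "1.0.2h"),
    ("Git for Windows 2.6.1", "1.0.2d"),
    ("Ruby 2.3", "1.0.1l"),
    ("MarkdownPad 2", "1.0.0d"),
    ("VMware Workstation 8.0.2", "0.9.8r"),
    ("Adobe Creative Suite 5", "N/A"),
]

# Latest release per branch. ASSUMED placeholder values for this example only:
# take the real ones from the OpenSSL changelog whenever you run the audit.
REFERENCE_VERSIONS = ["1.0.2h", "1.0.1t", "1.0.0t", "0.9.8zh"]


def audit(inventory, reference_versions) -> List[Tuple[str, str, str]]:
    """Return (product, version, verdict) per entry. Verdicts: 'current',
    'outdated' (older than the branch's reference release), 'unknown-branch'
    (no reference for that branch) or 'unparseable' (e.g. 'N/A')."""
    latest = {}
    for text in reference_versions:
        ref = parse_version(text)
        if ref is not None:
            latest[ref.branch] = ref
    report = []
    for product, text in inventory:
        v = parse_version(text)
        if v is None:
            verdict = "unparseable"
        elif v.branch not in latest:
            verdict = "unknown-branch"
        elif v.sort_key() < latest[v.branch].sort_key():
            verdict = "outdated"
        else:
            verdict = "current"
        report.append((product, text, verdict))
    return report


def products_needing_attention(inventory=INVENTORY, reference_versions=REFERENCE_VERSIONS) -> List[str]:
    """Everything that is not demonstrably current, including entries we could not parse."""
    return [p for p, _, verdict in audit(inventory, reference_versions) if verdict != "current"]


if __name__ == "__main__":
    for product, version, verdict in audit(INVENTORY, REFERENCE_VERSIONS):
        print(f"{verdict:14} {version:8} {product}")
```

Unparseable entries are deliberately reported rather than skipped: a DLL whose version string cannot be read (or an "N/A") is exactly the one that needs a closer look.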
–jeroen
via: [WayBack] Does Delphi installer install OpenSSL dll’s?
PS: some Software Archaeology related links are below in the comments.
Posted by jpluimers on 2016/10/24
This Plain Text Offenders site lists email screenshots of organisations sending back plain-text passwords they kept on file (according to Robert Love, Idera/Embarcadero should be on the list as well).
It is one of the most horrible things that can be done with a password.
Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains: the ones that are so broken that they degraded their https to virtually plain-text http quality.
A notorious example of this was Embarcadero, who in the past managed to get an F rating or had wrong configurations on the domains below, thereby preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):
Posted by jpluimers on 2016/08/29
The canonical answer on extensions and formats like csr, pem, key, pkcs12, pfx, p12, der, cet, cer, crt, p7b, crl, PEM, PKCS7, PKCS12, PKCS10, DER, text, binary, ASN1: certificate – What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? – Server Fault.
Oh and it contains some openssl conversion tips as well, though this link has more: DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them.
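The core of the PEM-versus-DER distinction is small enough to show in code: DER is the raw ASN.1 byte encoding of one object, PEM is base64 of those bytes between "-----BEGIN label-----" and "-----END label-----" lines, and one PEM file may carry several objects (a certificate chain). The following is an added example, not code from either linked answer: it converts in both directions, sniffs which encoding a blob is in by checking the outer DER length header, and round-trips a chain. The sample DER is a constructed SEQUENCE of two INTEGERs standing in for a real certificate body, which also begins with the SEQUENCE tag 0x30 but is far longer.

```python
import base64
import re
from typing import List, Optional, Tuple

# A PEM file is one or more base64 "armour" blocks; the label says what the DER
# bytes inside are (CERTIFICATE, PRIVATE KEY, CERTIFICATE REQUEST, X509 CRL, ...).
_PEM_BLOCK_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_to_der(pem: bytes) -> List[Tuple[str, bytes]]:
    """Decode every armoured block in a PEM file into (label, DER bytes).
    A PEM file may hold several objects; a DER file holds exactly one."""
    blocks = []
    for m in _PEM_BLOCK_RE.finditer(pem):
        label = m.group(1).decode("ascii")
        body = b"".join(m.group(2).split())  # drop the 64-column line breaks
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def der_to_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour, 64 base64 characters per line as OpenSSL writes it."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode("ascii")
    return b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines) + b"\n-----END " + tag + b"-----\n"


def der_object_length(data: bytes) -> Optional[int]:
    """Total length (tag + length + value) of the outer DER TLV, or None if the
    header is malformed or promises more bytes than are present. Handles the
    short form (< 0x80) and the definite long form (0x81..0x84 + length bytes);
    DER forbids the indefinite form, so 0x80 is rejected."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:
        header, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    total = header + length
    return total if total <= len(data) else None


def sniff(data: bytes) -> str:
    """'PEM' for armoured text, 'DER' for a complete outer SEQUENCE, else 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30" and der_object_length(data) == len(data):
        return "DER"
    return "unknown"


# Constructed stand-ins: SEQUENCE { INTEGER 5, INTEGER 7 } and SEQUENCE { INTEGER 9 }.
SAMPLE_DER = bytes.fromhex("3006020105020107")
SAMPLE_DER_2 = bytes.fromhex("3003020109")
SAMPLE_CHAIN_PEM = der_to_pem("CERTIFICATE", SAMPLE_DER) + der_to_pem("CERTIFICATE", SAMPLE_DER_2)


if __name__ == "__main__":
    print(SAMPLE_CHAIN_PEM.decode())
    for label, der in pem_to_der(SAMPLE_CHAIN_PEM):
        print(label, der.hex(), sniff(der))
```

The length check in sniff() is what distinguishes a DER file from arbitrary binary that happens to start with 0x30: a truncated download fails it, which is a more useful signal than a file extension, since .cer/.crt files are found in both encodings.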
–jeroen
Posted by jpluimers on 2016/08/26
There are quite a few pages on Webserver Cypher Hardening. This is yet another one born because I didn’t know how to compare these lists and why they were so different.
Apparently, OpenSSL has various ways of naming (groups of) cyphers. OpenSSL also silently disregards any cyphers it doesn’t have.
Basically there are two extremes for cypher lists:
Fully name all cyphers in the order you want: a long list with fine-grained control.
Name groups, including the group order, and let OpenSSL expand the groups: a short list with coarse-grained control.
A way to compare them using openssl ciphers -V is answered at ssl – Hardening web server cyphers: which cypher list to choose, or how to map between Mozilla and Hynek – Server Fault.
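Running openssl ciphers -V 'SPEC' for each candidate list gives the expanded suites as OpenSSL actually understands them, which is the only fair way to compare a long explicit list with a short group list. The following is an added example, not from the post or the linked answer: it parses that -V output, reports which suites each list has that the other lacks and whether the suites they share come out in the same order, and flags suites a hardening list should not contain. The two samples are constructed in the -V output format; SAMPLE_B is a trimmed stand-in for what a group expression such as 'ECDHE+AESGCM:RC4-SHA' expands to, and its ordering (256-bit before 128-bit, ECDSA interleaved) is precisely the kind of difference a group list hides.

```python
import re
from typing import Dict, List

# Constructed samples in the format `openssl ciphers -V` prints:
#   id (two bytes) - name  protocol  Kx=  Au=  Enc=  Mac=
# SAMPLE_A stands for a fully enumerated list, SAMPLE_B for OpenSSL's expansion
# of a group spec, trimmed to a few rows.
SAMPLE_A = """\
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""
SAMPLE_B = """\
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
          0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

_ROW_RE = re.compile(
    r"^\s*(0x[0-9A-F]{2},0x[0-9A-F]{2})\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)
_FIELDS = ("id", "name", "proto", "kx", "au", "enc", "mac")


def parse_ciphers_v(output: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -V` output into one dict per suite, preserving order."""
    suites = []
    for line in output.splitlines():
        m = _ROW_RE.match(line)
        if m:
            suites.append(dict(zip(_FIELDS, m.groups())))
    return suites


def compare_lists(a: List[Dict[str, str]], b: List[Dict[str, str]]) -> Dict[str, object]:
    """Membership differences plus whether the shared suites keep the same relative order."""
    names_a = [s["name"] for s in a]
    names_b = [s["name"] for s in b]
    set_a, set_b = set(names_a), set(names_b)
    common_a = [n for n in names_a if n in set_b]
    common_b = [n for n in names_b if n in set_a]
    return {
        "only_in_a": [n for n in names_a if n not in set_b],
        "only_in_b": [n for n in names_b if n not in set_a],
        "same_order": common_a == common_b,
    }


# Encryption families a hardened list should not offer (NULL, export/legacy ciphers).
WEAK_ENC_PREFIXES = ("None", "RC4", "RC2", "DES", "3DES", "IDEA", "SEED")


def weak_suites(suites: List[Dict[str, str]]) -> List[str]:
    """Names of suites with anonymous key exchange, a weak/NULL cipher, or an MD5 MAC."""
    return [
        s["name"] for s in suites
        if s["au"] == "None" or s["enc"].startswith(WEAK_ENC_PREFIXES) or s["mac"] == "MD5"
    ]


if __name__ == "__main__":
    a, b = parse_ciphers_v(SAMPLE_A), parse_ciphers_v(SAMPLE_B)
    print(compare_lists(a, b))
    print("weak in B:", weak_suites(b))
```

To feed it real data, capture openssl ciphers -V 'SPEC' for each list into a string and pass it to parse_ciphers_v(); because the parser ignores lines that do not match, it copes with the blank or error lines OpenSSL prints when a spec contains names it does not know.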
Some of the cypher lists I found:
I found two great SSL tests. The first one is online, the second one runs from the shell.
SSL Labs:
shell based SSL/TLS tester: testssl.sh.
–jeroen
Posted by jpluimers on 2016/08/17
A while ago, testssl.sh [WayBack] needed Darwin binaries (for OS X): Supply Darwin binaries + install documentation · Issue #127 · drwetter/testssl.sh [WayBack]
So I created the small Bourne shell (sh) script below to deliver them.
It allows me to update these gists:
The build script itself is in a gist as well: https://gist.github.com/f4de3937630b87753133.git [WayBack]
It helped me contribute to these testssl.sh issues:
Not all of these binaries are in https://github.com/drwetter/testssl.sh/tree/master/bin [WayBack], because they would make the testssl.sh repository too bloated. Some (including non-OSX builds made by others) are here:
Eventually the script might get merged into https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh [WayBack], as there is a Darwin switch in this commit: https://github.com/drwetter/testssl.sh/commit/6efc3e90f52e5926b0853d3b2fb221b631dcf452 [WayBack]
Posted by jpluimers on 2016/07/25
Interesting:
just for completeness:
testssl.sh is a nice, console-based tool to check ssl-setups of any ssl/tls-enabled servers, as opposed to ssllabs
It helped me solve this:
Host: http://www.beginend.net
Reason: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Within the testssl.sh directory, you can use this to test with many cyphers:
OPENSSL=./openssl-bins/openssl-1.0.2-chacha.pm/openssl32-1.0.2pm-krb5.chacha+poly ./testssl.sh www.example.com
–jeroen
via
Posted by jpluimers on 2016/07/20
Great explanation of Diffie-Hellman Key Exchange – YouTube.
It is based on mixing colors, with some of the colors in the mix being private.
Brilliant!
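The colour analogy maps directly onto modular exponentiation: the shared "common paint" is the public pair (p, g), mixing in a private colour is raising to a private exponent mod p, and the reason an observer cannot un-mix is the discrete-logarithm problem. The following is an added example (not from the video or the post) that carries the analogy through in code with a textbook-sized group (p = 23, g = 5) so every intermediate value can be checked by hand; it also shows why such a tiny group is useless in practice, because trial search recovers a private exponent instantly.

```python
import secrets

# Toy parameters so the numbers are readable by hand; a real exchange uses a
# 2048-bit or larger safe prime such as the RFC 7919 groups.
P = 23  # the "common paint": public prime modulus
G = 5   # the public generator


def mix(base: int, secret: int, p: int = P) -> int:
    """One 'mix in my private colour' step: base^secret mod p. Mixing is cheap;
    recovering `secret` from the result is the discrete-logarithm problem."""
    return pow(base, secret, p)


def random_private(p: int = P) -> int:
    """A private exponent in [2, p-2] from the OS CSPRNG (never a plain PRNG)."""
    return 2 + secrets.randbelow(p - 3)


def dh_exchange(a_private: int, b_private: int, p: int = P, g: int = G):
    """Run both sides. Returns (A, B, shared_at_a, shared_at_b); only A and B
    cross the wire, and the two shared values must agree."""
    a_public = mix(g, a_private, p)             # Alice: common paint + her colour
    b_public = mix(g, b_private, p)             # Bob: common paint + his colour
    shared_at_a = mix(b_public, a_private, p)   # Alice adds her colour to Bob's mix
    shared_at_b = mix(a_public, b_private, p)   # Bob adds his colour to Alice's mix
    return a_public, b_public, shared_at_a, shared_at_b


def brute_force_discrete_log(public: int, p: int = P, g: int = G):
    """What un-mixing would take: find x with g^x mod p == public by trial.
    Instant for p = 23, infeasible for real-sized p, which is the whole point."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    A, B, s_a, s_b = dh_exchange(6, 15)   # the classic textbook values
    print(f"A={A} B={B} shared={s_a} (Bob computes {s_b})")
    a, b = random_private(), random_private()
    print("random run agrees:", dh_exchange(a, b)[2] == dh_exchange(a, b)[3])
```

Note what the exchange does not give you: both parties know they share a secret, but neither knows with whom. That is why TLS signs the DH values (authenticated key exchange) and why the "Defeating SSL" talks further down this page matter.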
–jeroen
Posted by jpluimers on 2016/07/11
Still relevant after a few years: DEFCON 17: More Tricks For Defeating SSL – YouTube.
I landed there after trying to find out how to verify that the Internic root server file is actually published by Internic (authentication): Ways to sign gpg public key so it is trusted? – Information Security Stack Exchange.
I remember reading his “if you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom” post (Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle), but never noticed his videos.
It is still relevant as there are lots of implementations still vulnerable to these kinds of attacks.
Many more of his blog entries are interesting as well:
Posted by jpluimers on 2015/11/27
It feels like yesterday, but haxpo2015ams was already six months ago!
Session materials index:
–jeroen