 | Lars Fosdal on Security alarm provider Woonve… |
 | Thomas Mueller on Question got closed in May 202… |
 | Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
Posted by jpluimers on 2015/03/16
Hmm, I missed this earlier. So: watch your TLS stack (OpenSSL and others), then
Patch soon and be careful.
After that read A Few Thoughts on Cryptographic Engineering: Attack of the week: FREAK (or ‘factoring the NSA for fun and profit’).
Thanks Kristian Köhntopp for sharing.
–jeroen
Posted in OpenSSL, Power User, Security | Leave a Comment »
Posted by jpluimers on 2015/03/10
Stuff I found out myself:
Some links I found useful: Read the rest of this entry »
Posted in Delphi, Development, OpenSSL, Power User, Security, Software Development | 3 Comments »
Posted by jpluimers on 2015/03/05
If you are running OpenSSL as a regular user, or cannot perform “RunAs Administrator”, and you get this error message:
unable to write 'random state'
then make sure you have set your environment variables correctly before running OpenSSL:
RANDFILE=%LOCALAPPDATA%\.rnd
A full batch file front-end for OpenSSL.exe is this one:
Posted in Batch-Files, Development, OpenSSL, Power User, Scripting, Security, Software Development, Windows | Leave a Comment »
Posted by jpluimers on 2015/02/27
OpenSSL is really nice, but remembering all these command-line switches is difficult, especially when you do not use them often enough.
I don’t, and when I do there are a few common tasks I perform, and I was glad to find a few links with great information:
I’ve converted them to batch files that run fine when copied to the directory where you put the x86 or x64 Windows version of OpenSSL (they assume %~dp0openssl.exe for the location of the OpenSSL.exe binary, just in case it is not on the path, or you have various tools that scattered around incompatible copies of OpenSSL binaries).
OpenSSL defaults to PEM format (that has text base64 strings), so if you get DER format (binary) you need to convert them.
Error decrypting PKCS#7 structure
5216:error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificate:.\crypto\pkcs7\pk7_doit.c:538:
5216:error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error:.\crypto\pkcs7\pk7_smime.c:557:
This error means that the recipient of the email does not match the certificate you pass in. What happens is that OpenSSL tries to decrypt the mail, it cannot match the certificate to the mail, and barfs. It usually happens when you have From/To reversed by accident.
Error decrypting PKCS#7 structure
4948:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:.\crypto\x509\x509_cmp.c:330:
4948:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does not match certificate:.\crypto\pkcs7\pk7_smime.c:552:
This means somewhere you mixed up a private and public key in the certificate files.
Use something like the OpenSSL wrapper verify-private-key-matches-certificate-x509-pem-cer.bat to verify them.
Error reading S/MIME message
6900:error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data:.\crypto\asn1\a_d2i_fp.c:251:
6900:error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error:.\crypto\asn1\asn_mime.c:193:
6900:error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error:.\crypto\asn1\asn_mime.c:528:
OpenSSL does not like .EML files to end with a period (. which SMTP needs to process when sending an .EML file).
See https://gist.github.com/anonymous/7233372 and https://gist.github.com/anonymous/7233329
The former throws this error, the latter not. This is not caused the width of the base64 encoding (not yet archived at the WayBack machine), which I initially thought, but the terminating period.
Verification failure
8228:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:.\crypto\pkcs7\pk7_smime.c:342:Verify error:self signed certificate in certificate chai
n
–jeroen
Posted in base64, Development, Encoding, MIME, OpenSSL, Power User, Security, Software Development, Windows, Windows 7, Windows 8, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP | Leave a Comment »
Posted by jpluimers on 2015/02/20
The quickest way to get Win64 and Win32 binary builds of the youngest OpenSSL, you should get them from Shining Light Productions – Win32 OpenSSL.
Despite the link name, you can get the Win64 binaries from there too..
Besides binaries, they also have the source to build them from, and any other redistributable you’d need.
They run on virtually any Windows version, though I only used them on NT based Windows versions of XP/2003 and younger.
Two notes:
–jeroen
via: Shining Light Productions – Win32 OpenSSL.
Posted in OpenSSL, Power User, Security, Windows, Windows 7, Windows 8, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP | 1 Comment »
Posted by jpluimers on 2014/11/07
Great! And it is open source at https://github.com/google/nogotofail:
The Android Security Team has built a tool, called nogotofail, that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet.
There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy.
–jeroen
via Google Online Security Blog: Introducing nogotofail—a network traffic security testing tool.
Posted in *nix, Android Devices, Chrome, Google, iOS, Mac OS X / OS X / MacOS, OpenSSL, Power User, Security, Windows | Leave a Comment »
Posted by jpluimers on 2014/08/22
openssl s_client -connect localhost:443
I don’t have a Linux machine here, but this might work too:
gnutls www.somesite
And note that when using telnet, the hostnames must match:
$ openssl s_client -connect XXX.XX.XX.XXX:443
... connection information will be displayed …
GET / HTTP/1.1
host: XXX.XX.XX.XXXor
$ openssl s_client -connect www.example.com:443
... connection information will be displayed …
GET / HTTP/1.1
host: www.example.comDon’t MIX
Now I need to research how it works with a proxy… simulate a “connect http/1.1 443” proxy – Google Search.
–jeroen
via:
Posted in OpenSSL, Power User, Security, Windows, Windows-Http-Proxy | Leave a Comment »
Posted by jpluimers on 2014/04/21
Thanks Kristian Köhntopp for sharing a link to Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection | Danimo’s blog.
–jeroen
Posted in OpenSSL, Power User, Security | Leave a Comment »
Posted by jpluimers on 2014/04/15
Yesterday WinSCP 5.5.3 got released. Among other fixes, the most imporant one is this:
They upgraded to OpenSSL 1.0.1g, so the infamous Heartbleed vulnerability is solved.
–jeroen
via: WinSCP :: Free SFTP and FTP client for Windows.
Posted in OpenSSL, Power User, Security | Leave a Comment »
Posted by jpluimers on 2014/04/15
As a continuation of More OpenSSL and certificate things (in the aftermath of Heartbleed): on resetting passwords.
On other news:
–jeroen
Posted in OpenSSL, Power User, Security | Leave a Comment »
The Wiert Corner - irregular stream of stuff 