The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,953 other followers

Archive for the ‘PKI’ Category

DEFCON 17: More Tricks For Defeating SSL – YouTube

Posted by jpluimers on 2016/07/11

Still relevant after a few years: DEFCON 17: More Tricks For Defeating SSL – YouTube.

I landed there after trying to find out how to verify the Internic root server file is actually pubished by Internic via authentication – Ways to sign gpg public key so it is trusted? – Information Security Stack Exchange.

I remember reading his “if you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom” post (Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle), but never noticed his videos.

It is still relevant as there are lots of implementations still vulnerable to these kinds of attacks.

Many more of his blog entries are interesting as well:

Read the rest of this entry »

Posted in Encryption, Hashing, https, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Signing | Leave a Comment »

Index of /materials/haxpo2015ams

Posted by jpluimers on 2015/11/27

It feels like yesterday, but haxpo2015ams was already six months ago!

Session materials index:

Index of /materials/haxpo2015ams

[ICO] Name Last modified Size Description

[PARENTDIR] Parent Directory
[ ] D1 – Frank Breedijk – Help my Security Officer is Allergic to DevOps.pdf 2015-05-28 07:19 6.7M
[ ] D1 – Lisha Sterling – Hacking Humanitarian Project for Fun and Profit.pdf 2015-05-27 18:27 6.1M
[ ] D1 – Marc Newlin – ReDECTed.pdf 2015-05-27 16:56 1.7M
[ ] D1 – P. Mason, K. Flemming A. Gill – All Your Hostnames Are Belong to Us.pdf 2015-05-27 16:03 2.8M
[ ] D1 – Wouter van Rooij – Future Privacy.pdf 2015-05-27 16:16 715K
[ ] D2 – Bob Baxley – Privacy and Security in the Internet of Things.pdf 2015-05-28 17:00 7.1M
[ ] D2 – Edwin Sturrus – Data Security and Privacy in the Age of Cloud.pdf 2015-05-28 15:24 1.2M
[ ] D2 – Jessica Maes – Privacy in Digital Society.pdf 2015-05-28 12:18 4.1M
[ ] D2 – Jimmy Shah – BYOD is Now BYOT – Current Trends in Mobile APT.pdf 2015-05-28 15:55 3.6M
[ ] D3 – Jaya Baloo – Crypto is Dead Long Live Crypto.pdf 2015-05-29 17:17 4.4M
[ ] D3 – Jeroen van der Ham – Responsible Disclosure in The Netherlands.pdf 2015-05-29 16:37 1.7M
[ ] D3 – Oliver Matula and Christopher Scheuring – Evaluating the APT App Armor.pdf 2015-05-29 11:55 3.9M
[ ] D3 – R. Schaefer and J. Salazar – Pentesting in the Age of IPv6.pdf 2015-05-29 16:22 1.8M
[ ] D3 – Ruben van Vreeland – New Attack Vectors for Exploiting Web Platforms.pdf 2015-05-29 11:55 816K
[ ] HAXPO HIGHLIGHT – Andrew Tanenbaum – MINIX3.pdf 2015-05-28 15:19 9.2M
[ ] HAXPO HIGHLIGHT – Eleanor Saitta – Designing Security Outcomes.pdf 2015-05-29 15:15 1.4M
[ ] HAXPO HIGHLIGHT – Reuben Paul – The A-to-Z of CyberSecurity.pdf 2015-05-28 15:19 17M
[ ] HAXPO WELCOME – Richard Thieme – Too Much to Know.pdf 2015-05-27 13:37 6.3M

Apache/2.4.7 (Ubuntu) Server at Port 80


Posted in *nix, *nix-tools, Encryption, Hashing, https, LifeHacker, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Signing | Leave a Comment »

security – How do I view the contents of a PFX file on Windows? – Super User

Posted by jpluimers on 2015/07/27

Dumping any kind of certificate file gives you access to more details than the Windows UI usually shows you.

This is especially handy when checking out errors or issues (which can be very difficult to track down).

For binary PFX files, the certutil and openssl commands come in very handy:

Some options to view PFX file details:Open a command prompt and type: certutil -dump Install OpenSSL and use the commands to view the details, such as: openssl pkcs12 -info -in unverified.

OpenSSL is a separate download (from my OpenSSL category of articles, see Some command-line tips for OpenSSL and file format pfx, p12, cer, crt, key, etc. conversion of certificates, keys) to get it.

CertUtil now ships with Windows by default (it wasn’t in the Windows XP era, I’m not sure about Windows Server 2003).

Here is the CertUtil help for dumping certificate information;

Dump certificate file information CertUtil [Options] [-dump] [File] Options: [-f] [-silent] [-split] [-p Password] [-t Timeout]


  • the [-v] option is not listed, but does work; it will give a more verbose dump.
  • [-dump] also works other certificate file extensions like .p7b files.

Here is the OpenSSL help for dumping pkcs12 information:

openssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile filename] [-name name] [-caname name] [-in filename] [-out filename] [-noout] [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-info] [-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 | -camellia192 | -camellia256 | -nodes] [-noiter] [-maciter | -nomaciter | -nomac] [-twopass] [-descert] [-certpbe cipher] [-keypbe cipher] [-macalg digest] [-keyex] [-keysig] [-password arg] [-passin arg] [-passout arg] [-rand files] [-CAfile file] [-CApath dir] [-CSP name]


The pkcs12 command allows PKCS#12 files sometimes referred to as PFX files to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.


There are a lot of options the meaning of some depends of whether a PKCS#12 file is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 file can be created by using the -export option see below.


-in filenameThis specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.

-infooutput additional information about the PKCS#12 file structure, algorithms used and iteration counts.

and the OpenSSL help for dumping pkcs7 information:

openssl pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-print_certs] [-text] [-noout] [-engine id]


The pkcs7 command processes PKCS#7 files in DER or PEM format.


-inform DER|PEM; This specifies the input format. DER format is DER encoded PKCS#7 v1.5 structure.PEM the default is a base64 encoded version of the DER form with header and footer lines.

-print_certs; prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format.

-text; prints out certificates details in full rather than just subject and issuer names.


  • do not forget the -inform DER option to specify a binary .p7b file.
  • the -text option gives you more verbose information

via OpenSSL: Documents, pkcs71.



Posted in CertUtil, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Windows | Leave a Comment »

Enabling GIT_CURL_VERBOSE to research “unable to get local issuer certificate”

Posted by jpluimers on 2015/05/28

A while ago, I was fighting a corporate web proxy playing Man-in-the-Middle on all https sessions.

Though playing MitM on your employees is a debatable thing to do (especially without informing the employees, and illegal in certain countries, I had to get a GIT connection to the outside world working.

This helped tracking it down: GIT_CURL_VERBOSE “unable to get local issuer certificate”.

What I finally did was this:

  1. obtain the CA certificate that issues the MitM certificate in base-64 CRT form (which is the same as the PEM form):
  2. added it at the top of either of these files:
    • "%ProgramFiles%\Git\bin\curl-ca-bundle.crt"
    • "%ProgramFiles(x86)%\Git\bin\curl-ca-bundle.crt"
  3. added it to the top of either of these files:
    • "%ProgramFiles%\Mercurial\cacert.pem"
    • "%ProgramFiles(x86)%\Mercurial\cacert.pem"


PS: These were the failures I was getting:

Read the rest of this entry »

Posted in *nix, cURL, Development, DVCS - Distributed Version Control, git, PKI, Power User, Security, Source Code Management | Leave a Comment »

%d bloggers like this: