matching openssl's enc ciphers to php's openssl functions' ciphers: where's "chacha20-poly1305"?
I'm deploying a php app that makes use of php's openssl functions https://www.php.net/manual/en/ref.openssl.php atm, I've php -v PHP 7.4.8 (cli) (built: Jul 9 2020 08:57:23) ( NTS ) openssl version OpenSSL 1.1.1g FIPS 21 Apr 2020 The php app config defaults to an encryption method of $config['cipher_method'] = 'DES-EDE3-CBC'; for encrypting a session pwd, This key is used to encrypt the users imap password which is stored in the session record. I'd like to change that to a CHACHA20 variant. As listed by https://www.php.net/manual/en/function.openssl-get-cipher-methods.php the list of php-supported openssl ciphers includes [92] => chacha20 [93] => chacha20-poly1305 double checking available encryption ciphers @ openssl openssl enc -ciphers only lists -chacha20 not the add'l, -chacha20-poly1305 why is this^^ variant not shown? am I comparing apples & oranges here, looking at the wrong lists? perhaps just aliases for a singular cipher?
Help with Error: data too large for modulus
Hi, I am trying to do a walkthrough of verifying a certificate signing. 1) I have pulled the signature as follows: openssl asn1parse -in cert.pem -out cert.sig -noout -strparse 638 The offset of 638 is because asn1parse of the cert.pem file produces: 625:d=2 hl=2 l= 9 prim: OBJECT:sha256WithRSAEncryption 636:d=2 hl=2 l= 0 prim: NULL 638:d=1 hl=4 l= 257 prim: BIT STRING 2) I have pulled the public key of the CA certificate as follows: openssl x509 -in ca_cert.pem -pubkey -noout > ca_cert.pubkey 3) I am trying to decrypt the signature file to get the hash as follows: openssl rsautl -verify -pubin -inkey ca_cert.pubkey -in cert.sig -asn1parse Unfortunately I get an error in the above step as: 140155781719872:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:crypto/rsa/rsa_ossl.c:548: The size of the cert.sig file is 256 bytes. I am not sure where I am going wrong and would need some assistance. Thanks, Gautam.
Re: NULL ciphers
On 2020-08-13 20:20, Benjamin Kaduk wrote: On Thu, Aug 13, 2020 at 08:19:10PM +0200, Detlef Vollmann wrote: Hello, with the following commands: openssl s_server -accept 18010 -cert srv.crt -key test.key \ -CAfile testca.crt -debug -cipher 'NULL-SHA256' -dtls1_2 openssl s_client -connect localhost:18010 -cert clnt.crt \ -key test.key -CAfile testca.crt -debug \ -cipher 'COMPLEMENTOFALL:eNULL' -dtls1_2 NULL ciphers work fine with OpenSSL 1.0.2g. With OpenSSL 1.1.1g the handshake fails on the server side with 140295725053248:error:14102438:SSL routines:dtls1_read_bytes:tlsv1 \ alert internal error:../ssl/record/rec_layer_d1.c:611:SSL alert number \ 80 Even on OpenSSL 1.1.1g 'openssl ciphers -v NULL' lists NULL-SHA256. I'm only using s_server and s_client as tests, but I have the same problem in my application if I use SSL_CTX_set_cipher_list(sslCtx, "NULL-SHA256"); What can I do to get NULL ciphers for no encryption working? -cipher 'COMPLEMENTOFALL:eNULL@SECLEVEL=0' Wow, great :-) Thanks a lot for this quick reply, it actually works :-) Detlef
Re: NULL ciphers
On Thu, Aug 13, 2020 at 08:19:10PM +0200, Detlef Vollmann wrote: > Hello, > > with the following commands: > > openssl s_server -accept 18010 -cert srv.crt -key test.key \ > -CAfile testca.crt -debug -cipher 'NULL-SHA256' -dtls1_2 > > openssl s_client -connect localhost:18010 -cert clnt.crt \ > -key test.key -CAfile testca.crt -debug \ > -cipher 'COMPLEMENTOFALL:eNULL' -dtls1_2 > > NULL ciphers work fine with OpenSSL 1.0.2g. > > With OpenSSL 1.1.1g the handshake fails on the server side with > 140295725053248:error:14102438:SSL routines:dtls1_read_bytes:tlsv1 \ > alert internal error:../ssl/record/rec_layer_d1.c:611:SSL alert number \ > 80 > > Even on OpenSSL 1.1.1g 'openssl ciphers -v NULL' lists NULL-SHA256. > > I'm only using s_server and s_client as tests, but I have the same > problem in my application if I use > SSL_CTX_set_cipher_list(sslCtx, "NULL-SHA256"); > > What can I do to get NULL ciphers for no encryption working? -cipher 'COMPLEMENTOFALL:eNULL@SECLEVEL=0'
NULL ciphers
Hello, with the following commands: openssl s_server -accept 18010 -cert srv.crt -key test.key \ -CAfile testca.crt -debug -cipher 'NULL-SHA256' -dtls1_2 openssl s_client -connect localhost:18010 -cert clnt.crt \ -key test.key -CAfile testca.crt -debug \ -cipher 'COMPLEMENTOFALL:eNULL' -dtls1_2 NULL ciphers work fine with OpenSSL 1.0.2g. With OpenSSL 1.1.1g the handshake fails on the server side with 140295725053248:error:14102438:SSL routines:dtls1_read_bytes:tlsv1 \ alert internal error:../ssl/record/rec_layer_d1.c:611:SSL alert number \ 80 Even on OpenSSL 1.1.1g 'openssl ciphers -v NULL' lists NULL-SHA256. I'm only using s_server and s_client as tests, but I have the same problem in my application if I use SSL_CTX_set_cipher_list(sslCtx, "NULL-SHA256"); What can I do to get NULL ciphers for no encryption working? Detlef
'OPENSSLDIR' undeclared in openssl 1.1.1g
Hi, I couldn't find where this macro is #defined , previously in 1.0.2 it was defined in opensslconf.h . So , i am getting this error during compilation : openssl/crypto/x509/x509_def.c:17:12: error: 'OPENSSLDIR' undeclared (first use in this function) . This error is resolved if OPENSSLDIR is #defined in opensslconf.h as /usr/local/ssl (default btw). Can someone help me out with this? , why the OPENSSLDIR isn't #defined in any .h files or was i missing something? Used : ./Configure no-threads no-dso no-shared no-zlib no-asm no-engine no-bf no-camellia no-cast no-md2 no-md4 no-mdc2 no-ocsp no-rc2 no-rc5 no-hw no-idea no-srp gcc --with-rand-seed=none Thanks, Prud.
