Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
So many developer that does not know how to generate a simple .csr file. Here you go:
$DOMAIN=www.yourdomain.com
$STATE=State
$CITY=The city
$COMPANY=Company Name Gmbh
openssl req -utf8 -nameopt multiline,utf8 -new -newkey rsa:2048 -nodes -sha256 -out $DOMAIN.csr -keyout $DOMAIN.key -subj "/C=Your CountryCode/ST=$STATE/L=$CITY/O=${ORG:-$COMPANY}/OU=${ORG:-IT}/CN=$DOMAIN"11 -
Me: I need an SSL certificate.
Support: No problem. Just fire up your command line and generate one via OpenSSL.
Me: I'm on Windows.
Support: Ok, so what you do is code a Linux command line from scratch that will run in Powershell. Next, compile OpenSSL from your favorite of 60,000 versions available. Now, just fire it up and you're all set.
Me: Goodbye everything I've ever enjoyed doing in my free time.16 -
FUCK OPENSSL. I LOVE IT AND HATE IT SO FUCKING MUCH. WORK FASTER AND BE LESS CONFUSING SO I CAN BRAG ABOUT MY PRETTY ENCRYPTION CODE SOONER. FUCK20
-
Don't you just love it when an official Docker image suddenly switches from one base image to another, and they automatically update all existing tags? Oh you've had it locked to v1.2.3, guess what, v1.2.3 now behaves slightly differently because it's been compiled with OpenSSL 3. Yeah, we updated a legacy version of the software just to recompile it with the latest version of OpenSSL, even though the previous version of OpenSSL is still receiving security fixes.
I don't think it's the image maintainers or Docker's fault though. Docker images are expected to be self-contained, and updating the base image is necessary to get the latest security fixes. They had two options: to keep the old base image which has many outdated and vulnerable libraries, or to update the base image and recompile it with OpenSSL 3.
What really bothers me about the whole thing is that this is the exact fucking problem containers were supposed to solve. But even with all the work that goes into developing and maintaining container images, it still isn't possible to do anything about the fact that the entire Linux ecosystem gives exactly zero fucks about backwards compatibility or the ability to run legacy software.15 -
TIL one does not just pacman -Rc openssl.
Most fun way to fuck up arch linux since rm -rf /. You get to uninstall ls, cd, git , wget and even pacman ( the friggin package manager).
I'm not even mad. Amazing3 -
Anyone wanting to improve OpenSSL fulltime?
Understanding of Cryptography or ability to write secure code are not required...
https://openssl.org/blog/blog/...4 -
~# mkdir certs
~# openssl req -newkey.......
*checked certs dir*
hmm.. empty?
*generated certs again*
Certs dir still empty. Reverted to Google for answers. None found. I was using FileZilla to check the Certs directory.
15 minutes and a million tries late, I realized that I forgot to CD into the Certs directory...............2 -
Was just reading some of the OpenVPN scripts to renew a certificate where I forgot to source the vars file first (apparently OpenVPN stores those in a separate file that you always have to source first, and I tend to forget it sometimes).
Reading the revoke-full script that OpenVPN provides, it's just bash so I can read it no problem. But traversing through it and trying to understand it... Horrible! There's a test file in $RT named keys/revoke-test.pem. It's not used anywhere in OpenVPN for anything useful as far as I'm aware. The script however - the script that's running on a production server! - attempts to remove this file. It doesn't exist. Test files do (or at least should) not exist in production. They're not supposed to be there.
It exports empty variables. Some of them are set by the sourced vars file, some aren't. Not entirely sure why it's exporting variables as empty when they're uninitialized, or why it doesn't just unset the ones that are initialized.
And finally it goes ahead and revokes the key file that I'm actually concerned about through regular OpenSSL and verifies it.
Not to mention that the lack of the sourced vars file, which admittedly I should think about in the current status quo, if it *always* needs to be sourced anyway... Why doesn't the script do that itself then? One less thing to go wrong. But hey, proper design?
Gore. I don't have any other words for it.
And before anyone tells me that I should go and fix it if I'm so worried about it. Remember, I am not a developer. That's the job of the developers that made this in the first place.9 -
You know what a fucking good place for 1000s of mp4s, pdfs, doc files, exes and svgs is? Yeah, the bloddy SVN,which mirrors to git.
And how about a ibm websphere install zip with tiny 1.3gb?
And of cause you store your fuckin perl and Shellscripts, that have been written by a plain lunatic and that are responsible for installing the crap in the repo.
What? One repo for one component? Nah, cramp like 150 different projects into on repo.
And the most important scripts have to be kept unversionized ... For reasons.
And this is just the tip of the iceberg of shit.
Btw. websphere ships its own apache2.2 and its own security lib and its own openssl compilation, with ibm java ... Filesystem hierarchy standard? Dafuq? If you want to find something it better be like where is waldo - right, IBM? And command arguements? Man pages, usable documentation, usable deployment? How did any of this ever seem like a good idea to anyone?
Go get a koloscopy with a submarine periscope, IBM. -
My company provides its services as web pages and web services to our customers.
Once a year we update the certificate used for the https connections.
I notified the update to the clients that use the web services.
One of them asked me a copy of the public key.
No problem. Open the web site with the browser, save the key and send by email.
One day later the client asked me the public key in a zip file because the anti virus blocked my attachment.
Why the client hates the Chain of Trust ?
He could obtain the public key by them self from the browser or openssl.1 -
You know what's the worst in doing software?
being assigned that dreadful project, that's doomed and cursed just from the start. Nobody dared to try or touch it for 7 years, because it's destined to fail. You will never get the resources to do it properly, all the constrains are just against you. Even as the requirements bars are lowered and lowered you barely make it. You keep testing that shit with QA for like 8 months past schedule. Then before release some core changes need to be done. It passes QA, but you somehow now it's just a ticking time bomb. It will just crumble and fall somewhere out there, if somebody dares to use that shit for real.
And so it goes.
Bug reports coming in.1 -
...It relies on the BouncyCastle cryptography library instead of OpenSSL, yet replicates OpenSSL bugs to guarantee compatibility.2
-
With a recent HAProxy update on our reverse proxy VM I decided to enable http/2, disable TLS 1.0 and drop support for non forward-secrecy ciphers.
Tested our sites in Chrome and Firefox, all was well, went to bed.
Next morning a medium-critical havock went loose. Our ERP system couldn't create tickets in our ticket system anymore, the ticket systems Outlook AddIn refused to connect, the mobile app we use to access our anti-spam appliance wouldn't connect although our internal blackboard app still connected over the same load balancer without any issues.
So i declared a 10min maintenance window and disabled HTTP/2, thinking that this was the culprit.
Nope. No dice.
Okay, i thought, enable TLS 1.0 again.
Suddenly the ticket system related stuff starts to work again.
So since both the ERP system and the AddIn run on .NET i dug through the .NET documentation and found out that for some fucking reason even in the newest .NET framework version (4.7.2) you have to explicitly enable TLS 1.1 and 1.2 or else you just get a 'socket reset' error. Why the fuck?!
Okay, now that i had the ticket system out of the way i enabled HTTP/2 and verified that everything still works.
It did, nice.
The anti-spam appliance app still did not work however, so i enabled one non-pfs cipher in the OpenSSL config and tested the app.
Behold, it worked.
I'm currently creating a ticket with them asking politely why the fuck their app has pfs-ciphers disabled.
And I thought disabling DEPRECEATED tech wouldn't be an issue... Wrong... -
Another day, another critical vulnerability due to an out of bounds write that could never have occurred in Rust
https://github.com/openssl/openssl/...31 -
FINALLY got Chrome to accept my self signed ssl certificate on OSX!!!!
F*ck this has taken waaay to long....
For anyone seeking advice, look here:
https://alexanderzeitler.com/articl...9 -
Crypto. I've seen some horrible RC4 thrown around and heard of 3DES also being used, but luckily didn't lay my eyes upon it.
Now to my current crypto adventure.
Rule no.1: Never roll your own crypto.
They said.
So let's encrypt a file for upload. OK, there doesn't seem to be a clear standard, but ya'know combine asymmetric cipher to crypt the key with a symmetric. Should be easy. Take RSA and whatnot from some libraries. But let's obfuscate it a bit so nobody can reuse it. - Until today I thought the crypto was alright, but then there was something off. On two layers there were added hashes, timestamps or length fields, which enlarges the data to encrypt. Now it doesn't add up any more: Through padding and hash verification RSA from OpenSSL throws an error, because the data is too long (about 240 bytes possible, but 264 pumped in). Probably the lib used just didn't notify, silently truncating stuff or resorting to other means. Still investigation needed. - but apart from that: why the fuck add own hash verification, with weak non-cryptographic hashes(!) if the chosen RSA variant already has that with SHA-256. Why this sick generation of key material with some md5 artistic stunts - is there no cryptographically safe random source on Windows? Why directly pump some structs (with no padding and magic numbers) into the file? Just so it's a bit more fucked up?
Thanks, that worked.3 -
Crypto! I've always thought of crypto as some complicated black box! How does it work, but then I did the cryptopals challenge and learned to exploit cryptography. What to do with this new found knowledge? Write new libraries and ransomware of course! So I present two projects that taught me a lot!
Pydhe, possibly the first(!!!) Open source diffie Hellman library for python. (Yea I know openssl, but they don't let you do diffie hellman without TLS. I do!) https://github.com/deadPix3l/pyDHE
And Cryptsky! One of the first ever fully python, opensource ransomware! (Again caveat, most open source python ransomware isn't truely licensed as OSS or uses some lower functions written in C)
https://github.com/deadPix3l/... -
Found another gem in the code-base I've been given to troubleshoot.
Let's call recv(), get the TLS encrypted message, and then call BIO_write() and SSL_read() instead of offloading it to OpenSSL.5 -
Fuck you Linux! I thought user password validation would be a piece of cake, like bash one liner. How wrong could I be!
Yeah, it's already ugly to grep hash and salt from /etc/shadow, but I could accept that. But then give me a friggin' tool to generate the hash. And of course the distro I chose has the wrong makepswd, OpenSSL is too old to have the new SHA-512 built in, as it should be a minimal installation I don't want to use perl or python...
And the stupid crypto function that would do me the job is even included in glibc. So it's only one line of C-code to give me all I want, but there is no package that would provide me this dull binary? Instead I will have to compile it myself and then again remove the compiler to keep image small?5 -
I am so done for today. I was trying to get this encryption work in Rust, but no fucking way. If I encrypt data in PHP, it is just impossible to decrypt them in Rust. If I encrypt something in Rust, I can decrypt it anywhere, but not the other way around.
I checked the data hundred times and they are exactly the same in both programs. Also OpenSSL library in Rust is so helpful, that it won't show any error details except that there is an error.
Fuck my life!4 -
Which encryption library do you people use with c/c++? I'm trying to use openssl but well there is more documentation about how to replace my own heart in the dark than on that. Also most of the structs have missing declarations hell yeah its nice to have a EVP_PKEY but what's that? Oh I know it's a evp_pkey_t and what's that? Nothing apparently. Comments? You kidding??? A proper library doesn't have them...3
-
1. When we struggled for month with using OpenSSL, fixing our server, then bit of Sqlite3 fuck ups. Was it even right to use those libs, not write shit ourselves, if it is such a hassle to use them, or is it only us being too stupid to read the docs? Project seemed 'finished' for over a year. Really wore us out to get it out there.
2 Our board constantly announcing the success and striving of our pentester department. Makes me feel I am at the wrong place. No dynamics, growth, just too much stupid work to plow through.
3 Starting a bit with CTF's. Realizing I am hardly at the entrance of the rabbit hole. (And also is it even the right thing going down there? My Luddite tendencies also shining through...) Not mastering all this tools. -
ARGGHH ? WHY !?
[user@localhost pkgconfig]$ ls
libcrypto.pc libpng16.pc libssh2.pc libtiff-4.pc openssl.pc zlib.pc
libjpeg.pc libpng.pc libssl.pc libtls.pc sqlite3.pc
[user@localhost pkgconfig]$ pkg-config --cflags "openssl"
Package openssl was not found in the pkg-config search path.
Perhaps you should add the directory containing `openssl.pc'
to the PKG_CONFIG_PATH environment variable
Package 'openssl', required by 'virtual:world', not found
[user@localhost pkgconfig]$ echo $PKG_CONFIG_PATH
/CustomPath/lib/pkgconfig/
[user@localhost pkgconfig]$ PKG_CONFIG_PATH=/CustomPath/lib/pkgconfig
[user@localhost pkgconfig]$ pkg-config --cflags "openssl"
Package openssl was not found in the pkg-config search path.
Perhaps you should add the directory containing `openssl.pc'
to the PKG_CONFIG_PATH environment variable
Package 'openssl', required by 'virtual:world', not found7 -
git commit -m "The test core dumps, I go home" && git push
(OpenSSL is like running a marathon: It's just some month away and you already forgot how much fucking pain it was. Nah, can't have been that bad. Shit, it is.) -
Spent hours installing m2cryoto adb openssl on Windows but couldn't reach anywhere, at home it took five minutes and done. There is nothing like osx (brew) and linux. Things are so easy on them. They make development faster.
-
Now I get why people don't use Windows while developing Ruby... Always having an error with OpenSSL that doesn't let me do https requests...
-
I spent hours trying to figure out why a specific library couldn't be found on my system. I finally tore apart the ./configure script to no avail. I did a full text search of the source code and found a `config.log` file mentioning it was having trouble with a sub-dependency. I had failed to install OpenSSL.
Top Tags
Weekly Rant
View