Questions tagged [openssl]

OpenSSL: The Open Source Toolkit for SSL and TLS

1 vote
1 answer
14 views

OpenVPN Revoke a certificate without the CRT file with Easy RSA

I'm confused, I have an OpenVPN server on Debian. The previous system administrator who was in charge of this server deleted the user certificates (.crt file) with the command "rm -f example.crt&...
g1398's user avatar
  • 11
0 votes
0 answers
22 views

openssl crash on nginx building ubuntu 22.04

trying this on ubuntu 22.04 sudo ./configure --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-...
konstantinos Dms's user avatar
-1 votes
0 answers
26 views

I can't set sufficiently secure parameters for Diffie-Hellman key exchange on a LAMP stack

I have Let's Encrypt SSH. Ubuntu 22.04. PHP 8.1.2 and Mysql 8.1. I have created a file in /etc/ssh/certs and named it dhparam.pem (I also tried ffdhe4096.txt). And added the parameters in it. In /etc/...
newcat1000's user avatar
0 votes
2 answers
98 views

How to restart openssl on debian

I have made some changes in openssl.cnf and want to restart the service. Normally I would just restart the machine for changes to take effect, but I don't want to restart the machine. Tried sudo systemctl restart ...
Frank Martin's user avatar
2 votes
7 answers
6k views

HTTPS compatibility issue with Chrome 116/117 ERR_SSL_PROTOCOL_ERROR

I've been having the error ERR_SSL_PROTOCOL_ERROR for 2 days on my website for some reason. Browsers tested Windows Chrome 117.0.5938.132 : ERR_SSL_PROTOCOL_ERROR Android Chrome 117.0.5938.61 : ...
Alexandre Lavoie's user avatar
0 votes
1 answer
91 views

Warning with sending emails from Thunderbird to Postfix using its own CA

I'm asking for help because I simply don't have the strength anymore, I've spent a lot of time and I'm still left with an unsolved puzzle. My problem: I keep getting "Wrong Site" warnings ...
lkuc18's user avatar
  • 11
0 votes
0 answers
41 views

Install old OpenSSL 0.9.8 on MacOS 13.2, make error

For compatibility purposes of some functionalities and old software I need to install OpenSSL 0.9.8 on a modern MacOS machine. I downloaded the source archive from: https://www.openssl.org/source/old/0....
MonsieurMemons's user avatar
1 vote
1 answer
136 views

TLS 1.0 broken with newer Debian/OpenSSL

I'm migrating a server running Debian 10 to a server running Debian 12 (and a 6.x kernel), and the last thing that doesn't seem to be working is TLS 1.0, which I've been trying to figure out. I'm ...
InterLinked's user avatar
1 vote
0 answers
55 views

How to convert a DER private key to PEM

I have a private key that is in binary format. I'm not sure if this is DER format but I need to convert it to PEM. I'm using openssl with this command: openssl rsa -inform DER -outform PEM -in test....
dssof's user avatar
  • 11
0 votes
1 answer
41 views

Have you got a worked example of using Postgres through ODBC with openssl and the Progress DataDirect Linux driver?

I am new to openssl configuration, Postgres, and the Progress DataDirect ODBC driver, and I am trying to set this up. I have Postgres working in a container, set up with tjcw:~$ openssl req -new -x509 ...
Chris Ward's user avatar
0 votes
0 answers
129 views

Configure QUIC and HTTP/3 in Ubuntu

I want to install and configure nginx-1.19.0 with HTTP/3 support on Ubuntu 22.04. OpenSSL version is 3.0.2. I was surfing the internet but I didn't find anything straightforward to guide me on how to ...
Leotrim Lota's user avatar
1 vote
1 answer
44 views

AWX error X509 using custom EE image with pyopenssl

I'm currently setting up an AWX platform hosted on a K8s cluster to get a proper UI + features for multi-user purposes. Context: I created an EE image pushed to a Nexus repository that AWX uses in order ...
motorbass's user avatar
  • 343
0 votes
1 answer
51 views

SSL Certificate loading error in postgresql.conf file during restart

openssl genrsa -out root.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt chown postgres:postgres server.* ...
Rajesh Maniyar's user avatar
0 votes
0 answers
29 views

CA-Certificate and Server Certificate are expired! - openVPN - Server <--> Client(x)

I am hosting an openVPN-Service to connect ~30 IoT-Clients directly to my Server. I have forgotten to extend the lifetime of the self-signed ca.cert and the server.crt. Now my openVPN-Clients could not ...
Mat's user avatar
  • 3
0 votes
0 answers
19 views

self signed for a site accessible through VPN

I'd like to know if what I'm doing is right or is there another way to do this? I have this site that is accessible through VPN and I'd like the end users not to see the "not secured" ...
Reefo Relaxo's user avatar
0 votes
1 answer
55 views

self signed certificate for a site that can only be accessed through VPN

I read a lot of articles about self signed certificates and I'm not exactly sure if I'm getting near to what I want to actually achieve. I'm trying to implement a self signed certificate so that the ...
Reefo Relaxo's user avatar
0 votes
0 answers
192 views

[Microsoft][ODBC Driver 17 for SQL Server] SSL Provider: [error:0A000102:SSL routines::unsupported protocol] in PHP Laravel on macOS using Brew

I'm encountering an issue while trying to connect to a SQL Server database using PHP Laravel on macOS with Brew. I'm receiving the following error message: [Microsoft][ODBC Driver 17 for SQL Server] ...
Ainz Ooal Gown's user avatar
0 votes
0 answers
117 views

ValueError: Invalid version. The only valid version for X509Req is 0

I'm trying to renew the SSL but I got this error: SSL Error 1 SSL Error 2 I already tried sudo pip3 install pyOpenSSL and sudo pip3 install cryptography==40.0.1, uninstalled it, and installed it again,...
Jeff's user avatar
  • 1
0 votes
1 answer
77 views

Identify SSL certificate type for apache configuration

I have SSL certificate files: Root2023.crt t1.crt t1.pem t1.pk8 on my apache How can I determine which of these files should be used for SSLCertificateFile, SSLCertificateKeyFile, and ...
Mohammad Fanni's user avatar
0 votes
2 answers
63 views

curl with --cacert fails on almalinux8 but works on ubuntu

We try this: curl -v --cacert cert.pem https://example.com/path.asmx on Ubuntu it's working, we're getting: successfully set certificate verify locations: * CAfile: cert.pem CApath: /etc/ssl/...
Guy's user avatar
  • 3
0 votes
0 answers
74 views

Cannot connect to LDAP server ERRNO=0

I have a php application (apache,redhat with selinux disabled) and I am struggling with ldap configuration. I am trying to connect to a ldap server and I am getting this error in apache logs: ...
el sparrow's user avatar
1 vote
0 answers
51 views

OpenSSL issue with Rancher/Kubernetes cluster on RHEL 8

So we are working on setting up a big Rancher/Kubernetes cluster on a bunch of RHEL 8 servers. We have everything installed and have Rancher running on a 3 node cluster behind a load balancer. The ...
shagrat861's user avatar
0 votes
1 answer
115 views

Disable TLSv1.0 and TLSv1.1 when generating certificates using openssl 1.1.1

I am struggling to implement a feature for my certificates. I am generating my certificates with OPENSSL 1.1.1. I want to allow only TLSv1.2 and TLSv1.3. The other protocols should not be possible (...
gboltonrp's user avatar
0 votes
1 answer
226 views

OpenSSL 3.0 generating p12 certificate issue with FIPS

I am running the OpenSSL command to generate bundle.p12 with -legacy option. RHEL 9 FIPS Enabled setup. openssl pkcs12 -export -legacy -in cacert.pem -inkey cakey.pem -out bundle.p12 Error creating ...
user1631072's user avatar
0 votes
1 answer
256 views

Can't get .pfx file to work on Linux

I am writing a C# program that has to call an API endpoint that requires authentication via certificates. I have got a .pfx file, which I can import in Windows and everything works fine, however the ...
MondQ's user avatar
  • 3
0 votes
1 answer
260 views

openssl s_client works with IP, but does nothing with domain name

I recently-ish set up an internal (firewalled) apache2 web server that exactly one of my colleagues cannot reach for some reason (PR_END_OF_FILE_ERROR, indicating something's wrong with the handshake/...
MrArsGravis's user avatar
0 votes
1 answer
90 views

Fastcgi script "file not found" / Primary script unknown

ACTUAL SITUATION I am in the process of transferring a static web server to a container. ISSUE ENCOUNTERED When I'm trying to reach my server, I received "File not found" with : curl ...
user20893268's user avatar
0 votes
1 answer
60 views

Certificate works when added a space to it, why?

We have generated a certificate via Letsencrypt and trying to use it via nginx, but we get a weird error: cannot load certificate "/home/path/site.pem": PEM_read_bio_X509_AUX() failed The ...
Vikas Singhal's user avatar
0 votes
0 answers
227 views

.p12 certificate not working on mac (Ventura 13.4.1) but works on windows

I generated SSL certificates for (Nifi Registry https://nifi.apache.org/registry.html). I installed them in Windows. It worked and I get a prompt to select a certificate when I open the website https:// ...
santhosh's user avatar
  • 103
0 votes
0 answers
141 views

NodeJS https server returns http 0 and SSL error:14094412 ERR_SSL_SSLV3_ALERT_BAD_CERTIFICATE

I have a nodejs https server running on my Raspberry Pi. It responds to ajax requests. When I open the webpage with a desktop/laptop or an iPhone (Safari), the ajax call returns the proper result with ...
BogisW's user avatar
  • 101
1 vote
0 answers
76 views

How to have "empty" for x509's nameConstraints extension subtree?

I am signing x509 certificates that should only be used for CN under a specific domain, not for any IP/email/UPN. the rfc5280 says that passing empty to a permitted value will allow all of those class,...
gcb's user avatar
  • 50
0 votes
1 answer
134 views

how to work with x509 certificate bundles with openssl

Is it possible to work with x509 certificates in a pkcs7 bundle file? I need to sign all certificates in a bundle with extra x509 extensions. e.g. (if they were a single x509 crt file) openssl x509 -...
gcb's user avatar
  • 50
0 votes
0 answers
50 views

Not receiving any response from SMTP server after successfully connected via openssl or telnet

I am trying to set up my postfix using Gmail smtp relay server. I have set it up in other servers without issues, but I am having difficulty getting it to work in my work network. I tested if there is ...
ricardo3889's user avatar
-1 votes
1 answer
170 views

Yum to packages.microsoft.com failed on Centos 7

You can say I'm a beginner in using Centos. Our regional office wants to use packages.microsoft.com as a repository. We have opened the firewall to packages.microsoft.com. Tracepath is no issue, but when we are ...
Myan's user avatar
  • 3
0 votes
1 answer
145 views

OpenSSL Error: lib(128):capi_rsa_priv_enc:function not supported in client Auth

My scripts to sign a file via API were working fine when my previous server setup was Ubuntu 20.04 and the openssl version was 1.1.1b. But after the upgrade, I am getting this issue. Client environment ...
Manish Pandey's user avatar
-1 votes
1 answer
175 views

How to verify signed file? [closed]

How to check the validity of a file using openssl and cms? I've got a file (foo.bin) and a signature (foo.bin.cms) which includes an x509 DER format certificate. Is there any way to check the validity of ...
Nav Boom's user avatar
0 votes
1 answer
110 views

Cannot enable OCSP stapling

Windows Server 2022 Apache x64 2.4.57 OpenSSL 3.0.8 My Apache SSL conf has this: SSLUseStapling On SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(65536)" ...
MonkeyZeus's user avatar
0 votes
0 answers
176 views

How to sign a certificate for s/mime and generate pkcs12 store with existing CA?

I want to create a certificate store file in pkcs12 format to use in thunderbird for s/mime signing and encrypting. I already run a mail and web server that use certificates signed by a CA certificate ...
FalcoGer's user avatar
  • 136
0 votes
0 answers
20 views

How can i disable the TLS handshake with 128-Bit-Key from the browser with my apache2 settings? [duplicate]

When I load a website on an apache2 with ssl and look at the settings of the certificate in the browser, it is always a 128-bit key length, only want 256-bit and above to be allowed. I have that in ...
Z0OM's user avatar
  • 298
0 votes
0 answers
161 views

Apache SSL not working - server took too long to respond

I am trying to get Apache (2.4.41, Ubuntu) to work with SSL and am not having luck. Whenever I visit the site in my browser, I get the error "This site can't be reached: my-domain took too long ...
Jeff's user avatar
  • 135
0 votes
1 answer
532 views

Remove old Cipher Suites

I manage some websites and one of them got a poor security rating (from sec scorecard). I have a managed server, so I asked the IT guys to help, but also would like to understand this issue a little ...
Rever_2019's user avatar
8 votes
2 answers
681 views

SAN certificate with URI fragment

I need to generate a TLS certificate with a SAN URI where the URI has a fragment (has a hash '#'). But when I try to generate a certificate using openssl, the fragment gets stripped. # generate key ...
Rich Remer's user avatar
0 votes
1 answer
602 views

Enable TLSv1.1 on httpd 2.4.56 running on Docker

I am trying to modernize the infrastructure of a HTTP web service. I want to update the web server to something more recent and secure, but I have to maintain compatibility with some legacy devices in ...
Marco Benetti's user avatar
0 votes
0 answers
118 views

RPMBUILD Apache with mod_ssl - Not seeing/using new version of openssl

I am having issues attempting to get Apache with mod_ssl to see/use the new version of openssl which is 3.1.0. In my httpd.spec file I have specified --with-ssl=/opt/openssl/openssl3.1.0. rpmbuild -ba ...
Hosting wiz's user avatar
2 votes
1 answer
11k views

SSL error "unexpected eof while reading" on same server as the originating request

First, I'm aware of the SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading error stemming from OpenSSL 3 reintroducing a feature to prevent truncation attacks. The question I ...
oucil's user avatar
  • 587
0 votes
1 answer
640 views

openssl functions randomly returns warning: command substitution: ignored null byte in input

I try to encrypt some loads, here is a minimum working example (is RSA private key) to_be_signed="2f93992bb1db9cab0b3b8fc2de0a2863" #to_be_signed="7d6d2a584a227574e1c113aab56ea490&...
philippe's user avatar
  • 2,313
2 votes
2 answers
7k views

Error in libcrypto connecting RHEL 9 server to Centos 6 via SFTP/SSH

I am trying to connect from a new RHEL9 server to an older Centos 6 server to SFTP files from the older server to the new one for an upgrade, but when connecting from 9 to 6 I get the following error: ...
Eric W's user avatar
  • 29
0 votes
0 answers
120 views

Trouble Adding Public-Key Certificate to CAcerts

I am trying to add some public-key certificates to my CAcerts file. In the past I have done it by modifying the keystore directly as such: keytool -keystore /etc/pki/java/cacerts -importcert -alias ...
shepster's user avatar
  • 161
0 votes
0 answers
71 views

Remote Desktop Gateway (RDG) Public CA certificate not trusted on external connection

Currently moving the RDG role from "nene-server" to "NTRDG01", but when trying to connect externally to the gateway, getting certificate error: External error on gateway over https. This was ...
JackWrighty's user avatar
1 vote
0 answers
248 views

Decrypting Kubernetes secret using the encryption key

I have a toy Kubernetes cluster with Encryption at rest enabled using the abs-256-cbc provider; I have not used any vault here for kms simulating the problem. This means the encryption key is in a ...
P....'s user avatar
  • 111
