Collaborate Disseminate
I am running testssl scan on an http port, after running the scan I got some errors highlighted in red.
The main one that I noticed is that certificate does not have SAN.
testlssl output:
subjectAltName (SAN) missing (NOT ok) — Br… Continue reading Is missing SAN in certificate a security issue?
A while ago, I created self-signed certificates for my internal domains with openssl:
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -days 3650 -nodes -keyout mysite.eden.internal.key -out eden.django.crt -subj "/C=… Continue reading Subject alternative name missing from certificate signed by own CA [duplicate]
I found that I can print information about the cipher suites allowed in each SECLEVEL with
openssl ciphers -v -s -tls1_2 ‘EECDH+AESGCM @SECLEVEL=2’
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-R… Continue reading What Server Temp Key algorithms are allowed in each SECLEVEL?
I was looking to verify the digital signature (if any) on the openssl3.3.1.tar.gz download from OpenSSL. The "PGP sign" link has nothing behind it (thought it’d have an asc or sig file).
I was able to checksum the hash on the dow… Continue reading openssl tar download, verifying the signature [closed]
Right up front – I am aware of this question here.
But this is not about browsers, for now.
I checked the certificate with openssl, which tells me GTS Root R1 is the root ca.
Same result in Chrome and by utilizing openssl cli from my Windo… Continue reading Why can’t I find google’s Root CA in my trust store? [closed]
I would like to extract the session key, master key and premaster key in TLS connection. In my case nginx plays TLS termination. So I want to see those key in nginx side. Here is my nginx.conf
user nginx;
worker_processes 1;
env SSLKEYLO… Continue reading How to retrieve TLS shared key in SSLKEYLOGFILE?
Is there a variable I can use to fill the openssl.cnf file with the Linux server hostname?
I know you can use -subj fields, but I specifically want to prefill the openssl.cnf if possible as I can then use it elsewhere in the configuration … Continue reading Using the server hostname as a variable in openssl.cnf for the CN?
As part of TLS1.3 handshake client hello sent containing the TLS1.3 version support as part of suppored_versions extension, consider if as part of server hello supported_versions extension is not present, but Legacy_version is set to 0x030… Continue reading In TLS1.3 server hello can the legacy version field set to 0x0304
I am using stunnel as a wrapper for using TLS/SSL to a remote port in Windows 10. My understanding is that stunnel uses openssl for the heavy lifting. Everything seems to be working, but I cannot get a verification on the certificate. S… Continue reading using stunnel or openssl to verify a remote certificate
I sent a client hello indicating TLS1.3 support, and it contains a list of all ciphersuites that support TLS1.3, TLS1.2 and TLS1.1
And consider server negotiated TLS1.3 indicating serverHello.supported_versions=0304, but ciphersuite select… Continue reading server negotiating TLS1.3 but sent TLS1.2 ciphersuite