Questions tagged [openssl]

OpenSSL: The Open Source Toolkit for SSL and TLS

0 votes
0 answers
47 views

TLS cipher suites ordering

I have nginx configured to use ssl_ciphers PROFILE=SYSTEM;. And I have Alma Linux configured to use the DEFAULT crypto policy: ~$ update-crypto-policies --show DEFAULT From the RHEL 9 documentation: ...
McLayn's user avatar
  • 161
1 vote
1 answer
38 views

openssl ignores intermediate certificate in pkcs12 file

After creating a new S/MIME certificate, I am stuck with creating a valid PKCS #12 file that is accepted by most mail clients: $ openssl verify smime.pfx CN = [email protected], emailAddress = mail@...
Stephan Windmüller's user avatar
-1 votes
0 answers
54 views

How to prevent cURL error from happening

My websocket has broken down two times in the past month with cURL maybe caused by openssl misconfiguration. Happening when I try to broadcast a laravel event to websocket: Pusher error: cURL error 35: ...
Valik Tralik's user avatar
-1 votes
1 answer
2k views

OpenSSL 1.0.2 SHA1 requirement causing HTTPS compatibility error with Microsoft Edge 119 ERR_SSL_PROTOCOL_ERROR [closed]

I encountered the problem described in this Thread but with the Microsoft Edge browser version 119, which has been published on November 2, 2023. The problem only seems to occur on webserver instances ...
Enrique SM's user avatar
0 votes
0 answers
80 views

Dovecot: SSL not working (no suitable signature algorithm), other daemons work just fine

I try to secure my Dovecot with SSL/TLS using Letsencrypt certificates. Dovecot immediately closes any TLS connection and reports the confusing error "no suitable signature algorithm" in the ...
user2690527's user avatar
1 vote
1 answer
157 views

keytool error: java.security.cert.CertificateParsingException: signed fields invalid

I have an X509 certificate pem file I got from Mongo Atlas. I'm trying to import it into the keystore like so: keytool -importcert -file X509-cert.pem -alias myalias -keystore mykeystore.p12 -storetype ...
ritratt's user avatar
  • 139
0 votes
1 answer
52 views

Configure OpenVPN with existing certificate

I want to configure OpenVPN with available certificates, without using easy-rsa. I use openssl to generate private.key and csr.csr. Then I use opensource CA EJBCA to authenticate csr and create a ...
Patrick's user avatar
0 votes
1 answer
59 views

installed homebrew openssl library not found when building MongoDb PHP driver on Mac

Similar to this questioner, due to a 502 Bad Gateway error, following the PHP docs I am attempting to build the PHP Mongo driver from scratch, using a modified ./config step ./configure --with-mongodb-...
wonder95's user avatar
  • 123
0 votes
2 answers
230 views

Is it possible to hide a binary file from the system

A VPS on Centos 7 came with a very old version of openssl. I built and installed a newer version of openssl. (details below) This newer openssl was only installed in order to upgrade to a much newer ...
David C's user avatar
  • 103
1 vote
1 answer
130 views

OpenVPN Revoke a certificate without the CRT file with Easy RSA

I'm confused, I have an OpenVPN server on Debian. The previous system administrator who was in charge of this server deleted the user certificates (.crt file) with the command "rm -f example.crt&...
g1398's user avatar
  • 13
0 votes
0 answers
90 views

openssl crash on nginx building ubuntu 22.04

trying this on ubuntu 22.04 sudo ./configure --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-...
konstantinos Dms's user avatar
0 votes
2 answers
1k views

How to restart openssl on debian

I have made some changes in openssl.cnf and want to restart the service. Normally I would just restart the machine for changes to take effect but I don't want to restart the machine. Tried sudo systemctl restart ...
Frank Martin's user avatar
3 votes
6 answers
13k views

HTTPS compatibility issue with Chrome 116/117 ERR_SSL_PROTOCOL_ERROR

I'm having error ERR_SSL_PROTOCOL_ERROR for 2 days on my website for some reason. Browsers tested Windows Chrome 117.0.5938.132 : ERR_SSL_PROTOCOL_ERROR Android Chrome 117.0.5938.61 : ...
Alexandre Lavoie's user avatar
0 votes
1 answer
106 views

Warning with sending emails from Thunderbird to Postfix using its own CA

I'm asking for help because I simply don't have the strength anymore, I've spent a lot of time and I'm still left with an unsolved puzzle. My problem: I keep getting "Wrong Site" warnings ...
lkuc18's user avatar
  • 11
0 votes
0 answers
58 views

Install old OpenSSL 0.9.8 on MacOS 13.2, make error

For compatibility purposes of some functionalities and old software I need to install OpenSSL 0.9.8 on a modern MacOS machine. I downloaded the source archive from: https://www.openssl.org/source/old/0....
MonsieurMemons's user avatar
2 votes
1 answer
736 views

TLS 1.0 broken with newer Debian/OpenSSL

I'm migrating a server running Debian 10 to a server running Debian 12 (and a 6.x kernel), and the last thing that doesn't seem to be working is TLS 1.0, which I've been trying to figure out. I'm ...
InterLinked's user avatar
1 vote
0 answers
148 views

How to convert a DER private key to PEM

I have a private key that is in binary format. I'm not sure if this is DER format but I need to convert it to PEM. I'm using openssl with this command: openssl rsa -inform DER -outform PEM -in test....
dssof's user avatar
  • 11
0 votes
1 answer
89 views

Have you got a worked example of using Postgres through ODBC with openssl and the Progress DataDirect Linux driver?

I am new to openssl configuration, Postgres, and the Progress DataDirect ODBC driver, and I am trying to set this up. I have Postgres working in a container, set up with tjcw:~$ openssl req -new -x509 ...
Chris Ward's user avatar
0 votes
0 answers
485 views

Configure QUIC and HTTP/3 in Ubuntu

I want to install and configure nginx-1.19.0 with HTTP/3 support on Ubuntu 22.04. OpenSSL version is 3.0.2. I was surfing the internet but I didn't find anything straightforward to guide me how to ...
Leotrim Lota's user avatar
1 vote
1 answer
80 views

AWX error X509 using custom EE image with pyopenssl

I'm currently setting up an AWX platform hosted on K8s cluster to get a proper UI + features for multi-user purpose. Context: I created an EE image pushed on a Nexus repository that AWX uses in order ...
motorbass's user avatar
  • 343
0 votes
1 answer
103 views

SSL Certificate loading error in postgresql.conf file during restart

openssl genrsa -out root.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt chown postgres:postgres server.* ...
Rajesh Maniyar's user avatar
0 votes
0 answers
82 views

CA-Certificate and Server Certificate are expired! - openVPN - Server <--> Client(x)

I am hosting an openVPN-Service to connect ~30 IoT-Clients directly to my Server. I have forgotten to extend the lifetime of the self-signed ca.cert and the server.crt. Now my openVPN-Clients could not ...
Mat's user avatar
  • 3
0 votes
0 answers
22 views

self signed for a site accessible through VPN

I'd like to know if what I'm doing is right or is there another way to do this? I have this site that is accessible through VPN and I'd like the end users not to see the "not secured" ...
Reefo Relaxo's user avatar
0 votes
1 answer
108 views

self signed certificate for a site that can only be accessed through VPN

I read a lot of articles about self signed certificates and I'm not exactly sure if I'm getting near to what I want to actually achieve. I'm trying to implement a self signed certificate so that the ...
Reefo Relaxo's user avatar
0 votes
0 answers
587 views

[Microsoft][ODBC Driver 17 for SQL Server] SSL Provider: [error:0A000102:SSL routines::unsupported protocol] in PHP Laravel on macOS using Brew

I'm encountering an issue while trying to connect to a SQL Server database using PHP Laravel on macOS with Brew. I'm receiving the following error message: [Microsoft][ODBC Driver 17 for SQL Server] ...
Ainz Ooal Gown's user avatar
0 votes
0 answers
344 views

ValueError: Invalid version. The only valid version for X509Req is 0

I'm trying to renew the SSL but I got this error: SSL Error 1 SSL Error 2 I already tried sudo pip3 install pyOpenSSL and sudo pip3 install cryptography==40.0.1, uninstalled it, and installed it again,...
Jeff's user avatar
  • 1
0 votes
1 answer
93 views

Identify SSL certificate type for apache configuration

I have SSL certificate files: Root2023.crt t1.crt t1.pem t1.pk8 on my apache How can I determine which of these files should be used for SSLCertificateFile, SSLCertificateKeyFile, and ...
Mohammad Fanni's user avatar
0 votes
2 answers
191 views

curl with --cacert fails on almalinux8 but works on ubuntu

We try this: curl -v --cacert cert.pem https://example.com/path.asmx on Ubuntu it's working, we're getting: successfully set certificate verify locations: * CAfile: cert.pem CApath: /etc/ssl/...
Guy's user avatar
  • 3
0 votes
0 answers
186 views

Cannot connect to LDAP server ERRNO=0

I have a php application (apache,redhat with selinux disabled) and I am struggling with ldap configuration. I am trying to connect to a ldap server and I am getting this error in apache logs: ...
el sparrow's user avatar
2 votes
1 answer
570 views

Apache 2.4 on Windows slow to respond to initial first request

I started serving pre-compressed Brotli files on my website https://www.filmfix.com/en/home/. They work; but ever since then, Apache is having response issues along all VirtualHost setups (not just ...
MeSo2's user avatar
  • 274
1 vote
0 answers
70 views

OpenSSL issue with Rancher/Kubernetes cluster on RHEL 8

So we are working on setting up a big Rancher/Kubernetes cluster on a bunch of RHEL 8 servers. We have everything installed and have Rancher running on a 3 node cluster behind a load balancer. The ...
shagrat861's user avatar
0 votes
1 answer
260 views

Disable TLSv1.0 and TLSv1.1 when generating certificates using openssl 1.1.1

I am struggling to implement a feature for my certificates. I am generating my certificates with OPENSSL 1.1.1. I want to allow only TLSv1.2 and TLSv1.3. The other protocols should not be possible (...
gboltonrp's user avatar
0 votes
1 answer
561 views

OpenSSL 3.0 generating p12 certificate issue with FIPS

I am running the OpenSSL command to generate bundle.p12 with -legacy option. RHEL 9 FIPS Enabled setup. openssl pkcs12 -export -legacy -in cacert.pem -inkey cakey.pem -out bundle.p12 Error creating ...
user1631072's user avatar
0 votes
1 answer
547 views

Can't get .pfx file to work on Linux

I am writing a C# program that has to call an API endpoint that requires authentication via certificates. I have got a .pfx file, which I can import in Windows and everything works fine, however the ...
MondQ's user avatar
  • 3
0 votes
1 answer
526 views

openssl s_client works with IP, but does nothing with domain name

I recently-ish set up an internal (firewalled) apache2 web server that exactly one of my colleagues cannot reach for some reason (PR_END_OF_FILE_ERROR, indicating something's wrong with the handshake/...
MrArsGravis's user avatar
0 votes
1 answer
157 views

Fastcgi script "file not found" / Primary script unknown

ACTUAL SITUATION I am in the process of transferring a static web server to a container. ISSUE ENCOUNTERED When I'm trying to reach my server, I received "File not found" with : curl ...
user20893268's user avatar
0 votes
1 answer
69 views

Certificate works when added a space to it, why?

We have generated a certificate via Letsencrypt and trying to use it via nginx, but we get a weird error: cannot load certificate "/home/path/site.pem": PEM_read_bio_X509_AUX() failed The ...
Vikas Singhal's user avatar
0 votes
0 answers
400 views

.p12 certificate not working on mac (Ventura 13.4.1) but works on windows

I generated ssl certificates for (Nifi Registry https://nifi.apache.org/registry.html) I installed them in Windows. It worked and I get a prompt to select certificate when I open the website https:// ...
santhosh's user avatar
  • 103
0 votes
0 answers
197 views

NodeJS https server returns http 0 and SSL error:14094412 ERR_SSL_SSLV3_ALERT_BAD_CERTIFICATE

I have a nodejs https server running on my Raspberry Pi. It responds to ajax requests. When opening the webpage with a desktop/laptop or an iPhone (Safari), the ajax call returns the proper result with ...
BogisW's user avatar
  • 101
1 vote
0 answers
96 views

How to have "empty" for x509's nameConstraints extension subtree?

I am signing x509 certificates that should only be used for CN under a specific domain, not for any IP/email/UPN. the rfc5280 says that passing empty to a permitted value will allow all of those class,...
gcb's user avatar
  • 52
0 votes
1 answer
231 views

how to work with x509 certificate bundles with openssl

Is it possible to work with x509 certificates in a pkcs7 bundle file? I need to sign all certificates in a bundle with extra x509 extensions. e.g. (if they were a single x509 crt file) openssl x509 -...
gcb's user avatar
  • 52
1 vote
0 answers
119 views

Not receiving any response from SMTP server after successfully connected via openssl or telnet

I am trying to set up my postfix using Gmail smtp relay server. I have set it up in other servers without issues, but I am having difficulty getting it to work in my work network. I tested if there is ...
ricardo3889's user avatar
-1 votes
1 answer
264 views

Yum to packages.microsoft.com failed on Centos 7

You can say I'm a beginner in using Centos. Our regional want to use packages.microsoft.com as repository. We have opened the firewall to the packages.microsoft.com. Tracepath is no issue, but when we are ...
Myan's user avatar
  • 3
0 votes
1 answer
166 views

OpenSSL Error: lib(128):capi_rsa_priv_enc:function not supported in client Auth

My scripts to sign file via API were working properly fine when my previous server setup was Ubuntu 20.04 and openssl version is 1.1.1b. But after upgrade, I am getting this issue. Client environment ...
Manish Pandey's user avatar
-1 votes
1 answer
267 views

How to verify signed file? [closed]

How to check the validity of a file using openssl and cms? I've got a file (foo.bin) and a signature (foo.bin.cms) which includes an x509 DER format certificate. Is there any way to check validity of ...
Nav Boom's user avatar
0 votes
1 answer
161 views

Cannot enable OCSP stapling

Windows Server 2022 Apache x64 2.4.57 OpenSSL 3.0.8 My Apache SSL conf has this: SSLUseStapling On SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(65536)" ...
MonkeyZeus's user avatar
0 votes
0 answers
250 views

How to sign a certificate for s/mime and generate pkcs12 store with existing CA?

I want to create a certificate store file in pkcs12 format to use in thunderbird for s/mime signing and encrypting. I already run a mail and web server that use certificates signed by a CA certificate ...
FalcoGer's user avatar
  • 136
0 votes
0 answers
20 views

How can I disable the TLS handshake with 128-Bit-Key from the browser with my apache2 settings? [duplicate]

When I load a website on an apache2 with ssl and look at the settings of the certificate in the browser, it is always a 128-bit key length, only want 256-bit and above to be allowed. I have that in ...
Z0OM's user avatar
  • 308
0 votes
0 answers
217 views

Apache SSL not working - server took too long to respond

I am trying to get Apache (2.4.41, Ubuntu) to work with SSL and am not having luck. Whenever I visit the site in my browser, I get the error "This site can't be reached: my-domain took too long ...
Jeff's user avatar
  • 135
0 votes
1 answer
750 views

Remove old Cipher Suites

I manage some websites and one of them got a poor security rating (from sec scorecard). I have a managed server, so I asked the IT guys to help, but also would like to understand this issue a little ...
Rever_2019's user avatar
