tptacek 4 days ago
If you mean the OpenSSL CLI, it's hard to think of a more footgun-y cryptographic tool than the one that:

* defaults to unauthenticated encryption
* buries its one authenticated mode
* requires explicit command-line nonces
* defaults to an MD5 KDF

You could probably keep going for another 10 bullets. Never use the OpenSSL CLI for anything other than TLS stuff.
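Added example, not part of the thread and not OpenSSL's own code: the KDF bullet in the comment above, shown in Python. Without `-pbkdf2`, `openssl enc` derives key and IV with single-iteration EVP_BytesToKey over an 8-byte salt stored after a `Salted__` marker; the function names, the sample bytes and the MD5 default (taken from the comment) are assumptions of this example.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker `openssl enc` writes before the salt


def parse_enc_header(blob):
    """Split a salted `openssl enc` file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted openssl enc file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5"):
    """Single-iteration EVP_BytesToKey: D_i = H(D_{i-1} || password || salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def describe(blob, password, key_len=32, iv_len=16, digest="md5"):
    """Derive key/IV for a file and count the hash calls one guess costs."""
    salt, ciphertext = parse_enc_header(blob)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len, digest)
    digest_size = hashlib.new(digest).digest_size
    return {
        "salt": salt.hex(),
        "key": key.hex(),
        "iv": iv.hex(),
        # Ceiling division: the whole cost of testing one password guess.
        "hash_calls_per_guess": -(-(key_len + iv_len) // digest_size),
        "ciphertext_len": len(ciphertext),
    }


# Constructed sample: header, constructed salt, 32 placeholder ciphertext bytes.
SAMPLE = MAGIC + bytes.fromhex("0011223344556677") + bytes(32)

if __name__ == "__main__":
    for name, value in describe(SAMPLE, b"correct horse").items():
        print(f"{name}: {value}")
```

A handful of hash calls per password guess is the whole work factor here, which is why a deliberately slow, iterated derivation (the `-pbkdf2` and `-iter` options) is the safer setting when a passphrase protects the file.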

coppsilgold 4 days ago
You can use ssh-keygen for signing and verifying signatures. You can also use age[1] to encrypt payloads targeting ssh public keys. And decrypt using ssh private keys.

quotemstr 4 days ago
Yeah, the OpenSSL CLI sucks. So what's to be done? Sure, we can build a 25519-specific tool with a less footgun-y interface. Fine, whatever, for that one use case. Or we can build an alternative OpenSSL CLI that explodes OpenSSL and its numerous useful features in a general way and helps fix lots of use cases.

why-o-why 4 days ago
Are you confusing the open openSSL library with the CLI? Absolutely none of this is true when used as a signing tool on the CLI. Seems like you just needed to rant, rather than answer my question. Which is fine: I do it too, but I was legit asking a question that you ignored and you seem to know about openSSL?