vi / websocat

Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
MIT License

Pkcs12 compatibility issues on OpenSSL 1.x.x #239

Closed uuonda closed 6 months ago

uuonda commented 6 months ago

On OpenSSL 1.x.x, this command from the docs generates a pkcs12 file incompatible with websocat.

openssl pkcs12 -export -out output.pkcs12 -inkey key.pem -in cert.pem

The error message is not printed until after the first incoming connection.

websocat: error::digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

This happens because OpenSSL 1.x.x uses the "legacy" RC2-40 algorithm. The fix is:

openssl pkcs12 -export -descert -out output.pkcs12 -inkey key.pem -in cert.pem

Hopefully that will save some time for someone.
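A pre-flight check for the incompatibility described in the comment above, as an added example that is not part of the original thread or of websocat: it reads the text printed by `openssl pkcs12 -info -noout` and flags an archive whose certificate bag uses RC2-40, so the problem shows up before the first incoming connection. The two sample outputs are constructed to follow that command's format, and the function names and the `P12_PASS` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a PKCS#12 archive for RC2-40 before handing it to a TLS server.

# Constructed sample: `-info` text for an archive exported without -descert on OpenSSL 1.x.
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Constructed sample: the same archive re-exported with -descert.
SAMPLE_DESCERT='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# p12_bag_algs: read `-info` text on stdin, print "<bag kind>|<algorithm>" per encrypted bag.
p12_bag_algs() {
    sed -n -e 's/^PKCS7 Encrypted data: \([^,]*\),.*/cert|\1/p' \
           -e 's/^Shrouded Keybag: \([^,]*\),.*/key|\1/p'
}

# p12_verdict: read `-info` text on stdin and print a verdict.
# Returns 0 if no RC2-40 bag is present, 1 if one is, 2 if no bag lines were found.
p12_verdict() {
    algs=$(p12_bag_algs)
    case "$algs" in
        *40BitRC2*) echo "INCOMPATIBLE: RC2-40 in use; re-export with -descert"; return 1 ;;
        "")         echo "UNKNOWN: no encrypted bags found in input"; return 2 ;;
        *)          echo "OK: $(echo "$algs" | tr '\n' ' ')"; return 0 ;;
    esac
}

# check_p12 FILE: run openssl on a real archive. The archive password is taken from
# the P12_PASS environment variable (a name chosen for this example).
# The -info lines are written to stderr, hence the 2>&1.
check_p12() {
    openssl pkcs12 -info -noout -in "$1" -passin env:P12_PASS 2>&1 | p12_verdict
}
```

Typical use is `P12_PASS=... check_p12 output.pkcs12` right after the export step, before starting the listener.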

vi commented 6 months ago

Maybe it's also why I needed to update sample certificate to test TLS?

uuonda commented 6 months ago

Maybe. I'm not testing TLS. Why would I use test.pkcs12 when I have CA issued certificates?

vi commented 6 months ago

It's for quickly testing some TLS things without bothering to issue openssl commands or use an actual CA during development. For example, to connect to wss://127.0.0.1 from a https:// site in a browser (by temporarily approving the test certificate). ws://127.0.0.1 won't work, you need some TLS.

uuonda commented 6 months ago

Right. It's just that on many systems the openssl command from the docs or embedded help produces a pkcs12 archive incompatible with websocat. And the error message is not exactly descriptive.

Anyway, whoever else might have this problem should be able to find this solution on the issues page.

vi commented 6 months ago

I'll probably adjust the sample command line in the help and the document.