Score:-1

decode/encode openssl sess.pem file

es flag

I'm using openssl sess_id -in sess.pem -noout -text to decode the ssl session parameters in sess.pem file (which i got using sess_out) into human readable text. I wanted to know if there is a way to do the opposite i.e convert the text into sess.pem kind of format. Basically i just want to change a couple of parameters (session-id, master-key etc) inside the sess.pem file but can't seem to find the right command.

djdomi avatar
za flag
is it always the same, and why would you like to do it? [X-and-Y-Problem](https://faq-database.de/doku.php?id=en:x-and-y-problem)
mfghani avatar
es flag
i'm trying to pentest a custom ftps server. i had a hunch that it's not properly validating the session parameters when the user tries to connect to the data port after opening a passive connection.
es flag
Related: the MySQL client has a built-in command that allows to export such `sess.pem` file with the TLS settings: `ssl_session_data_print sess.pem`
Score:0
jp flag

There are no commands to manipulate or create a SSL_SESSION, but asn1parse -genconf can create an arbitrary ASN.1 structure in DER, which you could apply using the definition in source file ssl/ssl_asn1.c, and then convert to PEM with sess_id or just base64 plus manual header/trailer lines.

To do it in code, the API is documented in the usual way; do man -k SSL_SESSION on most Unix or Unix-like. If on Windows or some other badly installed/packaged system, go to https://www.openssl.org/docs/man1.1.1/man3/ and look under PEM_*SSL_SESSION and SSL_SESSION_*.

But even if some (custom) stack fails to verify saved parameters against the new hello, it basically must still use the saved parameters, so although this is at least arguably an RFC violation I don't see how it can be a vulnerability.

Score:0
es flag

Here is a follow-up to @dave_thompson_085's answer: you can use the PEM_read_SSL_SESSION and PEM_write_SSL_SESSION functions of the OpenSSL library to decode and re-encode the PEM file. SSL_SESSION_set1_master_key will allow you to tweak the master key.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.