[openssl-users] Openssl 1_1_0 compatibility question

david david at daku.org
Sat Sep 3 22:54:42 UTC 2016


In the home-grown application I have, data is encrypted on Windows 
clients and decrypted on Centos servers, all with OpenSSL, using a 
shared symmetric password.

My clients have been running OpenSSL versions 1.0.* with each new 
version being installed on Windows (using 
https://slproweb.com/download/Win64OpenSSL...) with no compatibility 
issues, EXCEPT when I switched from 1.0.2h to 1.1.0.

My servers are running whichever is supported by Centos systems -- 
currently 1.0.1e-fips.

My methods do the following, with my real values replaced by fixed 
values in this example:

On the client: Encrypt the value "abcde" with a password "123" with salt
   Windows command: echo abcde | openssl enc -salt -a -A -aes128 -pass pass:123

On the server: Decrypt the salted message with the password "123", 
and recover the value "1".
   Linux command: echo (the output of the above) | openssl enc -d 
-salt -a -A -aes128 -pass pass:123

When the ENCRYPTING software is 1_0_2h and the decrypting software is 
1_0_1e on Linux or 1_0_2h on Windows, the decryption successfully 
recovers the value "abcde".
When the encrypting software is 1_1_0 and the decrypting software is 
1_0_1e on Linux or 1_0_2h on Windows, it fails with the message:

bad decrypt
139701985818440:error:06065064:digital envelope 
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:596:

Or, in summary
When both the encrypting and decrypting software are both 1_1_0, or 
both 1_0_2(e..h), the decryption succeeded.  If the versions were 
different, it failed.

Is this a feature or a bug?  Is there some setting I should have different?

Thanks in advance


More information about the openssl-users mailing list