[openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?

Jakob Bohm jb-openssl at wisemo.com
Mon Nov 5 21:06:11 UTC 2018


On 03/11/2018 10:11, Hanno Böck wrote:
> On Sat, 3 Nov 2018 12:28:02 +0500
> Марк Коренберг <socketpair at gmail.com> wrote:
>
>> Try openssl cms ( as newer alternative to s/mime)
> cms is not newer than s/mime, it's the underlying message format of
> s/mime.
>
> According to this
> https://www.openssl.org/docs/man1.0.2/apps/openssl.html
> it only supports deprecated cipher modes (cbc, cfb, ofb, ecb) and has
> exactly the malleability vulnerability the original poster was asking
> about (including a wide variety of obscure and some insecure ciphers). I
> don't think this should be recommended.
>
For clarity, the "openssl smime" and "openssl cms" commands do
provide mostly complete cryptosystems and are used as the
S/MIME implementation for some respected e-mail clients that
also use the gpg command line for OpenPGP messages.

Also the "openssl smime" command (and underlying OpenSSL API)
has from time to time been described as superseded by the
"openssl cms" command (and API), though there are holes in the
backward compatibility.

Now the S/MIME and CMS encryption standard may suffer from lack
of integrity checks when not carefully combined with the signing
feature of that same crypto system.

There are other subcommands of the openssl command line utility
which are similarly respected high level operations rather than
the low level primitive operations also available such as "enc".

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
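
The integrity caveat in the message above, shown as an added example that is not part of the original post: the sender signs and then encrypts with "openssl cms", and the receiver accepts only data that decrypts and also verifies. The function names, file names, the CN and the sample message are constructed, and one throwaway self-signed certificate stands in for both signer and recipient.

```shell
#!/bin/sh
# Added example (not from the original message): sign-then-encrypt with
# "openssl cms"; the receiver rejects data that decrypts but is unsigned.
# File names, the CN and the sample message are constructed for this demo.
WORK=$(mktemp -d)

# Throwaway self-signed identity, used here as both signer and recipient.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# seal IN OUT: sign IN (signature embedded), then encrypt the signed blob.
seal() {
    openssl cms -sign -binary -nodetach -in "$1" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -outform PEM -out "$WORK/signed.pem" &&
    openssl cms -encrypt -binary -aes-256-cbc -in "$WORK/signed.pem" \
        -outform PEM -out "$2" "$WORK/cert.pem"
}

# encrypt_only IN OUT: the weak form, encryption with no signature inside.
encrypt_only() {
    openssl cms -encrypt -binary -aes-256-cbc -in "$1" \
        -outform PEM -out "$2" "$WORK/cert.pem"
}

# open_verified IN OUT: decrypt, then require a valid signature from the
# expected signer. Returns non-zero and writes no OUT otherwise.
open_verified() {
    rm -f "$2"
    openssl cms -decrypt -in "$1" -inform PEM -recip "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$WORK/inner.pem" 2>/dev/null || return 1
    openssl cms -verify -binary -in "$WORK/inner.pem" -inform PEM \
        -CAfile "$WORK/cert.pem" -out "$WORK/plain.tmp" 2>/dev/null || return 1
    mv "$WORK/plain.tmp" "$2"
}

# Demo run on a constructed message.
make_identity && printf 'constructed sample message\n' > "$WORK/msg.txt" &&
seal "$WORK/msg.txt" "$WORK/sealed.pem" &&
open_verified "$WORK/sealed.pem" "$WORK/out.txt" && echo "signed+encrypted: accepted"
encrypt_only "$WORK/msg.txt" "$WORK/weak.pem" &&
{ open_verified "$WORK/weak.pem" "$WORK/out2.txt" || echo "encrypt-only: rejected"; }
```

In real use the signer and recipient are separate identities, and the receiver's -CAfile holds the CA it trusts for the sender.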


