
If you mean the OpenSSL CLI, it's hard to think of a more footgun-y cryptographic tool than the one that:

* defaults to unauthenticated encryption

* buries its one authenticated mode

* requires explicit command-line nonces

* defaults to an MD5 KDF

You could probably keep going for another 10 bullets. Never use the OpenSSL CLI for anything other than TLS stuff.
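As an added illustration of the "MD5 KDF" bullet (example code, not from this thread or from the OpenSSL project): the legacy EVP_BytesToKey derivation that `openssl enc` performs without `-pbkdf2`, reimplemented beside the PBKDF2 path that `-pbkdf2` selects, run on a constructed `Salted__` blob. The `work_factor` helper and its one-HMAC-per-iteration approximation are my own; the block names and sizes assume AES-256-CBC.

```python
import hashlib
import math

SALTED_MAGIC = b"Salted__"  # `openssl enc` output: magic, 8-byte salt, then ciphertext


def parse_salted_blob(blob: bytes) -> tuple[bytes, bytes]:
    """Split `openssl enc` output into (salt, ciphertext); reject anything without the magic."""
    if len(blob) < 16 or blob[:8] != SALTED_MAGIC:
        raise ValueError("not a Salted__ blob")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5") -> tuple[bytes, bytes]:
    """Legacy EVP_BytesToKey (count=1): what `openssl enc` does without -pbkdf2.
    Old releases hash with MD5; newer ones default to SHA-256, still with no
    iteration count, so one guess costs one hash call per digest-sized block.
    Block i = digest(block_{i-1} || password || salt); output = key || iv."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int, iv_len: int,
                  iterations: int = 10000, digest: str = "sha256") -> tuple[bytes, bytes]:
    """What `openssl enc -pbkdf2 -iter N` does: one PBKDF2-HMAC output of
    key_len + iv_len bytes, split into key || iv (defaults: 10000 iterations, SHA-256)."""
    dk = hashlib.pbkdf2_hmac(digest, password, salt, iterations, key_len + iv_len)
    return dk[:key_len], dk[key_len:]


def work_factor(key_len: int, iv_len: int, iterations: int = 10000) -> tuple[int, int]:
    """Rough cost of testing ONE password guess: (legacy MD5 calls, PBKDF2 HMAC calls).
    Approximation (mine): PBKDF2 needs one HMAC per iteration per SHA-256 output block."""
    legacy = math.ceil((key_len + iv_len) / 16)
    pbkdf2 = math.ceil((key_len + iv_len) / 32) * iterations
    return legacy, pbkdf2


if __name__ == "__main__":
    # Constructed sample: a fake Salted__ header; the "ciphertext" is filler, not real output.
    salt, _ct = parse_salted_blob(SALTED_MAGIC + bytes(range(8)) + b"\x00" * 32)
    pw = b"hunter2"
    legacy_key, legacy_iv = evp_bytes_to_key(pw, salt, 32, 16)   # AES-256-CBC sizes
    strong_key, strong_iv = pbkdf2_key_iv(pw, salt, 32, 16)
    print("legacy key:", legacy_key.hex(), "iv:", legacy_iv.hex())
    print("pbkdf2 key:", strong_key.hex(), "iv:", strong_iv.hex())
    print("calls per guess (legacy, pbkdf2):", work_factor(32, 16))
    # Neither path yields a MAC key: `openssl enc` output is unauthenticated either way.
```

The work-factor gap is the point: with the legacy derivation a password guess is three MD5 calls, so the salt only prevents precomputation, it does not slow the guessing.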



You can use ssh-keygen for signing and verifying signatures.

You can also use age[1] to encrypt payloads targeting ssh public keys. And decrypt using ssh private keys.

[1] <https://github.com/FiloSottile/age>


Yeah, the OpenSSL CLI sucks. So what's to be done?

Sure, we can build a 25519-specific tool with a less footgun-y interface. Fine, whatever, for that one use case.

Or we can build an alternative OpenSSL CLI that explodes OpenSSL and its numerous useful features in a general way and helps fix lots of use cases.


Nothing is to be done. Just don't use the OpenSSL CLI. It's a deeply cursed concept for a tool!


A command-line cryptography Swiss army knife is useful though. If not openssl, then what?


It's useful as a toy and a learning tool, but for nothing else. For those two things, OpenSSL is fine as it is.


Are you confusing the OpenSSL library with the CLI? Absolutely none of this is true when used as a signing tool on the CLI. Seems like you just needed to rant, rather than answer my question. Which is fine: I do it too, but I was legitimately asking a question that you ignored, and you seem to know about OpenSSL?



