I'm sorry for confusing you. Here is the command to use:

openssl enc -aes-256-cbc -d -md md5 -in hello.en -out hello -k garystest

Tomas Mraz, OpenSSL

On Mon, 2023-04-03 at 10:17 -0700, Gary Li wrote:
> Tomas,
> Thank you for the suggestion, it still is not working for me. Here
> are my steps (you might see what I did wrong):
>
> Encrypt:
> $ more hello
> Hello World!
> $ openssl version -a
> OpenSSL 1.0.2k-fips 26 Jan 2017
> built on: reproducible build, date unspecified
> platform: linux-x86_64
> options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
> idea(int) blowfish(idx)
> compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -
> DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -
> m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -
> fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -
> grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -
> DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -
> DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -
> DGHASH_ASM -DECP_NISTZ256_ASM
> OPENSSLDIR: "/etc/pki/tls"
> engines: rdrand dynamic
> $ openssl enc -aes-256-cbc -in hello -out hello.en -k garystest
>
> Decrypt:
> $ openssl version -a
> OpenSSL 1.1.1t 7 Feb 2023
> built on: Thu Mar 30 22:02:29 2023 UTC
> platform: linux-x86_64
> options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -
> DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -
> DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -
> DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -
> DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -
> DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
> OPENSSLDIR: "/usr/local/ssl/ssl"
> ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
> Seeding source: os-specific
> $ openssl enc -aes-256-cbc -d -md sha256 -in hello.en -out hello.de -
> k garystest
> *** WARNING : deprecated key derivation used.
> Using -iter or -pbkdf2 would be better.
> bad decrypt
> 139817593476416:error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:612:
> $ openssl enc -aes-256-cbc -d -md sha256 -nopad -in hello.en -out
> hello.de -k garystest
> *** WARNING : deprecated key derivation used.
> Using -iter or -pbkdf2 would be better.
> more hello.en
> Salted__z▒▒0>
> ▒ K▒▒>▒▒▒
> $ openssl enc -aes-256-cbc -d -md sha256 -nopad -iter 10000 -in
> hello.en -out hello.de -k garystest
> $ more hello.en
> Salted__z▒▒0>
> ▒ K▒▒>▒▒▒
>
> On Mon, Apr 3, 2023 at 8:44 AM Tomas Mraz <tomas@xxxxxxxxxxx> wrote:
> > As written in the openssl-enc manual page the default digest for
> > hashing the password was changed from MD5 to SHA256 in OpenSSL-
> > 1.1.0.
> >
> > You need to use -md sha256 option with the enc tool on 1.1.1 to
> > decrypt
> > files from the 1.0.2 version.
> >
> > Tomas Mraz, OpenSSL
> >
> > On Mon, 2023-04-03 at 07:03 -0700, Gary Li wrote:
> > > Yes, with Openssl enc tool to decrypt on Ubuntu 20.04, encrypted
> > > on
> > > CentOS 7.
> > >
> > > On Sun, Apr 2, 2023, 11:11 PM Tomas Mraz <tomas@xxxxxxxxxxx>
> > > wrote:
> > > > Hello,
> > > >
> > > > is that with the openssl enc tool? Or something else?
> > > >
> > > > Tomas Mraz, OpenSSL
> > > >
> > > > On Fri, 2023-03-31 at 16:27 -0700, Gary Li wrote:
> > > > > HI there,
> > > > > I have files in products that are generated by Openssl
> > > > > 1.0.2k-
> > > > > fips,
> > > > > but my new development system under Ubuntu 20.04 does not
> > > > > support
> > > > > this old version, and I cannot decrypt these files with
> > > > > version
> > > > > OpenSSL 1.1.1f or 1.1.1t.
> > > > > Decryption did not have warning or error messages but the
> > > > > contents
> > > > > were wrong.
> > > > > Are there any known solutions to this issue?
> > > > >
> > > > > Thank you in advance,
> > > > >
> > > > > Gary

--
Tomáš Mráz, OpenSSL
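Why the digest choice decides whether the file decrypts, as an added example that is not part of the original thread or of OpenSSL's code: the `enc` tool's legacy password derivation (EVP_BytesToKey with one iteration) hashes the password together with the salt stored after the `Salted__` header, so `-md md5` and `-md sha256` produce different AES keys and IVs from the same password. The function names and the sample salt below are illustrative assumptions.

```python
import hashlib

MAGIC = b"Salted__"  # header `openssl enc` writes before the 8-byte salt


def parse_salted(blob):
    """Split an `openssl enc` output file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no Salted__ header: file was not salted by openssl enc")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, digest, key_len=32, iv_len=16):
    """Legacy derivation: D_i = H(D_{i-1} || password || salt), one round each."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]


def derive_candidates(blob, password):
    """Key/IV for AES-256-CBC under both digests discussed in the thread."""
    salt, _ = parse_salted(blob)
    return {d: evp_bytes_to_key(password, salt, d) for d in ("md5", "sha256")}


# Constructed sample: header + made-up salt + one dummy ciphertext block.
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(16)

if __name__ == "__main__":
    for digest, (key, iv) in derive_candidates(SAMPLE, b"garystest").items():
        print(f"-md {digest:<6} key={key.hex()} iv={iv.hex()}")
```

Decrypting with the key from the wrong digest either fails the padding check ("bad decrypt") or, with `-nopad`, silently yields garbage.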