@tothi
Last active September 4, 2023 12:51
/etc/ssl/openssl.cnf supporting legacy digests like MD4 (useful for offensive tools requiring NTLM support)

This is a minimal /etc/ssl/openssl.cnf that enables legacy algorithms on modern OpenSSL installations, where they are disabled by default.

The marked (######) lines should be added to your openssl.cnf; the other parts may stay unchanged.

To check whether the legacy provider has been enabled successfully:

$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.7
    status: active

Or check directly whether e.g. MD4 works:

$ echo test | openssl dgst -md4
MD4(stdin)= 36d729ab4ff7260da6fb010ef5747bb3

In Python (calculating an NTLM hash):

$ python -c 'import hashlib; print(hashlib.new("md4", "P@ssw0rd!".encode("utf-16le")).hexdigest())'
217e50203a5aba59cefa863c724bf61b

Python's hashlib gets MD4 from OpenSSL, so OpenSSL MD4 is mandatory for (Python) offensive tools using NTLM.

openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect ######
[default_sect]
activate = 1
[legacy_sect] ######
activate = 1 ######
@chvancooten

Thanks for this! Small addition, I needed to do this programmatically and the openssl.cnf config file can be quite big. Here's a one-liner:

sed -i '/^default = default_sect/a legacy = legacy_sect\n\n[legacy_sect]\nactivate=1\n' /etc/ssl/openssl.cnf

@OscarVanL

OscarVanL commented Sep 4, 2023

I also wanted to programmatically change this config (in a dockerfile), but in the latest Debian bookworm running OpenSSL 3.0.9 the default config looks a little different to what @chvancooten's sed statement expected, meaning the sed command won't fix the config to enable legacy mode.

Instead of using the brittle sed string replacement, it's better to extend the default config (inspired by this).

Create a new file openssl-legacy.cnf and set the contents of the file to extend the default openssl config:

# Extend the default debian openssl config
.include = /etc/ssl/openssl.cnf

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

Set the env var OPENSSL_CONF=<path-to-file>/openssl-legacy.cnf to override the default OpenSSL config to use your extended config.

In your dockerfile you can then

COPY <LOCAL>/openssl-legacy.cnf <PATH>/
ENV OPENSSL_CONF=<PATH>/openssl-legacy.cnf
RUN openssl list -providers | grep legacy

The last RUN line requires that the legacy openssl provider be enabled for the dockerfile build to continue.
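An added example (my code, not OscarVanL's) that scripts the same approach in Python instead of a Dockerfile: it renders the extending config, writes it to a path of your choosing, and then parses `openssl list -providers` run under `OPENSSL_CONF` to confirm the legacy provider reports `status: active`. The base path `/etc/ssl/openssl.cnf` and the function names are assumptions; the sample output embedded for the parser is a constructed copy of the `openssl list -providers` output shown in the gist.

```python
"""Extend the system openssl.cnf with the legacy provider and verify it is active."""
import os
import shutil
import subprocess

# Template mirrors the extending config from the comment above; base path is an assumption.
LEGACY_CNF_TEMPLATE = """\
# Extend the distribution's default openssl config instead of editing it in place
.include = {base}

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
"""

# Constructed sample, copied from the `openssl list -providers` output shown in the gist.
SAMPLE_PROVIDERS_OUTPUT = """\
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.7
    status: active
"""


def render_legacy_cnf(base_cnf: str = "/etc/ssl/openssl.cnf") -> str:
    return LEGACY_CNF_TEMPLATE.format(base=base_cnf)


def write_legacy_cnf(dest_path: str, base_cnf: str = "/etc/ssl/openssl.cnf") -> str:
    """Write the extending config; point OPENSSL_CONF at the returned path."""
    with open(dest_path, "w", encoding="utf-8") as fh:
        fh.write(render_legacy_cnf(base_cnf))
    return dest_path


def parse_providers(output: str) -> list:
    """Return the names of providers whose status line reads 'active'."""
    active, current = [], None
    for line in output.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if not stripped or indent == 0:  # blank line or the "Providers:" header
            continue
        if indent == 2:                  # provider name line
            current = stripped
        elif stripped == "status: active" and current:
            active.append(current)
    return active


def active_providers(conf_path: str = None) -> list:
    """Run `openssl list -providers` (under OPENSSL_CONF if given); [] if openssl is missing or fails."""
    if shutil.which("openssl") is None:
        return []
    env = dict(os.environ)
    if conf_path:
        env["OPENSSL_CONF"] = conf_path
    proc = subprocess.run(["openssl", "list", "-providers"], capture_output=True, text=True, env=env)
    return parse_providers(proc.stdout) if proc.returncode == 0 else []


def legacy_provider_active(conf_path: str = None) -> bool:
    return "legacy" in active_providers(conf_path)


if __name__ == "__main__":
    import tempfile
    path = write_legacy_cnf(os.path.join(tempfile.mkdtemp(), "openssl-legacy.cnf"))
    print("legacy active with", path, "->", legacy_provider_active(path))
```

The parser keys on `status: active` rather than just grepping for the word `legacy`, so a config that names the provider but fails to load its module (missing `legacy.so`) is reported as not active instead of passing the check.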
