Aes256 | C++ library for AES 256 bit encryptation and decriptation | Encryption library

Usually (and for .NET by default, for ECB and CBC, with CBC being the default) PKCS#7 compatible padding is used. In that case the result of a wrong key is a fully randomized final plaintext block. The chance of correct padding is about one in 2^256 for a single padding byte (the next ones are less and less likely, 1 in 65536 etc, so they are relatively inconsequential). Some unpadding routines will (incorrectly) only check the last byte, in which case the chance is 16 out of 256, or 1 out of 16.

For PKCS#7, the padding is always added. This makes sense because the decryption routine doesn't know the length, and the (binary) message may end with padding bytes by chance - as already established. So you'd have 16 bytes values 0x10. As unpadding is still used, the chance of creating a valid padding is of course still 1 in 256, as the unpadding routine doesn't know the padding used.

To get around issues with the padding you need an authentication tag. That tag can be generated by using a HMAC over the ciphertext while including the IV if that can be altered by an attacker. You could also use GCM mode, which has been added to .NET not too long ago (i.e. very, very late), which is both more efficient as less error prone (you don't have to explicitly include the IV and verification is more or less a given).

Note that the result of unpadding can also be used for padding oracle attacks, which are a type of plaintext oracle attack created by just having availability of a decrypt routine. These attacks can fully retrieve the plaintext by performing average 128 decryption ops per byte.

Unfortunately I can't provide you with a fix, but I've found a workaround for that exact same problem (company-hosted bitbucket resulting in exact same error). I also don't know exactly why the problem occurs, but my best guess would be that the libressl library shipped with Monterey has some sort of problem with specific (?TLSv1.3) certs. This guess is because the brew-installed openssl v1.1 and v3 don't throw that error when executed with /opt/homebrew/opt/openssl/bin/openssl s_client -connect ...:443

To get around that error, I've built git from source built against different openssl and curl implementations:

1. install autoconf, openssl and curl with brew (I think you can select the openssl lib you like, i.e. v1.1 or v3, I chose v3)
2. clone git version you like, i.e. git clone --branch v2.33.1 https://github.com/git/git.git
3. cd git
4. make configure (that is why autoconf is needed)
5. execute LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib -L/opt/homebrew/opt/curl/lib" CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include -I/opt/homebrew/opt/curl/include" ./configure --prefix=$HOME/git (here LDFLAGS and CPPFLAGS include the libs git will be built against, the right flags are emitted by brew on install success of curl and openssl; --prefix is the install directory of git, defaults to /usr/local but can be changed)
6. make install
7. ensure to add the install directory's subfolder /bin to the front of your $PATH to "override" the default git shipped by Monterey
8. restart terminal
9. check that git version shows the new version

This should help for now, but as I already said, this is only a workaround, hopefully Apple fixes their libressl fork ASAP.

It would probably be simplest to use third-party applications such as RadeonRAMDisk to emulate disk operations in-memory, but you stated you prefer not to. Another possibility is to extend PyFilesystem to allow encrypted zip-file operations on a memory filesystem.

The gpg PIN entry is handled by an external program or device, so there is no universal mean to control the prompt of a PIN, unless you force gpg into batch mode, and force PIN entry to loop back to the caller script, so you have full control of it.

Note that this is of questionable security, because while taking control of the pin entry, you are also responsible for all the security, and a shell script is the least secure environment to handle secret data like a PIN.

Here it is how you would control the PIN prompt.
(Know the security concerns before using this):

Please, be aware that the cipher suites described in your debug output doesn't show the cipher suite that was actually used by openssl, ECDHE-RSA-AES256-GCM-SHA384. In fact, they don't include any cipher suite that requires AES 256. It may not be of relevance, but it may be a symptom of any misconfiguration, and can explain why the handshake is failing. As indicated in the Oracle documentation when describing Java 8 supported cipher suites:

Cipher suites that use AES_256 require installation of the JCE Unlimited Strength Jurisdiction Policy Files.

As a consequence, please, be sure you installed and properly configured the JCE Unlimited Strength Jurisdiction Policy Files.

As indicated by @dave_thompson_085 in his excellent comment, only Oracle Java 8 below 8u161 requires adding the unlimited policy, as stated in Appendix C of the aforementioned Oracle documentation.

The JCE Unlimited Strength Jurisdiction Policy Files are bundled into the JDK since JDK 8u151, but the unlimited policy was not defined as the default one since JDK 8u161.

In JDK 8u151 or 8u152, as stated in one of the previous cited links, and explained as well by @dave_thompson_085 - thank you very much again, in order to make the unlimited version of the JCE the one that should be used, you need to define the system property crypto.policy. From the docs:

This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy Security property. If the new Security property (crypto.policy) is set in the java.security file, or has been set dynamically by using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'. See the notes in the java.security file shipping with this release for more information.

The issue is not present in OpenJDK.

As an alternative solution, as suggested in this related SO question, probably using an alternate provider like BouncyCastle could be of help as well.

i wanted to post a quick update for anybody that is having the same issue, i opened a similiar question on the microsoft q&a site and looks like it's an issue on the azure side that they are working on fixing for GA Microsoft Q&A

Version 3.3.10 is based on Amazon Linux 2 (AL2), however all your settings are for AL1 which do not work in the new version.

To property setup your httpd in EB based on AL2 you have to use .platform folder, not .ebextentions. All details are in AWS Docs under Reverse proxy configuration and Configuring Apache HTTPD sections.

Following my comments: you cannot view an encrypted var inside a playbook with the technique proposed in the documentation, for memory:

I do not know your network/proxy setup, so I cannot really explain the behaviour of FTPClient. Your server seems to return IP address of the proxy in the PASV response. The default NAT resolver of FTPClient decides that the address is wrong (is it a local network host address?) and choses to use original FTP server's address instead.

While WinSCP does not do that and connects to the IP that the server returned.

To avoid the NAT resolver from messing with the address, use FTPClient.setPassiveNatWorkaround (though that's deprecated):