OpenSSL Introduction, Tutorials, and Resources

OpenSSL is a software library that implements the SSL (secure sockets layer) and TLS (transport layer security) web security protocols.

SSL and TLS are methods for using cryptography to secure communication between two parties. Although there are some important differences at a technical level (and SSL has largely been made obsolete in favor of the more secure TLS), they both work essentially the same way. (In fact, many people simply refer to both protocols as "SSL.")

The following description of how SSL/TLS works is very simplified, but it gives you a basic understanding of what is going on:

  • Once a connection is made between a client and server, the client requests a secure connection, along with information about what types of cryptographic security the client supports.
  • The server chooses the most secure option that both the server and client support, and then sends a security certificate signed with the server's public key.
  • The client verifies the certificate and generates a secret key to send to the server, encrypted with the server's public key.
  • The client and server use the secret key to generate a pair of symmetric keys (or two pairs of public-private keys), and communication commences securely.

SSL/TLS is not a piece of software or a technology — it is a protocol, a procedure for accomplishing the above series of steps, along with specific cryptographic algorithms. A piece of software (an "implementation") is needed to implement the protocol.

OpenSSL is the most popular SSL/TLS implementation currently in use.

OpenSSL Tutorials

OpenSSL Tools

  • The openssl library source code is available from the official GitHub repository.
  • Openssl-tools is a set of shell scripts for making openssl easier to use.
  • SSL Checker can help you diagnose problems with your OpenSSL installation. Just enter a domain name, and the tool provides details on the associated certificate.
  • OpenSSL CSR Tool will auto-generate a custom CSR (certificate signing request) based on your input parameters.
  • Win32 OpenSSL is a distribution of OpenSSL designed to be easy to install on Windows machines.
  • CSR Decoder will check your CSR (certificate signing request), decode the details, and provide a report to you of the CSR's contents.

OpenSSL Community

  • Network Security with OpenSSL (2002), by Viega, Messier, and Chandra, is the definitive text on OpenSSL. It is a little out of date now, but the basic information is still relevant.
  • Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications (2014), by Ivan Ristic, is a very complete guide to server security, covering SSL and related tools in depth. OpenSSL, and alternative SSL options, are explored.
  • Apache: The Definitive Guide (2002), by Laurie and Laurie, is not specifically about OpenSSL, but about Apache webserver administration in general. There is excellent coverage on security here, placed in context of the whole task of systems administration. That material is particularly relevant, as one of the coauthors is a core contributor to the OpenSSL project.
  • Implementing SSL / TLS Using Cryptography and PKI (2011), by Joshua Davies, is a "must-read" for those who want an in-depth understanding of how SSL and OpenSSL really work on a fundamental level.
  • SSL and TLS: Designing and Building Secure Systems (2000), by Eric Rescorla, is a highly technical look at SSL and TLS, with information about the strengths, weaknesses, approaches to implementations, and practical use in system engineering. OpenSSL, and several other SSL tools, are covered in detail.

Alternatives to OpenSSL

OpenSSL is one of the most popular SSL/TLS libraries for server-side web security, and it serves as the default "reference implementation" for the SSL protocol. But it isn't the only option available.

  • LibreSSL is a fork of OpenSSL with the goals of "modernizing the codebase, improving security, and applying best practice development processes."
  • NSS is a set of security libraries from Mozilla. They are used in the Firefox and Chrome browsers, as well as by Red Hat and AOL. NSS works well with the Apache server.
  • BoringSSL is Google's fork of OpenSSL. It is available for public use under an open source license, but there is no guarantee of API stability as it is not built with consumers in mind.
  • S2n is Amazon's implementation of just the TLS security library from the OpenSSL project, excluding all the additional crypto tools.
  • GnuTLS is an SSL/TLS library from the GNU project.

How to stay secure with OpenSSL

The most important thing to know about OpenSSL is that it isn't perfect, and never will be. That is the case with any software project, especially one dealing with cryptographic security.

The one thing that you can do to best ensure your websites are safe is to keep your OpenSSL installation up to date. Subscribe to the OpenSSL newslog, and be sure to upgrade anytime there is a new release.

If you don't think you have the resources or wherewithal to keep your OpenSSL installation up to date, consider using a managed hosting service where these concerns are taken care of for you.
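A small helper for the "keep it up to date" advice above, added here as an example rather than taken from the OpenSSL project: it parses OpenSSL version strings (both the 1.x letter-suffixed scheme, e.g. 1.1.1k, and the 3.x numeric scheme) into comparable tuples, compares them against a minimum you choose, and reports which OpenSSL the running Python interpreter is linked against. The minimum version used below is an assumed example, not a recommendation from the page.

```python
import re
import ssl

# Matches strings such as "OpenSSL 1.1.1k  25 Mar 2021" or
# "OpenSSL 3.0.13 30 Jan 2024" (the format printed by `openssl version`
# and exposed by ssl.OPENSSL_VERSION).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter_level) for an OpenSSL version string.

    OpenSSL 1.x marked patch releases with a trailing letter (1.0.2u),
    while 3.x uses plain major.minor.patch, so the letter suffix is
    folded into a numeric fourth component to keep tuples comparable.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch, letters = m.groups()
    level = 0
    for ch in letters:  # 'a' -> 1, 'z' -> 26, 'za' -> 677, ...
        level = level * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(patch), level)


def meets_minimum(text, minimum="OpenSSL 3.0.0"):
    """True if the given version string is at least the assumed minimum."""
    return parse_openssl_version(text) >= parse_openssl_version(minimum)


def runtime_report(minimum="OpenSSL 3.0.0"):
    """Describe the OpenSSL this interpreter was built against."""
    return {
        "version": ssl.OPENSSL_VERSION,
        "tls13_available": ssl.HAS_TLSv1_3,
        "meets_minimum": meets_minimum(ssl.OPENSSL_VERSION, minimum),
    }


if __name__ == "__main__":
    print(runtime_report())
```

Note that distribution packages often backport security fixes without bumping the upstream version number, so a version-string check is a first screen, not proof that a host is unpatched; check the distribution's package version and advisories as well.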
