Last updated: February 19, 2019
OpenSSL: Here’s What You Need To Know About SSL and TLS Now.
OpenSSL is a software library that implements the SSL (secure sockets layer) and TLS (transport layer security) web security protocols.
SSL and TLS are methods for using cryptography to secure communication between two parties. Although there are some important differences at a technical level (and SSL has largely been made obsolete in favor of the more secure TLS), they both work essentially the same way. (In fact, many people simply refer to both protocols as “SSL.”)
The following description of how SSL/TLS works is very simplified, but it gives you a basic understanding of what is going on:
- Once a connection is made between a client and a server, the client requests a secure connection and tells the server which types of cryptographic security it supports.
- The server chooses the most secure option that both the server and client support, and then sends a security certificate signed with the server’s public key.
- The client verifies the certificate and generates a secret key to send to the server, encrypted with the server’s public key.
- The client and server use the secret key to generate a pair of symmetric keys (or two pairs of public-private keys), and communication commences securely.
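The last step above is where the secret becomes the symmetric keys that protect the session. The following is an added example (not code from the page or from the OpenSSL project) that works it through for TLS 1.2 as specified in RFC 5246: the PRF built from HMAC-SHA256, the master secret derived from the pre-master secret and both sides' random values, and the key block split into client and server write keys. The randoms and pre-master secret are constructed sample values; a TLS library such as OpenSSL performs this derivation internally during the handshake.

```python
# TLS 1.2 key schedule (RFC 5246, sections 5 and 6.3) in pure Python.
# Every value below is a constructed sample, not captured traffic.
import hashlib
import hmac


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256(secret, label + seed): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    seed = label + seed
    out = b""
    a = seed                                                   # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()       # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 0, key_len: int = 16, iv_len: int = 4) -> dict:
    """Master secret, then the key block split in RFC 5246 order.
    Defaults fit AES-128-GCM (no MAC key, 16-byte key, 4-byte fixed IV);
    for AES-128-CBC-SHA in TLS 1.2 use mac_len=20, key_len=16, iv_len=0."""
    master = tls12_prf(pre_master, b"master secret",
                       client_random + server_random, 48)
    # Note the reversed random order for key expansion, as the RFC specifies.
    block = tls12_prf(master, b"key expansion", server_random + client_random,
                      2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key",
             "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {"master_secret": master}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# Constructed sample values; a real client draws these from os.urandom.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(46)   # RSA pre-master: version + 46 bytes


def both_sides_agree() -> bool:
    """Client and server each run the schedule on the same inputs."""
    return (derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
            == derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM))


if __name__ == "__main__":
    for name, val in derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:14} {val.hex()}")
```

Because both randoms feed the PRF, changing either one (as an attacker replaying an old handshake would have to) yields an entirely different key block.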
SSL/TLS is not a piece of software or a technology — it is a protocol, a procedure for accomplishing the above series of steps, along with specific cryptographic algorithms. A piece of software (an “implementation”) is needed to implement the protocol.
OpenSSL is the most popular SSL/TLS implementation currently in use.
- An Introduction to the OpenSSL Command Line Tool is an excellent tutorial that covers both the theory behind public key cryptography and the practical use of OpenSSL.
- OpenSSL Introduction from Ubuntu provides an overview of SSL technology in general and the OpenSSL implementation in particular. While geared for Ubuntu users, most of the information here would be helpful for people on any Linux distribution.
- OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs is a great overview of the theory and practice of OpenSSL, aimed at web hosting consumers. Some of the information is specific to Digital Ocean customers, but most of it will be helpful to anyone using a Linux web hosting plan.
- OpenSSL Command-Line HOWTO is a series of cook-book style recipes for using OpenSSL.
- OpenSSL Cookbook is a free two-chapter e-book that covers the most frequently used features and commands of openssl. It is excerpted from the full-length book Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications (2014), by Ivan Ristic.
- Secure programming with the OpenSSL API is a very detailed programming tutorial, explaining how to incorporate SSL encryption into C applications using the OpenSSL library.
- Using Borland C++ Builder and OpenSSL walks through building a simple HTTPS client.
- Configuring & Using OpenSSL Tools is a brief tutorial on using the openssl tool at the command line.
- OpenSSL Tutorial for Apache Rampart/C is a detailed technical tutorial on the library, for Apache webserver users on Linux.
- The openssl library source code is available from the official GitHub repository.
- Openssl-tools is a set of shell scripts for making openssl easier to use.
- SSL Checker can help you diagnose problems with your OpenSSL installation. Just enter a domain name, and the tool provides details on the associated certificate.
- OpenSSL CSR Tool will auto-generate a custom CSR (certificate signing request) based on your input parameters.
- Win32 OpenSSL is a distribution of OpenSSL designed to be easy to install on Windows machines.
- CSR Decoder will check your CSR (certificate signing request), decode the details, and provide a report to you of the CSR’s contents.
- OpenSSL.org is the official homepage for the OpenSSL toolkit.
- OpenSSL Software Services Inc is the corporate sponsor of the OpenSSL project.
Books on OpenSSL and Related Topics
- Network Security with OpenSSL (2002), by Viega, Messier, and Chandra, is the definitive text on OpenSSL. It is a little out of date now, but the basic information is still relevant.
- Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications (2014), by Ivan Ristic, is a very complete guide to server security, covering SSL and related tools in depth. OpenSSL, and alternative SSL options, are explored.
- Apache: The Definitive Guide (2002), by Laurie and Laurie, is not specifically about OpenSSL, but about Apache webserver administration in general. There is excellent coverage of security here, placed in the context of the whole task of systems administration. That material is particularly relevant, as one of the coauthors is a core contributor to the OpenSSL project.
- Implementing SSL / TLS Using Cryptography and PKI (2011), by Joshua Davies, is a “must-read” for those who want an in-depth understanding of how SSL and OpenSSL really work at a fundamental level.
- SSL and TLS: Designing and Building Secure Systems (2000), by Eric Rescorla, is a highly technical look at SSL and TLS, with information about the strengths, weaknesses, approaches to implementations, and practical use in system engineering. OpenSSL, and several other SSL tools, are covered in detail.
Alternatives to OpenSSL
OpenSSL is one of the most popular SSL/TLS libraries for server-side web security, and it serves as the default “reference implementation” for the SSL protocol. But it isn’t the only option available.
- LibreSSL is a fork of OpenSSL with the goals of “modernizing the codebase, improving security, and applying best practice development processes.”
- NSS is a set of security libraries from Mozilla. They are used in the Firefox and Chrome browsers, as well as by Red Hat and AOL. NSS works well with the Apache server.
- BoringSSL is Google’s fork of OpenSSL. It is available for public use under an open source license, but there is no guarantee of API stability as it is not built with consumers in mind.
- S2n is Amazon’s implementation of just the TLS security library from the OpenSSL project, excluding all the additional crypto tools.
- GnuTLS is an SSL/TLS library from the GNU project.
How to stay secure with OpenSSL
The most important thing to know about OpenSSL is that it isn’t perfect, and never will be. That is the case with any software project, especially one dealing with cryptographic security.
The one thing that you can do to best ensure your websites are safe is to keep your OpenSSL installation up to date. Subscribe to the OpenSSL newslog, and be sure to upgrade anytime there is a new release.
If you don’t think you have the resources or wherewithal to keep your OpenSSL installation up to date, consider using a managed hosting service where these concerns are taken care of for you.
Further Reading and Resources
We have more guides, tutorials, and infographics related to programming and computer use:
- SOAP Introduction and Resources: learn all about this important messaging protocol.
- OAuth Resources: this resource explains how OAuth allows different computer applications to communicate with each other.
Unix Programming Resources
There are a lot of aspects of computer programming, and we have a great place for you to start learning: Unix Programming Resources.