WhatIs.com

OpenSSL

By Robert Sheldon

What is OpenSSL?

OpenSSL is an open source cryptographic toolkit that facilitates secure communications between endpoints on a network. The toolkit includes three core components: the libcrypto library, the libssl library and a command-line utility for performing cryptographic tasks.

The libcrypto library

This library provides a variety of application programming interfaces for performing general-purpose cryptography. It also enables access to a wide range of cryptographic algorithms used in different internet standards. The library supports various types of general-purpose cryptographic functionality, including symmetric encryption, certificate handling, public key cryptography, pseudo-random number generation and cryptographic hash functions.

The libssl library

This library includes the functions necessary to facilitate secure peer-to-peer communications. The library depends on the libcrypto library, using many of its capabilities. The libssl library provides implementations of multiple secure network communication protocols, including the Transport Layer Security (TLS) protocol, which is the widely used successor to Secure Sockets Layer (SSL). The libssl library still supports SSL version 3, but only as a compile-time option. In addition, the library provides implementations of the Datagram TLS (DTLS) protocol and the Quick UDP Internet Connections (QUIC) protocol, a newer transport protocol developed by Google.

The command-line utility

The command-line utility, openssl, performs an assortment of cryptographic tasks. For example, users can create key parameters, generate X.509 certificates, calculate message digests, encrypt or decrypt files, and generate certificate signing requests or certificate revocation lists. Users can also run TLS and DTLS client and server tests, as well as QUIC client tests.

To view a list of available openssl commands, users can enter openssl -help at a command prompt on a system where the OpenSSL toolkit is installed. They can also see which version of OpenSSL is installed by entering the command openssl version -a. Because the command includes the -a switch, it will return the version details as well as the directories where certificates, private keys, configuration files and other types of files are stored.

According to the research report titled "Global State of Exposure: OpenSSL Vulnerabilities" from Bitsight, a cybersecurity ratings company, two-thirds of the world's web servers now use OpenSSL. Although most of the OpenSSL components are written in C, wrappers are available for a variety of other computer languages, enabling them to access the OpenSSL libraries.

The OpenSSL Project is responsible for developing and maintaining OpenSSL, which is distributed under the Apache v2 license. However, this license applies only to OpenSSL 3.0 or later. Prior versions are licensed under the dual OpenSSL and SSLeay licenses, in which the conditions of both licenses apply. The latest version of OpenSSL is 3.2.1, which was released on Jan. 30, 2024.

OpenSSL providers

OpenSSL makes extensive use of providers in facilitating access to algorithm implementations. A provider is essentially a container that holds multiple algorithm implementations, although there's one type of provider that contains no algorithms. The OpenSSL distribution includes the following five core providers:

To use a specific algorithm in OpenSSL, at least one provider must be loaded that contains an implementation of that algorithm. If a provider isn't specified, OpenSSL automatically loads the default provider. Users can also obtain providers from third-party sources. Third-party providers come in the form of loadable modules, which typically have the file extension .so or .dll, depending on the platform.
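An added example, not from the original article or the OpenSSL Project: a shell script that summarizes the openssl version -a output described earlier, maps the version to its license, and lists the loadable .so or .dll modules in the reported module directory. The sample output, the --live flag and the function names are constructed for this example; MODULESDIR is the module directory line that OpenSSL 3.x prints.

```shell
#!/bin/sh
# Added example: summarize `openssl version -a` output for an inventory check.

# Constructed sample output (not captured from a real host).
sample_version_output() {
cat <<'EOF'
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
built on: Tue Jan 30 12:00:00 2024 UTC
platform: linux-x86_64
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-3"
MODULESDIR: "/usr/local/lib64/ossl-modules"
EOF
}

# Version string from the first line, e.g. "3.2.1" or "1.1.1w".
ossl_version() { awk 'NR == 1 { print $2; exit }'; }

# Value of a quoted `NAME: "value"` line, e.g. OPENSSLDIR or MODULESDIR.
ossl_field() { awk -F'"' -v k="$1: " 'index($0, k) == 1 { print $2; exit }'; }

# License by major version: Apache v2 applies only to OpenSSL 3.0 or later.
ossl_license() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) echo "unknown" ;;
        *) if [ "$major" -ge 3 ]; then echo "Apache-2.0"; else echo "OpenSSL+SSLeay"; fi ;;
    esac
}

# Loadable provider modules (.so or .dll) present in a directory, one per line.
list_provider_modules() {
    [ -d "$1" ] || return 0
    for f in "$1"/*.so "$1"/*.dll; do
        if [ -f "$f" ]; then basename "$f"; fi
    done
}

# Read `openssl version -a` output on stdin and print the summary.
report() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | ossl_version)
    mods=$(printf '%s\n' "$out" | ossl_field MODULESDIR)
    echo "version:    $ver ($(ossl_license "$ver"))"
    echo "config dir: $(printf '%s\n' "$out" | ossl_field OPENSSLDIR)"
    echo "module dir: ${mods:-none reported}"
    list_provider_modules "$mods" | sed 's/^/  module: /'
}

# --live (this script's own flag) reads the installed toolkit; default uses the sample.
if [ "${1:-}" = "--live" ]; then openssl version -a | report; else sample_version_output | report; fi
```

Any module listed that the administrator did not install deliberately is worth reviewing, since a loaded provider supplies the algorithm implementations that applications use.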


27 Feb 2024
