OpenSSL
What is OpenSSL?
OpenSSL is an open source cryptographic toolkit that facilitates secure communications between endpoints on a network. The toolkit includes three core components: the libcrypto library, the libssl library and a command-line utility for performing cryptographic tasks.
The libcrypto library
This library provides a variety of application programming interfaces for performing general-purpose cryptography. It also enables access to a wide range of cryptographic algorithms used in different internet standards. The library supports various types of general-purpose cryptographic functionality, including symmetric encryption, certificate handling, public key cryptography, pseudo-random number generation and cryptographic hash functions.
The libssl library
This library includes the functions necessary to facilitate secure peer-to-peer communications. The library depends on the libcrypto library, using many of its capabilities. The libssl library provides implementations of multiple secure network communication protocols, including the Transport Layer Security (TLS) protocol, which is the widely used successor to Secure Sockets Layer (SSL). The libssl library still supports SSL version 3, but only as a compile-time option. In addition, the library provides implementations of the Datagram TLS (DTLS) protocol and the Quick UDP Internet Connections (QUIC) protocol, a newer transport protocol developed by Google.
The command-line utility
The command-line utility, openssl, performs an assortment of cryptographic tasks. For example, users can create key parameters, generate X.509 certificates, calculate message digests, encrypt or decrypt files, and generate certificate signing requests or certificate revocation lists. Users can also run TLS and DTLS client and server tests, as well as QUIC client tests.
To view a list of available openssl commands, users can enter openssl -help at a command prompt on a system where the OpenSSL toolkit is installed. They can also see which version of OpenSSL is installed by entering the command openssl version -a. Because the command includes the -a switch, it will return the version details as well as the directories where certificates, private keys, configuration files and other types of files are stored.
According to the research report titled "Global State of Exposure: OpenSSL Vulnerabilities" from Bitsight, a cybersecurity ratings company, two-thirds of the world's web servers now use OpenSSL. Although most of the OpenSSL components are written in C, wrappers are available for a variety of other computer languages, enabling them to access the OpenSSL libraries.
The OpenSSL Project is responsible for developing and maintaining OpenSSL, which is distributed under the Apache v2 license. However, this license applies only to OpenSSL 3.0 or later. Prior versions are licensed under the dual OpenSSL and SSLeay licenses, in which the conditions of both licenses apply. The latest version of OpenSSL is 3.2.1, which was released on Jan. 30, 2024.
OpenSSL providers
OpenSSL makes extensive use of providers in facilitating access to algorithm implementations. A provider is essentially a container that holds multiple algorithm implementations, although there's one type of provider that contains no algorithms. The OpenSSL distribution includes the following five core providers:
- Default. This provider includes all the standard built-in algorithm implementations in OpenSSL, including Secure Hash Algorithm 3 (SHA-3), Message Digest Method 5 (MD-5), Advanced Encryption Standard (AES), Secure Hash Algorithm Keccak (SHAKE), SEED, Cipher-based Message Authentication Code (CMAC), TLS 1 pseudo-random function (TLS1-PRF), X448 and Rivest-Shamir-Adleman (RSA). If an application doesn't specify a provider, the default provider is used. The provider is loaded automatically when first attempting to access one of its algorithms, if no other provider has been loaded. Because this is a built-in provider, it's compiled and linked into the libcrypto library.
- Legacy. This provider contains those algorithms that are no longer commonly used or are discouraged from being used because of security issues. The legacy provider supports legacy applications and offers backward compatibility. It also includes algorithms such as Message Digest Method 4 (MD-4), Multi-Domain Command and Control (MDC2), CAST, Blowfish, International Data Encryption Algorithm (IDEA), RC5, Data Encryption Standard (DES) and RMD160.
- Base. This provider contains a small subset of non-cryptographic algorithms that are included in the default provider, such as the X448 and X25519 key exchanges and Digital Signature Algorithm (DSA). For example, the provider contains algorithms for serializing and deserializing file keys. The OpenSSL Project recommends that users who don't load the default provider should load this one instead.
- FIPS. This provider includes a subset of the algorithm implementations that are included in the default provider. The FIPS provider contains only algorithm implementations that conform to the Federal Information Processing Standard, which defines minimum security requirements for cryptographic modules. For example, the provider includes the AES, DSA, Triple DES and Elliptic Curve Digital Signature Algorithm (ECDSA) algorithms.
- Null. This provider is built into the libcrypto library and includes no algorithms. It's used primarily to prevent the default provider from being automatically loaded, which can be helpful when using nondefault library contexts. A library context determines the scope in which configuration options take effect.
To use a specific algorithm in OpenSSL, at least one provider must be loaded that contains an implementation of that algorithm. If a provider isn't specified, OpenSSL automatically loads the default provider. Users can also obtain providers from third-party sources. Third-party providers come in the form of loadable modules, which typically have the file extension .so or .dll, depending on the platform.
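The following shell script is an added example, not part of the original article or of OpenSSL's own code. It audits an OpenSSL configuration file for activated providers, flagging the legacy provider and the case where other providers are configured but the default provider is not, since the default provider auto-loads only if no other provider has been loaded. The section names and the sample file are constructed for illustration; the openssl_conf, providers and activate keys are OpenSSL configuration-file syntax that the article itself does not show.

```shell
# Simplifications: no .include handling; only 1/yes/true/on count as active.

# Print the name of every provider that the config on stdin activates.
active_providers() {
    awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }        # strip comments, trim
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2)
                 gsub(/^[ \t]+|[ \t]+$/, "", sec); next }
    /=/ { k = $0; sub(/[ \t]*=.*/, "", k)                  # key left of "="
          v = $0; sub(/^[^=]*=[ \t]*/, "", v)              # value right of "="
          val[sec, k] = v; keys[sec] = keys[sec] " " k }
    END { psec = val[val["", "openssl_conf"], "providers"] # e.g. provider_sect
          if (psec == "") exit
          n = split(keys[psec], name, " ")
          for (i = 1; i <= n; i++)
              if (tolower(val[val[psec, name[i]], "activate"]) ~ /^(1|yes|true|on)$/)
                  print name[i] }'
}

# Report findings for the config on stdin, one per line.
audit_providers() {
    active=$(active_providers | tr '\n' ' ')
    if [ -z "$active" ]; then
        echo "OK no provider activated; default auto-loads on first use"
        return 0
    fi
    case " $active" in *" legacy "*)
        echo "WARN legacy provider active (MD4, DES, Blowfish, ...)" ;; esac
    case " $active" in *" default "*) ;; *)
        echo "NOTE default not activated; it will not auto-load" ;; esac
}

# Constructed sample: legacy switched on, default left commented out.
sample_conf() {
cat <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
# activate = 1
[legacy_sect]
activate = 1
EOF
}
sample_conf | audit_providers
```

To check a real system, pipe the openssl.cnf found under the OPENSSLDIR directory reported by openssl version -a into audit_providers.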