Browse Definitions :


What is OpenSSL?

OpenSSL is an open source cryptographic toolkit that facilitates secure communications between endpoints on a network. The toolkit includes three core components: the libcrypto library, the libssl library and a command-line utility for performing cryptographic tasks.

The libcrypto library

This library provides a variety of application programming interfaces for performing general-purpose cryptography. It also enables access to a wide range of cryptographic algorithms used in different internet standards. The library supports various types of general-purpose cryptographic functionality, including symmetric encryption, certificate handling, public key cryptography, pseudo-random number generation and cryptographic hash functions.

The libssl library

This library includes the functions necessary to facilitate secure peer-to-peer communications. The library depends on the libcrypto library, using many of its capabilities. The libssl library provides implementations of multiple secure network communication protocols, including the Transport Layer Security (TLS) protocol, which is the widely used successor to Secure Sockets Layer (SSL). The libssl library still supports SSL version 3, but only as a compile-time option. In addition, the library provides implementations of the Datagram TLS (DTLS) protocol and the Quick UDP Internet Connections (QUIC) protocol, a newer transport protocol developed by Google.

The command-line utility

The command-line utility, openssl, offers a useful tool for performing an assortment of cryptographic tasks. For example, users can create key parameters, generate X.509 certificates, calculate message digests, encrypt or decrypt files, and generate certificate signing requests or certificate revocation lists. Users can also run TLS and DTLS client and server tests, as well as QUIC client tests.

To view a list of available openssl commands, users can enter openssl -help at a command prompt on a system where the OpenSSL toolkit is installed. They can also see which version of OpenSSL is installed by entering the command openssl version -a. Because the command includes the -a switch, it will return the version details as well as the directories where certificates, private keys, configuration files and other types of files are stored.

According to the research report titled "Global State of Exposure: OpenSSL Vulnerabilities" from Bitsight, a cybersecurity ratings company, two-thirds of the world's web servers now use OpenSSL. Although most of the OpenSSL components are written in C, wrappers are available for a variety of other computer languages, enabling them to access the OpenSSL libraries.

The OpenSSL Project is responsible for developing and maintaining OpenSSL, which is distributed under the Apache v2 license. However, this license applies only to OpenSSL 3.0 or later. Prior versions are licensed under the dual OpenSSL and SSLeay licenses, in which the conditions of both licenses apply. The latest version of OpenSSL is 3.2.1, which was released on Jan. 30, 2024.

OpenSSL providers

OpenSSL makes extensive use of providers in facilitating access to algorithm implementations. A provider is essentially a container that holds multiple algorithm implementations, although there's one type of provider that contains no algorithms. The OpenSSL distribution includes the following five core providers:

  • Default. This provider includes all the standard built-in algorithm implementations in OpenSSL, including Secure Hash Algorithm 3 (SHA-3), Message Digest Method 5 (MD-5), Advanced Encryption Standard (AES), Secure Hash Algorithm Keccak (SHAKE), SEED, Cipher-based Message Authentication Code (CMAC), TLS 1 pseudo-random function (TLS1-PRF), X448 and Rivest-Shamir-Adleman (RSA). If an application doesn't specify a provider, the default provider is used. The provider is loaded automatically when first attempting to access one of its algorithms, if no other provider has been loaded. Because this is a built-in provider, it's compiled and linked into the libcrypto library.
  • Legacy. This provider contains those algorithms that are no longer commonly used or are discouraged from being used because of security issues. The legacy provider supports legacy applications and offers backward compatibility. It also includes algorithms such as Message Digest Method 4 (MD-4), Multi-Domain Command and Control (MDC2), CAST, Blowfish, International Data Encryption Algorithm (IDEA), RC5, Data Encryption Standard (DES) and RMD160.
  • Base. This provider contains a small subset of non-cryptographic algorithms that are included in the default provider, such as the X448 and X25519 key exchanges and Digital Signature Algorithm (DSA). For example, the provider contains algorithms for serializing and deserializing file keys. The OpenSSL Project recommends that users who don't load the default provider should load this one instead.
  • FIPS. This provider includes subset algorithm implementations that are included in the default provider. The FIPS provider contains only algorithm implementations that conform to the Federal Information Processing Standard, which defines minimum security requirements for cryptographic modules. For example, the provider includes the AES, DSA, Triple DES and Elliptic Curve Digital Signature Algorithm (ECDSA) algorithms.
  • Null. This provider is built into the libcrypto library and includes no algorithms. It's used primarily to prevent the default provider from being automatically loaded, which can be helpful when using nondefault library contexts. A library context determines the scope in which configuration options take effect.

To use a specific algorithm in OpenSSL, at least one provider must be loaded that contains an implementation of that algorithm. If a provider isn't specified, OpenSSL automatically loads the default provider. Users can also obtain providers from third-party sources. Third-party providers come in the form of loadable modules, which typically have the file extension .so or .dll, depending on the platform.

What's the difference between endpoint security and network security? Learn how they both play important roles in an organization's cybersecurity strategy.

This was last updated in February 2024

Continue Reading About OpenSSL

  • DNS attack

    A DNS attack is an exploit in which an attacker takes advantage of vulnerabilities in the domain name system.

  • malware

    Malware, or malicious software, is any program or file that's intentionally harmful to a computer, network or server.

  • cloud security

    Cloud security, also known as 'cloud computing security,' is a set of policies, practices and controls deployed to protect ...

  • data collection

    Data collection is the process of gathering data for use in business decision-making, strategic planning, research and other ...

  • chief trust officer

    A chief trust officer (CTrO) in the IT industry is an executive job title given to the person responsible for building confidence...

  • green IT (green information technology)

    Green IT (green information technology) is the practice of creating and using environmentally sustainable computing resources.

  • diversity, equity and inclusion (DEI)

    Diversity, equity and inclusion is a term used to describe policies and programs that promote the representation and ...

  • ADP Mobile Solutions

    ADP Mobile Solutions is a self-service mobile app that enables employees to access work records such as pay, schedules, timecards...

  • director of employee engagement

    Director of employee engagement is one of the job titles for a human resources (HR) manager who is responsible for an ...

Customer Experience
  • digital marketing

    Digital marketing is the promotion and marketing of goods and services to consumers through digital channels and electronic ...

  • contact center schedule adherence

    Contact center schedule adherence is a standard metric used in business contact centers to determine whether contact center ...

  • customer retention

    Customer retention is a metric that measures customer loyalty, or an organization's ability to retain customers over time.