Definition

OpenSSL

Robert Sheldon

By

Robert Sheldon

What is OpenSSL?

OpenSSL is an open source cryptographic toolkit that facilitates secure communications between endpoints on a network. The toolkit includes three core components: the libcrypto library, the libssl library and a command-line utility for performing cryptographic tasks.

The libcrypto library

This library provides a variety of application programming interfaces for performing general-purpose cryptography. It also enables access to a wide range of cryptographic algorithms used in different internet standards. The library supports various types of general-purpose cryptographic functionality, including symmetric encryption, certificate handling, public key cryptography, pseudo-random number generation and cryptographic hash functions.

The libssl library

This library includes the functions necessary to facilitate secure peer-to-peer communications. The library depends on the libcrypto library, using many of its capabilities. The libssl library provides implementations of multiple secure network communication protocols, including the Transport Layer Security (TLS) protocol, which is the widely used successor to Secure Sockets Layer (SSL). The libssl library still supports SSL version 3, but only as a compile-time option. In addition, the library provides implementations of the Datagram TLS (DTLS) protocol and the Quick UDP Internet Connections (QUIC) protocol, a newer transport protocol developed by Google.

The command-line utility

The command-line utility, openssl, offers a useful tool for performing an assortment of cryptographic tasks. For example, users can create key parameters, generate X.509 certificates, calculate message digests, encrypt or decrypt files, and generate certificate signing requests or certificate revocation lists. Users can also run TLS and DTLS client and server tests, as well as QUIC client tests.

To view a list of available openssl commands, users can enter openssl -help at a command prompt on a system where the OpenSSL toolkit is installed. They can also see which version of OpenSSL is installed by entering the command openssl version -a. Because the command includes the -a switch, it will return the version details as well as the directories where certificates, private keys, configuration files and other types of files are stored.

According to the research report titled "Global State of Exposure: OpenSSL Vulnerabilities" from Bitsight, a cybersecurity ratings company, two-thirds of the world's web servers now use OpenSSL. Although most of the OpenSSL components are written in C, wrappers are available for a variety of other computer languages, enabling them to access the OpenSSL libraries.

The OpenSSL Project is responsible for developing and maintaining OpenSSL, which is distributed under the Apache v2 license. However, this license applies only to OpenSSL 3.0 or later. Prior versions are licensed under the dual OpenSSL and SSLeay licenses, in which the conditions of both licenses apply. The latest version of OpenSSL is 3.2.1, which was released on Jan. 30, 2024.

OpenSSL providers

OpenSSL makes extensive use of providers in facilitating access to algorithm implementations. A provider is essentially a container that holds multiple algorithm implementations, although there's one type of provider that contains no algorithms. The OpenSSL distribution includes the following five core providers:

Default. This provider includes all the standard built-in algorithm implementations in OpenSSL, including Secure Hash Algorithm 3 (SHA-3), Message Digest Method 5 (MD-5), Advanced Encryption Standard (AES), Secure Hash Algorithm Keccak (SHAKE), SEED, Cipher-based Message Authentication Code (CMAC), TLS 1 pseudo-random function (TLS1-PRF), X448 and Rivest-Shamir-Adleman (RSA). If an application doesn't specify a provider, the default provider is used. The provider is loaded automatically when first attempting to access one of its algorithms, if no other provider has been loaded. Because this is a built-in provider, it's compiled and linked into the libcrypto library.
Legacy. This provider contains those algorithms that are no longer commonly used or are discouraged from being used because of security issues. The legacy provider supports legacy applications and offers backward compatibility. It also includes algorithms such as Message Digest Method 4 (MD-4), Multi-Domain Command and Control (MDC2), CAST, Blowfish, International Data Encryption Algorithm (IDEA), RC5, Data Encryption Standard (DES) and RMD160.
Base. This provider contains a small subset of non-cryptographic algorithms that are included in the default provider, such as the X448 and X25519 key exchanges and Digital Signature Algorithm (DSA). For example, the provider contains algorithms for serializing and deserializing file keys. The OpenSSL Project recommends that users who don't load the default provider should load this one instead.
FIPS. This provider includes subset algorithm implementations that are included in the default provider. The FIPS provider contains only algorithm implementations that conform to the Federal Information Processing Standard, which defines minimum security requirements for cryptographic modules. For example, the provider includes the AES, DSA, Triple DES and Elliptic Curve Digital Signature Algorithm (ECDSA) algorithms.
Null. This provider is built into the libcrypto library and includes no algorithms. It's used primarily to prevent the default provider from being automatically loaded, which can be helpful when using nondefault library contexts. A library context determines the scope in which configuration options take effect.

To use a specific algorithm in OpenSSL, at least one provider must be loaded that contains an implementation of that algorithm. If a provider isn't specified, OpenSSL automatically loads the default provider. Users can also obtain providers from third-party sources. Third-party providers come in the form of loadable modules, which typically have the file extension .so or .dll, depending on the platform.

What's the difference between endpoint security and network security? Learn how they both play important roles in an organization's cybersecurity strategy.

This was last updated in February 2024

Continue Reading About OpenSSL

OpenSSL vulnerabilities 'not as bad as feared'

Types of PKI certificates and their use cases

Explore the impact of quantum computing on cryptography

Decoding zero trust in endpoint security: A practical guide for CISOs

Endpoint security best practices to keep company data safe

Search Networking

What is shielded twisted pair (STP) and how does it work?
Shielded twisted pair (STP) is a kind of cable made up of smaller wires where each small pair of wires is twisted together and ...
What is ping and how does it work?
Ping (Packet Internet Groper) is a basic internet program that enables a user to test and verify if a particular destination ...
What is 1000BASE-T (Gigabit Ethernet)?
1000BASE-T is a Gigabit Ethernet standard that operates at a speed of 1 gigabit per second (Gbps) over copper wiring.

Search Security

What is a firewall and why do I need one?
A firewall is a network security device that prevents unauthorized access to a network by inspecting incoming and outgoing ...
What is risk appetite?
Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value.
What is penetration testing?
A penetration test, also called a 'pen test,' is a simulated cyberattack on a computer system, network or application to identify...

Search CIO

What is compliance risk?
Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...
What is quantum entanglement and how does it work?
Quantum entanglement is a foundational phenomenon in quantum mechanics where two or more particles become interconnected in such ...
What is systems thinking?
Systems thinking is a holistic approach to analysis that focuses on the way that a system's constituent parts interrelate and how...

Search HRSoftware

What is team collaboration?
Team collaboration is a communication and project management approach that emphasizes teamwork, innovative thinking and equal ...
What is talent management? Definition, basics and strategy
Talent management is a strategic approach organizations use to attract, develop, retain, and optimize employees.
What is employee experience?
Employee experience is a worker's perception of the organization they work for during their tenure.

Search Customer Experience

What are customer service and support?
Customer service is the support organizations offer to customers before, during and after purchasing a product or service.
What is quality of experience (QoE or QoX)?
Quality of experience (QoE or QoX) is a measure of the overall level of a customer's satisfaction and experience with a product ...
What is voice of the customer? A guide to VOC Strategy
Voice of the customer (VOC) is the component of customer experience (CX) that focuses on customer needs, wants, expectations and ...

Close