OpenSSL
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.

Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four open source BSD operating systems), OpenVMS and Microsoft Windows. IBM provides a port for the System i (OS/400). OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson, development of which unofficially ended around December 1998, when Young and Hudson both started to work for RSA Security.

Major version releases

  • OpenSSL 1.0.0 was released on March 29, 2010.
  • OpenSSL 0.9.8 was released on July 5, 2005.
  • OpenSSL 0.9.7 was released on December 31, 2002.
  • OpenSSL 0.9.6 was released on September 25, 2000.
  • OpenSSL 0.9.5 was released on February 28, 2000.
  • OpenSSL 0.9.4 was released on August 9, 1999.
  • OpenSSL 0.9.3 was released on May 25, 1999.
  • OpenSSL 0.9.2b was released on March 22, 1999.
  • OpenSSL 0.9.1c was the first release, on December 23, 1998.

Algorithms

OpenSSL supports a number of different cryptographic algorithms:

  • Ciphers: AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST 28147-89
  • Cryptographic hash functions: MD5, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R 34.11-94
  • Public-key cryptography: RSA, DSA, Diffie–Hellman key exchange, Elliptic curve cryptography, GOST R 34.10-2001

FIPS 140-2 compliance

OpenSSL is one of the few open source programs to be involved with validation under the FIPS 140-2 computer security standard by the National Institute of Standards and Technology's (NIST) Cryptographic Module Validation Program (CMVP). (OpenSSL itself is not validated, but a component called the OpenSSL FIPS Object Module, based on OpenSSL, was created to provide many of the same capabilities.)

A certificate was first awarded in January 2006 but revoked in July 2006 "when questions were raised about the validated module’s interaction with outside software." The certification was reinstated in February 2007.

Licensing

OpenSSL is "dual licensed" under the OpenSSL License and the SSLeay License. The OpenSSL License is the Apache License 1.0 and the SSLeay License is the 4-clause BSD License. The common usage of the term dual-license is that the user may pick which license they wish to use. However, OpenSSL documentation uses the term dual-license to mean that both licenses apply.

As the OpenSSL License is the Apache License 1.0, but not the Apache License 2.0, it requires the phrase "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)" to appear in advertising material and any redistributions (Sections 3 and 6 of the OpenSSL License). Due to this restriction, the OpenSSL License and the Apache License 1.0 are incompatible with the GPL.
Some GPL developers have added an OpenSSL exception to their licenses specifically allowing OpenSSL to be used with their system. GNU Wget and climm both use such exceptions. Other packages use the LGPL-licensed GnuTLS, which performs the same task.

See also

  • CyaSSL
  • GnuTLS
  • Network Security Services
  • PolarSSL
  • POSSE project
  • Comparison of TLS Implementations
  • Transport Layer Security

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.