Configs · May 5, 2026 · 3 min read

OpenSSL — The Cryptography and TLS Toolkit

The most widely deployed open-source cryptographic library, providing SSL/TLS protocol implementations and a comprehensive set of cryptographic primitives.

Introduction

OpenSSL is a robust open-source toolkit that implements the SSL and TLS protocols along with a general-purpose cryptography library. Nearly every Linux distribution, web server, and networked application depends on it for secure communication.

What OpenSSL Does

  • Implements TLS 1.0 through 1.3 and DTLS for secure network communication
  • Provides symmetric ciphers (AES, ChaCha20), hash functions (SHA-2, SHA-3), and public-key algorithms (RSA, ECDSA, EdDSA)
  • Manages X.509 certificates: generation, signing, verification, and revocation
  • Offers a command-line tool for certificate operations, encryption, and debugging
  • Exposes the libcrypto and libssl C APIs used by thousands of downstream projects

Architecture Overview

OpenSSL is split into two libraries. libcrypto contains all cryptographic primitives, ASN.1 parsing, and the provider framework introduced in OpenSSL 3.x. libssl builds on libcrypto to implement the TLS and DTLS protocols. The 3.x provider model allows plugging in alternative algorithm implementations, including FIPS-validated modules, without changing application code.

Self-Hosting & Configuration

  • Install from system packages (e.g., apt install openssl libssl-dev) or build from source
  • Configure with ./Configure selecting target platform and optional FIPS module
  • Set OPENSSL_CONF to point to a custom openssl.cnf for default behaviors
  • Use the FIPS provider for compliance: openssl fipsinstall -out fipsmodule.cnf
  • Link applications against libssl and libcrypto with pkg-config or CMake find_package

Key Features

  • Supports TLS 1.3 with zero-RTT early data and modern cipher suites
  • Provider architecture in 3.x enables runtime-selectable algorithm backends
  • FIPS 140-2/3 validated cryptographic module available
  • Comprehensive CLI for certificate chains, key generation, CMS, and PKCS operations
  • Extensive platform support from embedded Linux to mainframes

Comparison with Similar Tools

  • LibreSSL — OpenBSD fork focused on code simplification; smaller feature set
  • BoringSSL — Google fork optimized for Chrome and Android; no stable ABI guarantee
  • GnuTLS — LGPL alternative with a different API design; less widespread adoption
  • wolfSSL — lightweight TLS for embedded systems; smaller footprint but narrower ecosystem

FAQ

Q: Is OpenSSL affected by the Heartbleed vulnerability? A: Heartbleed (CVE-2014-0160) was fixed in 2014. No modern version (1.1.1 and later, including 3.x) is affected.

Q: What changed in OpenSSL 3.x? A: Version 3.0 introduced the provider model, deprecated many low-level APIs, and moved FIPS validation into a separate loadable module.

Q: Can OpenSSL generate Let's Encrypt certificates? A: OpenSSL can generate CSRs and keys, but you need an ACME client like acme.sh or certbot to interact with Let's Encrypt.

Q: Is OpenSSL thread-safe? A: Yes. Since version 1.1.0, OpenSSL handles locking internally and is safe for multi-threaded use.
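The certificate workflow the page lists (key generation, CSR creation, signing, chain verification), exercised with the command-line tool as an added example that is not part of the page or the OpenSSL project. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; every directory, file name and subject is constructed for the demo.

```shell
#!/bin/sh
# Added example: build a two-level chain with the openssl CLI and verify it.
# Assumes `openssl` 1.1.1 or 3.x on PATH; all names/paths are constructed.
set -eu

# build_demo_chain DIR: create a self-signed root CA and a CSR-issued leaf in DIR.
build_demo_chain() {
  dir="$1"
  mkdir -p "$dir"

  # 1. Root CA: P-256 key and a self-signed certificate valid for 10 days.
  #    `req -x509` marks it CA:TRUE (via the stock openssl.cnf on 1.1.1,
  #    by default on 3.x).
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 10 \
    -subj "/CN=Demo Root CA" -out "$dir/ca.crt"

  # 2. Leaf: key and CSR. This CSR is what an ACME client (certbot, acme.sh)
  #    would submit to Let's Encrypt; OpenSSL alone stops at this step.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key"
  openssl req -new -key "$dir/leaf.key" -sha256 \
    -subj "/CN=demo.example.test" -out "$dir/leaf.csr"

  # 3. Act as the CA: sign the CSR into a 5-day leaf certificate.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 5 -sha256 -out "$dir/leaf.crt"
}

# verify_cert CAFILE CERT: exit 0 when CERT chains to a root in CAFILE,
# non-zero otherwise (wrong issuer, bad signature, expired, not a CA, ...).
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# chain_summary DIR: print subject and issuer of the leaf and the CA.
chain_summary() {
  for f in "$1/leaf.crt" "$1/ca.crt"; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

# Usage: sh demo_chain.sh DIR  (build, verify, then print the chain)
if [ $# -eq 1 ]; then
  build_demo_chain "$1"
  verify_cert "$1/ca.crt" "$1/leaf.crt"
  chain_summary "$1"
fi
```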
