
What is OpenSSL?

By Nate Drake

What is OpenSSL and how does it help keep you safe and secure online?


Secure Sockets Layer (SSL) is an internet security protocol. It establishes encrypted connections between computers on a network, such as the internet. 

The OpenSSL Project began in 1998 to develop a free, versatile set of encryption tools for online use. Amongst other things, this includes open-source versions of both the SSL and TLS protocols. As the source code is freely available, OpenSSL is supported on a number of platforms including Linux, macOS and Windows.

What’s in the box? 

The core library (libssl) of OpenSSL is written in the C programming language. It’s designed to allow users to enable support for SSL/TLS in both client and server applications. This is useful for websites, messaging apps, and VPN services, including free VPNs.

The library relies heavily on OpenSSL’s comprehensive cryptographic library, libcrypto. This supports a huge number of algorithms including the industry standard Advanced Encryption Standard (AES). The libcrypto library also supports older encryption algorithms like Blowfish and Camellia.

The library also supports a number of implementations of public-key cryptography such as the RSA algorithm and the Diffie-Hellman key exchange. OpenSSL also supports elliptic-curve cryptography, which provides high-strength encryption but with smaller key sizes than regular symmetric/asymmetric encryption, making it much faster.

The two main OpenSSL libraries are brought together under a comprehensive command line tool. This allows users to perform routine activities like creating certificates, generating RSA public/private keys and even generating keys based on elliptic curves. This is a real perk of OpenSSL relative to other software libraries, as it means no third-party software is required to make use of them.

OpenSSL opportunities 

There’s no doubt that the world is a better place for OpenSSL, particularly given that the project offers both the software libraries and the toolkit to make use of them.

This means that if a programmer wants to create an application which can communicate over networks safely, they don’t need to create their own version of SSL or some bespoke encryption algorithm: they can simply point their own program to OpenSSL’s libraries.

This can offer a lot of peace of mind. Coding applications from scratch which can communicate securely is extremely difficult, so it’s far better to use established code. The fact that OpenSSL source code is reviewed by both project members and the community at large means that bugs are more likely to be spotted and corrected.

The most recent version of OpenSSL (3.0) was released under the Apache License v2: in simplest terms, this means any products created using it can be re-released under a software license of the developer’s choice. It can therefore be used in commercial software, and there’s no obligation to release the full source code of the program, as would be the case with other open-source software licenses like the General Public License (GNU GPL).

OpenSSL obstacles 

The fact that OpenSSL is reviewed by dedicated engineers and the software community doesn’t mean it’s perfect. 

This was best illustrated in 2014 when the Heartbleed Bug was discovered. 

Officially known as CVE-2014-0160, Heartbleed was a serious flaw in the implementation of OpenSSL discovered by researchers at Google and Codenomicon. 

The bug potentially allowed bad actors to read information that would normally be encrypted by SSL/TLS. It affected OpenSSL's implementation of the transport layer security protocols (TLS/DTLS) heartbeat extension (RFC 6520), which could lead to a memory leak between clients and servers.

This had very serious implications for all websites, messaging programs and VPNs using the OpenSSL library, as an attacker could do this without leaving any trace, meaning they could monitor a connection for days or weeks.

More worryingly, the most common server software packages are Apache and nginx, making up just over two thirds of those on the Internet today. Both types of server use OpenSSL, not to mention a number of alternative operating systems which came with OpenSSL bundled, such as FreeBSD, Debian and Ubuntu.

Developers at Google helped to develop a security patch to fix the vulnerability, and newer versions of OpenSSL have been amended so it’s no longer a threat. Still, there’s no way of knowing for certain how many servers were exploited before Heartbleed was patched.
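A simplified model of the missing length check behind Heartbleed, as an added example rather than OpenSSL's own code: the flawed handler echoes back as many bytes as the heartbeat message's payload_length field claims, while the hardened one first compares that field with the number of bytes actually received. The function names, the memory layout and the sample data are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PAD = 16 };

/* Echo `claimed` payload bytes back (response padding omitted for brevity). */
static size_t hb_echo(const uint8_t *rec, size_t claimed, uint8_t *out, size_t cap)
{
    if (HB_HEADER + claimed > cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* Flawed: trusts the sender's payload_length, never compares it to rec_len. */
size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return 0;
    return hb_echo(rec, ((size_t)rec[1] << 8) | rec[2], out, cap);
}

/* Hardened: header + payload + minimum padding must fit in the bytes actually
   received; otherwise discard silently (RFC 6520, section 4). */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len) return 0;
    return hb_echo(rec, claimed, out, cap);
}

/* Constructed memory image: a 23-byte record ("ping" + 16 bytes of padding)
   followed by unrelated data. One array (cap <= 128) keeps reads in bounds. */
size_t hb_demo(int checked, uint8_t claimed, uint8_t *out, size_t cap)
{
    uint8_t mem[128] = {0};
    const size_t rec_len = HB_HEADER + 4 + HB_MIN_PAD;
    mem[0] = HB_REQUEST; mem[2] = claimed;
    memcpy(mem + HB_HEADER, "ping", 4);
    memcpy(mem + rec_len, "session-key=CONSTRUCTED", 23);
    return (checked ? hb_reply_checked : hb_reply_vulnerable)(mem, rec_len, out, cap);
}

int main(void)
{
    uint8_t out[128];
    printf("vulnerable: %zu bytes, checked: %zu bytes\n",
           hb_demo(0, 40, out, sizeof out), hb_demo(1, 40, out, sizeof out));
}
```

With a claimed length of 40 against a 4-byte payload, the flawed handler's reply carries the start of the neighbouring data, while the checked handler sends nothing.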

In 2015, another bug was discovered in OpenSSL which could potentially allow attackers to crash servers using OpenSSL-generated certificates as part of a “Denial of Service” or DDoS attack.

After this, it may surprise readers that servers still use OpenSSL, but it remains a very simple way to use advanced SSL/TLS protocols in applications. The fact that the source code was freely available is precisely what allowed bugs like these to be exposed and patched so quickly. Had this occurred in proprietary closed-source software, the bug may not have been discovered, nor would the developer necessarily have made it public.

The CEO of the OpenSSL project also pointed out that their team is quite small and underfunded, so cannot be expected to perform robust risk-testing as well as implement new features. The industry has also responded by encouraging more funding for OpenSSL.

OpenSSL overall 

In the wake of the Heartbleed bug, the OpenBSD Project forked the OpenSSL project to create LibreSSL, which emphasizes more simplistic code as well as improved security. It’s now the favored TLS encryption library for the principal BSD operating systems, Gentoo and macOS. Google also created their own fork of OpenSSL called BoringSSL. Although it’s open source, it’s primarily designed for use with their own projects, so it is not recommended for third parties.

OpenSSL remains a popular open source implementation of the SSL/TLS protocols, particularly given how easy it is to include in other products like Apache and nginx server software. 

If you’re considering building a website or online service, you should still make sure to obtain an SSL Certificate for your server from a valid certificate authority (CA) before doing anything else.  


TechRadar Pro created this content as part of a paid partnership with ExpressVPN.


Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.


TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site (opens in new tab).


© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.