What is OpenSSL?

A laptop half-closed against a black backdrop
(Image credit: Unsplash / Tianyi Ma)

Secure Sockets Layer (SSL) is an internet security protocol. It establishes encrypted connections between computers on a network, such as the internet. 

The OpenSSL Project dates back to 1998 to develop a free, versatile set of encryption tools for online use. Amongst other things this includes open-source versions of both the SSL and TLS protocols. As the source code is freely available OpenSSL is supported on a number of platforms including Linux, macOS and Windows.  

What’s in the box? 

The core library (libssl) of OpenSSL is written in the C Programming Language. It’s designed to allow users to enable support for SSL/TLS in both client and server applications. This is useful for websites, messaging apps, and VPN services, including free VPNs.

The library relies heavily on OpenSSL’s comprehensive cryptographic library, libcrypto. This supports a huge number of algorithms including the industry standard Advanced Encryption Standard (AES). The libcrypto library also supports older encryption algorithms like Blowfish and Camellia.

The library also supports a number of implementations of Public Key Cryptography such as the RSA algorithm and the Diffie-Hellman key exchange. OpenSSL also supports elliptic-curve cryptography, which provides high-strength encryption but with smaller key-sizes than regular symmetric/asymmetric encryption, making it much faster.

The two main OpenSSL libraries are brought together under a comprehensive command line tool. This allows users to perform routine activities like creating certificates, generating RSA Public/Private keys and even generating keys based on elliptic curves. This is a real perk of OpenSSL relative to other software libraries, as it means no third party software is required to make use of them. 

OpenSSL opportunities 

There’s no doubt that the world is a better place for OpenSSL, particularly given that the project offers both the software libraries and the toolkit to make use of them.

This means that if a programmer wants to create an application which can communicate over networks safely, they don’t need to create their own version of SSL or some bespoke encryption algorithm: they can simply point their own program to OpenSSL’s libraries.

This can offer a lot of peace of mind. Coding applications from scratch which can communicate securely is extremely difficult, so it’s far better to use established code. The fact that OpenSSL source code is reviewed by both project members and the community at large means that bugs are more likely to be spotted and corrected.

The most recent version of OpenSSL (3.0) was released under the Apache License v2 : in simplest terms this means any products created using it can be re-released under a software license of the developer’s choice. This means that it can be used in commercial software and there’s no obligation to release the full source code of the program as would be the case with other open-source software licenses like the General Public License (GNU GPL). 

OpenSSL obstacles 

The fact that OpenSSL is reviewed by dedicated engineers and the software community doesn’t mean it’s perfect. 

This was best illustrated in 2014 when the Heartbleed Bug was discovered. 

Officially known as CVE-2014-0160, Heartbleed was a serious flaw in the implementation of OpenSSL discovered by researchers at Google and Codenomicon. 

The bug potentially allowed bad actors to read information that would normally be encrypted by SSL/TLS. It affects OpenSSL's implementation of the transport layer security protocols (TLS/DTLS) heartbeat extension (RFC6520), which can lead to a memory leak between clients and servers. 

This had very serious implications for all websites, messaging programs and VPNs using the OpenSSL library as an attacker could do this without leaving any trace, meaning they could monitor a connection for days or weeks.

More worryingly, the most common server software is Apache and nginx, making up just over two thirds of those on the Internet today. Both types of server use OpenSSL, not to mention a number of alternative operating systems which came with OpenSSL bundled such as FreeBSD, Debian and Ubuntu.

Developers at Google helped to develop a security patch to fix the vulnerability and newer versions of OpenSSL have been amended so it’s no longer a threat. Still there’s no way of knowing for certain how many servers were exploited before Heartbleed was patched.

In 2015, another bug was discovered in OpenSSL which potentially could allow attackers to crash servers using OpenSSL-generated certificates as part of a “Denial of Service” or DDoS attack.

After this, it may surprise readers that servers still use OpenSSL but it still remains a very simple way to use advanced SSL/TLS protocols in applications. The fact that the source code was freely available is precisely what allowed bugs like these to be exposed and patched so quickly. Had this occurred in proprietary closed-source software the bug may not have been discovered, nor would the developer necessarily have made it public.

The CEO of the OpenSSL project also pointed out that their team is quite small and underfunded, so cannot be expected to perform robust risk-testing as well as implement new features. The industry has also responded by encouraging more funding for OpenSSL.

OpenSSL overall 

In the wake of the Heartbleed bug, the OpenBSD Project forked the OpenSSL project to create LibreSSL, which emphasizes more simplistic code as well as improved security. It’s now the favored TLS encryption library for the principle BSD operating systems, Gentoo and macOS. Google also created their own fork of OpenSSL called BoringSSL - although it’s open source it’s primarily designed for use with their own projects so not recommended for third parties.

OpenSSL remains a popular open source implementation of the SSL/TLS protocols, particularly given how easy it is to include in other products like Apache and nginx server software. 

If you’re considering building a website or online service, you should still make sure to obtain an SSL Certificate for your server from a valid certificate authority (CA) before doing anything else.  

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.