OpenSSL
openssl genrsa for key generation, openssl req for certificate signing requests, and openssl s_client for testing TLS/SSL connections, including verifying server-supported TLS protocol versions by forcing specific versions with flags such as -tls1_3 or -tls1_2) that enable developers and administrators to perform security tasks without custom code. The availability of certain TLS versions may be restricted by system configurations in certain distributions, such as Red Hat Enterprise Linux where the default system-wide cryptographic policy enables only TLS 1.2 and TLS 1.3.[8][9][2]
Since version 3.0, OpenSSL is distributed under the permissive Apache License 2.0, allowing broad commercial and non-commercial use while requiring attribution and patent grants.[1][10]
Widely adopted in software like Apache HTTP Server, Nginx, and countless libraries, OpenSSL underpins much of the internet's security infrastructure but has faced scrutiny due to historical vulnerabilities, prompting ongoing improvements in code quality, fuzzing, and formal verification.[11] Its development is maintained by a global community via GitHub, with regular releases ensuring compatibility with emerging standards like post-quantum cryptography in version 3.5.[12][13]
History
Origins and Founding
SSLeay, the predecessor to OpenSSL, was initiated in 1995 by Australian cryptographers Eric A. Young and Tim J. Hudson as an open-source implementation of the Secure Sockets Layer (SSL) protocol, aimed at providing a free alternative to proprietary cryptographic libraries like those from Netscape and RSA. The project began amid the rapid expansion of the internet in the mid-1990s, where the need for secure data transmission was growing, but U.S. export controls restricted access to strong encryption technologies outside academic and limited commercial uses.[14] SSLeay's development focused on implementing SSL 2.0 and later SSL 3.0 using algorithms such as RC2 and RC4, filling a gap left by unavailable open alternatives like Netscape's Network Security Services (NSS).[15] The first release of SSLeay occurred in 1995, marking it as one of the earliest freely available SSL toolkits and enabling developers to integrate secure connections without licensing fees or legal hurdles related to encryption exports. By the late 1990s, SSLeay had achieved significant adoption, particularly within the Apache HTTP Server ecosystem through third-party modules like mod_ssl, which allowed the creation of open-source secure web servers and contributed to the proliferation of HTTPS in early web applications.[16] In December 1998, following Young and Hudson's employment at RSA Security, SSLeay's active development ceased unofficially due to conflicts between its open-source nature and the company's commercial interests, prompting the community to fork the project.[17] This led to the founding of the OpenSSL Project on December 23, 1998, with the release of OpenSSL 0.9.1c, rebranded to emphasize its commitment to open development and a dual-licensing model compatible with both open-source and commercial use.[16] The new project maintained SSLeay's core goals of delivering a robust, unrestricted cryptographic library for SSL/TLS protocols, supporting the burgeoning demand for secure online transactions and communications in an increasingly connected world.[1]Early Development and Milestones
The OpenSSL 0.9.x series, spanning releases from 1998 to 2005, marked a period of substantial feature expansion that solidified its role as a versatile open-source cryptography library. Early releases in this series introduced support for advanced ciphers, such as AES cipher suites compliant with RFC 3268 in version 0.9.7.[18] Subsequent updates added Online Certificate Status Protocol (OCSP) support in 0.9.7 for improved certificate validation. In 0.9.8, released in July 2005, further ciphers including SEED were added, with Camellia support introduced in the 0.9.8 series from 2006; Cryptographic Message Syntax (CMS) support came later in version 1.0.1. These enhancements addressed growing demands for robust public key infrastructure and secure email standards, with ASN.1 parsing improvements contributing to more reliable certificate processing across applications.[19] A pivotal milestone arrived with the release of OpenSSL 1.0.0 on March 29, 2010, which brought significant performance optimizations and expanded cryptographic primitives. This version incorporated a new elliptic curve cryptography library section, enabling efficient implementations of curves like NIST P-224 for key exchange and digital signatures, offering superior security-to-performance ratios compared to traditional RSA. Performance gains were achieved through optimizations in core algorithms, including faster AES implementations and a revamped random number generator leveraging operating system PRNGs, reducing computational overhead in SSL/TLS handshakes. Additionally, 1.0.0 introduced support for Datagram TLS (DTLS), PKCS#5 v2.0 PBKDF2 for key derivation, and TLS extensions, facilitating broader adoption in real-time applications like VoIP.[20][20][20] OpenSSL 1.1.0, released in August 2016, introduced further improvements including API enhancements for better abstraction and multi-threading support via the OSSL thread API, preparing the library for modern concurrent applications while maintaining backward compatibility.[21] OpenSSL's integration into major Linux distributions during the early 2000s represented a key community milestone, establishing it as the de facto cryptographic engine for systems like Debian, Red Hat, and Ubuntu, where it powered package managers, web servers, and system services. This widespread embedding accelerated its evolution, with distributions contributing patches for compatibility and performance. By the mid-2010s, OpenSSL played a crucial role in standardizing TLS 1.2 support, fully implemented in version 1.0.1 released in March 2012, aligning with RFC 5246 and enabling secure extensions like Server Name Indication for virtual hosting.[22][23][24] Early security awareness was heightened by packaging challenges, such as the 2003 Debian update addressing a timing-based side-channel attack vulnerability in OpenSSL 0.9.7, which underscored the risks of distribution-specific modifications and prompted improved auditing practices across the ecosystem. The project's community growth accelerated following the 2014 Heartbleed incident, exposing chronic underfunding; this crisis led to the formation of the Core Infrastructure Initiative by the Linux Foundation, securing over $3.9 million in commitments from tech giants like Microsoft, Google, and Intel to establish a sustainable sponsorship model for OpenSSL development and governance. Although the OpenSSL Foundation itself was formalized later in 2014 to oversee non-commercial aspects, these efforts marked a turning point in professionalizing contributions and ensuring long-term viability.[25][26][27]Release History
Major Version Timeline
OpenSSL's major version releases mark significant architectural and functional advancements in the library's evolution, focusing on enhanced security, performance, and compatibility with emerging standards. The 1.0.0 series, released on March 29, 2010, represented a substantial update from prior versions, incorporating numerous performance optimizations, support for additional TLS extensions such as server name indication (SNI) per RFC 6066, and improved handling of certificate revocation via OCSP stapling.[28] It also enhanced multi-threading capabilities through refined callback mechanisms, enabling safer concurrent access in applications. This release laid groundwork for broader adoption in production environments by addressing long-standing efficiency issues in cryptographic operations. OpenSSL 1.1.0, released on August 25, 2016, introduced a major API refactoring to promote forward compatibility and security. Key changes included making internal data structures opaque to applications, which reduced the risk of direct memory manipulation vulnerabilities, and deprecating the legacy ENGINE abstraction in favor of a more modular provider model preview.[29] The update also streamlined threading support by leveraging platform-native primitives, eliminating the need for custom locking callbacks in many cases.[30] The 3.0 series debuted on September 7, 2021, ushering in a provider-based architecture that allows pluggable cryptographic implementations without recompiling the core library. This design facilitates easier integration of custom algorithms and hardware accelerators while enforcing secure-by-default configurations, such as raising the minimum security level to 1 and disabling legacy protocols like SSLv2 and SSLv3.[4] Deprecated features from prior versions, including certain low-level APIs, were removed to streamline development and reduce maintenance overhead. In the post-3.0 era, OpenSSL 3.1 reached end-of-life on March 14, 2025, ceasing all security updates and patches.[31] The 3.5 LTS version followed on April 8, 2025, as a long-term support release with maintenance committed until April 8, 2030. It emphasized post-quantum cryptography readiness by integrating NIST-standardized algorithms like ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA for hash-based signatures, alongside performance optimizations in key derivation and TLS handshakes.[32][13] OpenSSL 3.6.0, released on October 1, 2025, builds on these foundations as a feature release, introducing support for opaque symmetric key objects (EVP_SKEY) in key exchange and derivation operations to enhance modularity across providers. It also added verification for Leighton-Micali Signature (LMS) schemes per NIST SP 800-208, further advancing quantum-resistant capabilities, and included hybrid key exchange mechanisms compatible with TLS 1.3 for seamless migration to post-quantum hybrids.[33] Recent patch releases, such as 3.5.4 on September 30, 2025, addressed vulnerabilities including an out-of-bounds read/write in CMS message decryption (CVE-2025-9230) and related issues (CVE-2025-9231, CVE-2025-9232).[34]| Version | Release Date | Key Features | Support Notes |
|---|---|---|---|
| 1.0.0 | March 29, 2010 | TLS extensions (e.g., SNI), OCSP stapling, improved threading callbacks | End-of-life December 31, 2019 |
| 1.1.0 | August 25, 2016 | Opaque data structures, deprecated ENGINE API, native threading | End-of-life September 11, 2019 |
| 3.0 | September 7, 2021 | Provider architecture, pluggable crypto, secure defaults | LTS until September 7, 2026 |
| 3.5 | April 8, 2025 | Post-quantum algorithms (ML-KEM, ML-DSA, SLH-DSA), performance tweaks | LTS until April 8, 2030 |
| 3.6.0 | October 1, 2025 | EVP_SKEY support, LMS signatures, hybrid key exchanges | Ongoing feature branch |
Support Policies and End-of-Life
OpenSSL employs a structured release strategy to ensure long-term stability and security for its users, featuring distinct branch types. Long Term Support (LTS) releases, designated as stable branches, are planned approximately every five years and receive five years of support, including security updates and bug fixes. Regular non-LTS releases follow a two-year support cycle, providing a balance between new features and maintenance. Additionally, beta and feature branches serve for development and testing of upcoming versions, without long-term support commitments.[35] The end-of-life (EOL) policy dictates that once a version reaches its designated support endpoint, it no longer receives upstream security fixes, bug fixes, or official updates from the OpenSSL project. LTS versions adhere to a five-year lifecycle; for instance, OpenSSL 3.0, an LTS release, is supported until September 2026. Non-LTS versions, such as 3.1, have a two-year support period and reached EOL on March 14, 2025, though support was briefly extended to September 2026 for specific compliance reasons related to FIPS 140-2 modules. Earlier EOL examples include version 1.1.1, which ended support on September 11, 2023. The project strongly recommends that users and vendors migrate to actively supported versions, such as the LTS 3.5 release, which is supported until April 8, 2030, to maintain security.[11][36][37] Regarding vulnerability management, OpenSSL's backporting policy prioritizes security by applying patches for critical vulnerabilities across all supported branches, ensuring broad protection without requiring immediate upgrades. Non-critical issues or enhancements may not be backported to older branches, as the project encourages migration to newer versions for full feature access and efficiency. Security fixes are only provided for versions within their active support windows, underscoring the importance of adhering to EOL timelines.[38][35] The OpenSSL community provides clear guidelines for issue reporting to facilitate timely resolutions. Security vulnerabilities should be disclosed responsibly through the project's security policy, initially via private channels like the security mailing list before public announcement. General bugs and feature requests are handled through the official GitHub repository. Vendors and distributors bear the responsibility for backporting fixes to their downstream products if they continue supporting EOL versions, as upstream support ceases definitively at EOL dates.Technical Overview
Supported Protocols and Algorithms
OpenSSL provides implementations of key cryptographic protocols for secure communication, including the deprecated Secure Sockets Layer versions 2.0 and 3.0, as well as Transport Layer Security (TLS) versions 1.0 through 1.3.[39][40] It also supports Datagram Transport Layer Security (DTLS) for connectionless transport, specifically versions 1.0 and 1.2.[39] Starting with version 3.5, OpenSSL includes support for server-side QUIC using TLS 1.3 as the security layer. These protocols enable secure data transmission over networks, with TLS 1.3 offering modern features like integrated key exchange and authenticated encryption. While OpenSSL supports TLS 1.0 through 1.3, certain distributions enforce restrictions via system-wide cryptographic policies. For example, in Red Hat Enterprise Linux 8, the DEFAULT policy enables only TLS 1.2 and TLS 1.3, disabling TLS 1.0 and 1.1 for enhanced security.[8] Theopenssl s_client command can be used to test which TLS versions a server supports. Without a version flag, it negotiates the highest mutually available protocol (usually TLS 1.3 if supported). To force a specific version:
- TLS 1.3:
openssl s_client -connect example.com:443 -tls1_3 -quiet - TLS 1.2:
openssl s_client -connect example.com:443 -tls1_2 -quiet
-brief provides concise output, including "Protocol version: TLSv1.x". If the requested version is not supported, the connection fails with an error such as a handshake failure.[9]
To test or enable older versions like TLS 1.0 or 1.1 in environments with restrictive policies (e.g., RHEL 8 DEFAULT), temporarily switch to the LEGACY policy: sudo update-crypto-policies --set LEGACY (restart applications or reboot for changes to take effect; not recommended for production due to increased security risks).[8]
For symmetric cryptography, OpenSSL implements the Advanced Encryption Standard (AES) in various modes, including Cipher Block Chaining (CBC) for confidentiality and Galois/Counter Mode (GCM) for authenticated encryption, supporting key sizes of 128, 192, and 256 bits.[41] It also includes ChaCha20-Poly1305, a stream cipher combined with an authenticator for high-performance authenticated encryption, particularly suited for mobile and low-power devices.[41] Other symmetric options, such as Camellia and ARIA, are available through the default provider, ensuring compatibility with international standards.[4]
Asymmetric algorithms in OpenSSL encompass Rivest-Shamir-Adleman (RSA) for encryption and signing, with support for key sizes up to 4096 bits.[4] Elliptic curve cryptography includes the Elliptic Curve Digital Signature Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH) using NIST-approved curves such as P-256, P-384, and P-521, alongside X25519 and X448 for efficient key exchange.[40] Traditional Diffie-Hellman (DH) key agreement is also supported, with modular exponentiation for generating shared secrets.[4]
The library supports a broad range of hash functions, including the SHA-1 (legacy), SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512), and SHA-3 variants for collision-resistant digesting.[4] BLAKE2 is implemented for fast, secure hashing, and all these can be used with Hash-based Message Authentication Code (HMAC) for integrity verification.[4] OpenSSL handles X.509 certificate parsing for public key infrastructure and PKCS#12 formats for bundling keys and certificates. In OpenSSL 3.5, native support for post-quantum algorithms such as ML-KEM (key encapsulation), ML-DSA, and SLH-DSA is provided through built-in providers, with the provider interface also allowing modular loading from external sources like liboqs.[40][13]
Certificate inspection and expiration checking
OpenSSL provides thex509 subcommand for parsing and displaying information from X.509 certificates in PEM or DER format.
To view the expiration date of a local certificate file:
openssl x509 -enddate -noout -in certificate.pem
notAfter field, e.g.:
notAfter=Oct 15 12:34:56 2027 GMT
notBefore) and end (notAfter) dates:
openssl x509 -dates -noout -in certificate.pem
openssl x509 -text -noout -in certificate.pem | grep -E "Not Before|Not After"
openssl x509 -checkend 2592000 -noout -in certificate.pem && echo "Expires within 30 days or less" || echo "Valid for more than 30 days"
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
-servername flag is important for SNI-enabled servers hosting multiple domains.
These commands are widely used for system administration tasks such as monitoring certificate renewals and troubleshooting TLS connections.
Private key encryption and passphrase prompting
OpenSSL supports encrypting private keys with a passphrase for added security, using ciphers like AES-256. When generating keys:openssl genrsa -aes256 -out ca.key 2048prompts for a passphrase and encrypts the key (header:-----BEGIN ENCRYPTED PRIVATE KEY-----or similar).openssl genrsa -nodes -out ca.key 2048or without the encryption flag creates an unencrypted key (header:-----BEGIN RSA PRIVATE KEY-----).
openssl ca command or openssl x509 -req -CA ca.crt -CAkey ca.key ..., OpenSSL prompts for the passphrase only if the key is encrypted. If unencrypted, no prompt occurs, as the key can be loaded directly.
This is expected behavior: encrypted keys require decryption via passphrase (unless supplied non-interactively with -passin pass:yourpass or other sources).
To check if a key is encrypted:
openssl rsa -in ca.key -check -noout
- No prompt and "RSA key ok" → unencrypted.
- Prompts for passphrase → encrypted.
openssl rsa -aes256 -in unencrypted.key -out encrypted.key
Enter passphrase when prompted. Update CA configurations to use the new key.
For automated or test environments, unencrypted keys are common (protected by file permissions), but production CAs should use encrypted keys to prevent unauthorized use if the key file is compromised.
See OpenSSL man pages for genrsa, rsa, ca, x509, and passphrase-options for details on -passin/-passout.
