What is OpenSSL
OpenSSL is open-source software that implements a commercial-grade toolkit offering a wide range of cryptographic functions. It operates on plaintext (clear) keys, that is, key material that is present unencrypted in the memory of the process using it. OpenSSL is used as a fundamental building block by a variety of applications dealing with general-purpose cryptography and secure communication.
In data security applications, the OpenSSL toolkit is used to create certificates for VPN authentication and to secure internet communication, banking traffic, credit card transactions, mail and messaging traffic, and many other cryptographic purposes. Given this breadth of functions and the widespread use of OpenSSL by vendors of cryptographic software and internet applications, accelerating its cryptographic processing in hardware is of utmost importance.
OpenSSL runs on multiple platforms and operating systems (including Linux®, macOS, and Windows™) and is used both by enterprises and for private purposes.
The OpenSSL toolkit comprises the following components:
- libssl: an implementation of the Transport Layer Security (TLS) protocol for secure data transmission on the internet, used, for example, by the Apache web server.
- libcrypto: a library that provides functions for a variety of cryptographic use cases, among others for the following purposes:
  - creating and managing private and public key pairs
  - performing public key cryptographic operations
  - creating X.509 certificates, Certificate Signing Requests (CSRs), and Certificate Revocation Lists (CRLs)
  - applying hash functions
  - applying encryption and decryption algorithms
  - generating cryptographically secure pseudo-random numbers.
  The libcrypto library forms the basis of the TLS implementation, but can also be used independently.
- openssl: a command line tool for using the cryptographic functions of the libcrypto library, and also for additional purposes, for example:
  - SSL/TLS client and server tests
  - handling of S/MIME signed or encrypted mail
  - time stamp requests, generation, and verification.
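As an added example (not code from the OpenSSL project or from this page), the following POSIX shell script exercises the libcrypto functions listed above through the openssl command line tool: key pair creation, a CSR and a self-signed certificate, signing and signature verification including a tampered message, AES encryption with a random key and IV, and a SHA-256 digest. The file names, the subject name example.test and the message text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL project or of this documentation:
# drives the libcrypto functions listed above through the openssl command
# line tool. File names, the subject "CN=example.test" and the message text
# are constructed for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo 'openssl command not found' >&2; exit 0; }

# Hash a string with SHA-256 and print the hex digest. The output line reads
# "(stdin)= <hex>" or "SHA2-256(stdin)= <hex>" depending on the version, so
# take the last field.
sha256_hex() {
    printf '%s' "$1" | openssl dgst -sha256 | awk '{ print $NF }'
}

# Key pair, CSR, self-signed certificate, signature, symmetric encryption and
# random numbers. Runs in a subshell so that cd and trap stay local.
demo_pki() (
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    cd "$workdir"
    printf 'signed message\n' > msg.txt

    # Create and manage a private/public key pair (EC P-256).
    openssl ecparam -name prime256v1 -genkey -noout -out key.pem
    openssl pkey -in key.pem -pubout -out pub.pem

    # CSR, then a self-signed X.509 certificate valid for one day, then verify
    # it against itself (it is its own trust anchor here).
    openssl req -new -key key.pem -subj '/CN=example.test' -out req.csr
    openssl x509 -req -in req.csr -signkey key.pem -days 1 -out cert.pem 2>/dev/null
    openssl verify -CAfile cert.pem cert.pem >/dev/null

    # Public key operation: sign with the private key, verify with the public key.
    openssl dgst -sha256 -sign key.pem -out msg.sig msg.txt
    openssl dgst -sha256 -verify pub.pem -signature msg.sig msg.txt >/dev/null

    # Failure mode: a single changed byte must make verification fail.
    printf 'Signed message\n' > tampered.txt
    if openssl dgst -sha256 -verify pub.pem -signature msg.sig tampered.txt >/dev/null 2>&1; then
        echo 'tampered message verified: this must not happen' >&2
        exit 1
    fi

    # Symmetric encryption with a fresh key and IV from the CSPRNG (hex encoded).
    key=$(openssl rand -hex 32)
    iv=$(openssl rand -hex 16)
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in msg.txt -out msg.enc
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in msg.enc -out msg.dec
    [ "$(cat msg.dec)" = "$(cat msg.txt)" ]

    echo 'all checks passed'
)

# Stand-alone run: print the digest of "abc" and the result of the round trip.
echo "sha256(abc) = $(sha256_hex abc)"
demo_pki
```

The script uses a raw key and IV with `-K`/`-iv` rather than a password, so no key derivation is involved; the IV must never be reused with the same key. Every step exits non-zero on failure, and the tampered-message check shows the behaviour you want from a verifier: a changed message is rejected, not merely warned about.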
You can access more detailed information from the home page of the OpenSSL Project:
Among others, the following topics are presented on this home page:
- the GitHub repository from which the source code can be downloaded
- a page with frequently asked questions
- links to the man pages
- information about OpenSSL file formats, especially the OpenSSL configuration files, about environment variables, and about further conventions.
Engines and providers
The OpenSSL architecture supports plug-in mechanisms: engines and, since OpenSSL 3.0, providers. The important difference between the two is the level at which the API that crosses the boundary from OpenSSL into the module sits. Engines present a low-level interface that requires knowledge of OpenSSL internals, whereas providers present an interface that performs cryptographic operations at a higher level.
Engines replace some of the implementations of the OpenSSL libcrypto library with their own processing. Typically, engines are dynamically loadable modules, configured with OpenSSL, that provide cryptographic algorithm implementations. Usually these are alternative implementations of algorithms that libcrypto already provides, for example to enable hardware acceleration of the algorithm.
Providers are the OpenSSL 3.0 successors of engines. A provider supplies one or more of the following:
- cryptographic primitives for an algorithm
- serialization for an algorithm
- store loader back ends.
Though engines are in general still supported in OpenSSL 3.0 and later, they are deprecated. There may be user or system applications that do not work with OpenSSL 3.0 when engines are in use. In general, applications that obtain their algorithm implementations through the OpenSSL 3.0 API (explicit fetching with EVP_MD_fetch, EVP_CIPHER_fetch and related functions) get them from providers only and will not use engines.
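As an added example (not code from the OpenSSL project or from this page), the following POSIX shell script shows how the provider section of an OpenSSL 3 configuration file decides which algorithm implementations are available. It writes a minimal configuration that activates a chosen set of the built-in providers, lists what OpenSSL actually loaded, and probes whether SHA-256 can be used. The section names follow the documented openssl_conf layout; the temporary file paths and the probe input are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL project or of this documentation:
# shows how the provider section of an OpenSSL 3 configuration decides which
# algorithm implementations are available. Config files are written to
# temporary paths; section names follow the documented openssl_conf layout.
set -eu

command -v openssl >/dev/null 2>&1 || { echo 'openssl command not found' >&2; exit 0; }
case "$(openssl version)" in
    'OpenSSL 3'*) ;;
    *) echo 'this demo needs OpenSSL 3 (providers)' >&2; exit 0 ;;
esac

# Write a minimal configuration that activates exactly the named providers
# and print its path. Arguments: provider names, for example "default base".
write_provider_conf() {
    conf=$(mktemp)
    {
        echo 'openssl_conf = openssl_init'
        echo '[openssl_init]'
        echo 'providers = provider_sect'
        echo '[provider_sect]'
        for p in "$@"; do echo "$p = ${p}_sect"; done
        for p in "$@"; do
            echo "[${p}_sect]"
            echo 'activate = 1'      # without activate = 1 the entry is ignored
        done
    } > "$conf"
    echo "$conf"
}

# Print the names of the providers OpenSSL loaded under a configuration that
# activates the given providers, one per line. Provider names are the lines
# indented by exactly two spaces in "openssl list -providers".
loaded_providers() {
    conf=$(write_provider_conf "$@")
    OPENSSL_CONF="$conf" openssl list -providers | awk '/^  [^ ]/ { print $1 }'
    rm -f "$conf"
}

# Print "available" or "unavailable" depending on whether SHA-256 can be
# fetched when only the given providers are active.
sha256_with_providers() {
    conf=$(write_provider_conf "$@")
    if printf 'x' | OPENSSL_CONF="$conf" openssl dgst -sha256 >/dev/null 2>&1; then
        echo available
    else
        echo unavailable
    fi
    rm -f "$conf"
}

# Stand-alone run.
echo "providers loaded with 'default base': $(loaded_providers default base | tr '\n' ' ')"
echo "providers loaded with 'base' only:    $(loaded_providers base | tr '\n' ' ')"
echo "SHA-256 with default only: $(sha256_with_providers default)"
echo "SHA-256 with base only:    $(sha256_with_providers base)"
```

The second probe is the caveat worth remembering: as soon as a configuration explicitly activates any provider, OpenSSL no longer loads the default provider automatically, so a configuration that lists only base (or only a hardware or FIPS provider) leaves ordinary algorithms such as SHA-256 unavailable and applications fail with "unsupported" errors. The same mechanism is what makes a provider-based hardware back end take over an algorithm: the provider that supplies the implementation must be activated in the configuration, or fetched explicitly by the application.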
Find more information on the following web sites: