What is OpenSSL?
To understand OpenSSL, you need to understand its two broad purposes. First, it serves as a toolkit for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Second, it is a general-purpose cryptography library for applications that secure communications over computer networks. This is essential for verifying the identities of the parties communicating between two points on the internet and for guarding systems against eavesdropping. OpenSSL was originally written in C but has wrappers (programs or data that frame other programs or data so that they can run smoothly) supporting numerous other languages. It is widely used in web servers, with over 60% of web servers using it in 2017.
The OpenSSL library holds tools essential for the following tasks:
- Generating private keys for RSA (Rivest-Shamir-Adleman, a public key cryptosystem)
- Generating Certificate Signing Requests (CSRs)
- Performing encryption/decryption as well as managing certificates
Therefore, OpenSSL can broadly be described as a platform that provides an array of utility functions and implements basic cryptographic functions. This makes it an important element of internet security and cryptography.
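The three tasks in the list above, as an added example using the `openssl` command-line tool (not code from the original article). The file names, the temporary directory and the subject name `www.example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example: key generation, CSR creation and checks, RSA encrypt/decrypt.

# Generate a 2048-bit RSA private key; umask keeps the file owner-only.
gen_key() {  # $1 = output key path
    ( umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null )
}

# Create a CSR for CN=$3, signed with the private key in $1.
gen_csr() {  # $1 = key path, $2 = output CSR path, $3 = common name
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2"
}

# Verify the CSR's self-signature. The status line is matched because
# older releases do not reliably signal failure through the exit code.
csr_signature_ok() {  # $1 = CSR path
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Confirm the CSR carries the public half of this private key, so a
# certificate issued from it will be usable with the key on disk.
csr_matches_key() {  # $1 = CSR path, $2 = key path
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Encrypt $2 to the public key with OAEP padding, decrypt it with the
# private key, and print the recovered plaintext.
rsa_roundtrip() {  # $1 = key path, $2 = short message
    pub=$(mktemp) && openssl pkey -in "$1" -pubout -out "$pub" &&
    printf '%s' "$2" |
        openssl pkeyutl -encrypt -pubin -inkey "$pub" \
            -pkeyopt rsa_padding_mode:oaep |
        openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep
    rm -f "$pub"
}

# Constructed demo run in a throwaway directory.
workdir=$(mktemp -d)
gen_key "$workdir/server.key"
gen_csr "$workdir/server.key" "$workdir/server.csr" "www.example.test"
csr_signature_ok "$workdir/server.csr" && echo "CSR self-signature verifies"
csr_matches_key "$workdir/server.csr" "$workdir/server.key" &&
    echo "CSR public key matches the private key"
rsa_roundtrip "$workdir/server.key" "constructed test message"; echo
```

The key-match check is the one worth keeping in a deployment script: a CSR paired with the wrong private key only fails later, when the issued certificate is installed.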
A brief history of OpenSSL
In 1998 there was a need for tools for encrypting code being used on the rapidly expanding internet. Around the same time, Tim Hudson and Eric Andrew Young were working on the SSLeay project, an open-source SSL implementation, which abruptly ended in December of that year when the duo joined RSA Security. As a result, the now-defunct SSLeay provided the foundation for the OpenSSL project, which was launched by Stephen Henson and a team of 11 other developers.
The project has since grown tremendously and has a budget of $1 million, which is shouldered by donors.
OpenSSL is distributed under an Apache-style license. Its simple license conditions give anyone the freedom to obtain OpenSSL and use it for both non-commercial and commercial purposes.
Over the years, security researchers have discovered a number of OpenSSL and TLS vulnerabilities, which signifies the importance of having penetration tests performed against an organization's external and internal attack surface.