Introduction
OpenSSL is a widely used library that handles network connection security by SSL/TLS.
One of its problems is that the official documentation is frequently incomplete, spread across the net, and quite far away from beginners.
General Basics
Usually, OpenSSL offers 2 different connection SSL/TLS types:
- simple, with no certificate handling.
- authenticated, with certificate handling.
Usually, we are working with the second one, with the authentication of both the client & the server.
On the client-side, a private key and its certificate shall be provided.
On the server-side a certificate shall be provided.
All these certificates shall be related to a CA root (ie the last one of the certificate chain shall be a CA one).
Usually, they are saved in PEM format (.pem, .crt, .key) and they usually are placed into a folder ‘PEM’ (usually into the program folder). This folder also contains all CA certificates that are indirectly used during the verifications.
If you use them, they shall be renamed in the following format: <cert. hash>.<progressive from 0> (for example: ‘1A2B3C4D.0‘).
OpenSSL offers a command-line utility that allows us to handle and test keys, certificates, … with quite good diagnostics. The following commands are used to verify and track down issues.
Testing commands
In order to test/verify connections, it is very useful to use built-in features of ‘openssl.exe’.
One of the many capabilities is to emulate an SSL/TLS server with several options, and it’s available by the following command line:
openssl s_server -state -accept <listening port> -cert <certificate file> -key <private key file> -CAfile <ca file>
To force client certificate usage use this other command line:
openssl s_server -state -accept <listening port> -Verify 1 -cert <certificate file> -key <private key file> -CAfile <ca file>
To verify connection and/or certificate/keys… with a server, use this command line:
openssl s_client -state -showcerts -connect <server_name/ip_addr:port> -CApath <CA cert path> -cert <client certificate file> -key <client private key file>
or if you need to use a specific CA certificate file:
openssl s_client -state -showcerts -connect <server_name/ip_addr:port> -CAfile <CA cert file> -cert <client certificate file> -key <client private key file>
and if you need to set limits ciphers (encryption and hash algorithm), you can add this parameter:
-cipher <cipher_list>
you can also force connection protocol to use by adding one of these:
-tls1_0 -tls1_1 -tls1_2 -tls1_3
NOTE: keep in mind that all SSL protocols are considered unsafe.
Other useful commands
To create an RSA key pair:
openssl genrsa -out <key file.pem> -3 <bits>
To extract the public key to be signed:
openssl rsa -pubout -in <private key file.pem> -out <pub. key file.pem>
To extract certificate info:
openssl x509 -text -in <certificate filename>
To extract certificate hash:
openssl x509 -hash -in <certificate filename>
Runtimes Libraries
There are 2 official DLLs that need to be distributed, in order to work with OpenSSL under Windows32, and they are:
- ssleay32.dll
- libeay32.dll
They need VC2008 runtimes libraries and these ones have to be installed by the MS setup file.
From v1.1.x, these DLLs are changed to:
- libssl-1_1.dll
- libcrypto-1_1.dll
From September 2018, they are using VS2017 RTMs.
A program shall be specifically designed for v1.1.x since the libraries interface is changed.
Be sure that to get the proper file considering your OS and program type (32-64 bits).
It can be reached by the link in this page (the OpenSSL binaries page): http://slproweb.com/products/Win32OpenSSL.html or by the official site, in the ‘about‘ page, ‘Binaries‘ tab.
Available Ciphers
In order to disable insecure/weak ciphers, you can use the following cipher list:
DEFAULT:!eNULL:!aNULL:!DES:!3DES:!RC2:!RC4:!MD4
From the client-side, this blacklist removes them from the client/server capabilities in order to pilot the server choice and to improve the connection security.
Useful links
Home page IBM Knowledge Center IBM Knowledge Center – SSL message reference