7 Practical uses of OpenSSL (via linuxaria.com)

Original article: http://www.linuxaria.com/howto/openssl-7-usi-pratici?lang=en


In a previous article we saw the basics of encryption and asymmetric key used in the e-mail. On Linux the most used and popular programthat deals with security and encryption is OpenSSL .

OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.

Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four open source BSD operating systems), OpenVMS and Microsoft Windows. IBM provides a port for the System i (OS/400). OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson, development of which unofficially ended around December 1998, when Young and Hudson both started to work for RSA Security.

Today we will see some practical uses of programs that rely on OpenSSL.


A fundamental use of OpenSSL is to create your own Certification Authority (CA) with which you can generate certificates to be used later in other programs. Since this is a long topic it’s not discussed in this article, where we will use the simplest and least common of the OpenSSL programs.

Connect to a https service

Sometimes is useful to have the equivalent of a “telnet myservice 80 “, but with sites in https a telnet don’t work so you need an openssl command:

openssl s_client -connect host:443 -state -debugGET / HTTP/1.0

You’ll get a very long output, but you’ll be able to do some test/debug also on the encrypted http.

Generate random numbers or strings

To generate random strings you can use the openssl rand; to generate a random integer you can use:

root@laptop:~# echo $(openssl rand 4 | od -DAn)1173091498

While if you want to generate a base64 string (perhaps to get a random password)

root@laptop:~# openssl rand -base64 6Cki3awd4

Verify an online certificate from the command line

Not always the most advanced clients are also the more comfortable to see a certificate with this command you can verify a certificate from an https site or maybe a ldaps:

root@laptop:~#openssl s_client -connect google.com:443CONNECTED(00000003)depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CAverify error:num=20:unable to get local issuer certificateverify return:0---Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority---Server certificate-----BEGIN CERTIFICATE-----MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd.......

And if just need to check if the certificate is about to expire, check for the dates with another openssl command in pipe:

root@laptop:~# openssl s_client -connect google.com:443|openssl x509 -dates -noout??depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CAverify error:num=20:unable to get local issuer certificateverify return:0notBefore=Dec 18 00:00:00 2009 GMTnotAfter=Dec 18 23:59:59 2011 GMT

Extract information from a certificate

An SSL certificate contains a wide range of information: issuer, valid dates, subject, and some hardcore crypto stuff. The x509 subcommand is the entry point for retrieving this information.The examples below all assume that the certificate you want to examine is stored in a file named cert.pem.

Using the -text option will give you the full breadth of information.

openssl x509 -text -in cert.pem

You can get specific information using the appropriate flag:

# who issued the cert?openssl x509 -noout -in cert.pem -issuer??# to whom was it issued?openssl x509 -noout -in cert.pem -subject??# for what dates is it valid?openssl x509 -noout -in cert.pem -dates??# the above, all at onceopenssl x509 -noout -in cert.pem -issuer -subject -dates??# what is its hash value?openssl x509 -noout -in cert.pem -hash??# what is its MD5 fingerprint?openssl x509 -noout -in cert.pem -fingerprint

Generate a MD5 hash

Openssl can be used also to generate the md5 of a text or a file:

cat yourfile | openssl md5


echo -n "your text to be hashed" |openssl md5

benchmarking with OpenSSL

Openssl include a function to benchmark your system, simply write:

openssl speed

And you’ll get a long report like this one (centrino 1.5 GHZ)

OpenSSL 0.9.8o 01 Jun 2010built on: Wed Nov 17 17:54:03 UTC 2010options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wallavailable timing options: TIMES TIMEB HZ=100 [sysconf value]timing function used: timesThe 'numbers' are in 1000s of bytes per second processed.type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytesmd2                855.18k     1732.09k     2342.00k     2575.00k     2662.40kmdc2                 0.00         0.00         0.00         0.00         0.00md4              16213.70k    56706.21k   157499.53k   287899.83k   381457.07kmd5              13040.86k    43134.65k   112426.54k   185555.70k   228296.58khmac(md5)        12273.58k    41765.66k   109326.48k   184496.49k   230343.74ksha1             11414.65k    33576.61k    72414.64k   102876.35k   117894.33krmd160            8291.07k    21482.65k    41282.44k    53895.00k    58734.43krc4              86563.98k    95285.79k    97506.37k    97709.46k    98543.12kdes cbc          11432.19k    11648.68k    11724.95k    11777.63k    11772.70kdes ede3          4123.07k     4138.75k     4154.66k     4162.05k     4128.22kidea cbc             0.00         0.00         0.00         0.00         0.00seed cbc             0.00         0.00         0.00         0.00         0.00rc2 cbc          13996.01k    14320.10k    14542.58k    14539.74k    14484.95krc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00blowfish cbc     43255.37k    47920.37k    48867.76k    49545.33k    50041.82kcast cbc         30137.81k    32121.24k    32618.69k    33104.10k    32622.36kaes-128 cbc      36708.83k
  39138.84k    39454.24k    39498.27k    39419.55kaes-192 cbc      31592.87k    33304.60k    33824.65k    33721.11k    33996.80kaes-256 cbc      27789.41k    29194.84k    29362.74k    29735.88k    29732.65kcamellia-128 cbc        0.00         0.00         0.00         0.00         0.00camellia-192 cbc        0.00         0.00         0.00         0.00         0.00camellia-256 cbc        0.00         0.00         0.00         0.00         0.00sha256            7809.17k    18163.74k    32279.64k    39705.60k    42603.65ksha512            2230.23k     8900.15k    13026.93k    18077.35k    20271.08kaes-128 ige      37110.42k    39163.19k    40161.57k    40480.51k    39874.08kaes-192 ige      31960.03k    33877.76k    34103.64k    34365.44k    34357.85kaes-256 ige      28192.66k    29575.37k    29714.13k    29876.08k    29675.52k                  sign    verify    sign/s verify/srsa  512 bits 0.001703s 0.000145s    587.1   6896.0rsa 1024 bits 0.009800s 0.000494s    102.0   2026.0rsa 2048 bits 0.062584s 0.001759s     16.0    568.5rsa 4096 bits 0.433333s 0.006440s      2.3    155.3                  sign    verify    sign/s verify/sdsa  512 bits 0.001529s 0.001768s    654.0    565.7dsa 1024 bits 0.004945s 0.005793s    202.2    172.6dsa 2048 bits 0.017221s 0.019843s     58.1     50.4

Benchmark remote connections

The s_time option lets you test connection performance. The most simple invocation will run for 30 seconds, use any cipher, and use SSL handshaking to determine number of connections per second, using both new and reused sessions:

openssl s_time -connect remote.host:443

Beyond that most simple invocation, s_time gives you a wide variety of testing options.

# retrieve remote test.html page using only new sessionsopenssl s_time -connect remote.host:443 -www /test.html -new??# similar, using only SSL v3 and high encryption (see# ciphers(1) man page for cipher strings)openssl s_time   -connect remote.host:443 -www /test.html -new   -ssl3 -cipher HIGH??# compare relative performance of various ciphers in# 10-second testsIFS=":"for c in $(openssl ciphers -ssl3 RSA); do  echo $c  openssl s_time -connect remote.host:443     -www / -new -time 10 -cipher $c 2>&1 |     grep bytes  echodone

One response to “7 Practical uses of OpenSSL (via linuxaria.com)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s