OpenSSL is a powerful Secure Sockets Layer cryptographic library. Apache uses it for HTTPS encryption, and OpenSSH uses it for SSH encryption. But, you don't have to use it as a library. It's also a multipurpose, cross-platform crypto tool.
Here's a little background on OpenSSL. Before OpenSSL, there was ssleay, an SSL implementation written by Eric A. Young. It was successively improved and eventually became OpenSSL, similar to how NCSA HTTPd became the Apache Web server. Today, OpenSSL supports dozens of cryptographic algorithms and protocols with hundreds of options.
OpenSSL has a lot of features. In addition to the SSL client and server features, OpenSSL also has:
US federal government NIST FIPS 140-2 Level 1 validation.
TLS, the next generation of SSL.
X.509 key and certificate generation.
X.509 certificate authority.
File encryption and hashing.
UNIX password hashes.
Nine different commercial cryptographic hardware devices.
Cryptographic performance testing.
Six message digest algorithms.
Nine cipher algorithms with four block modes (where applicable).
Multiple crypto protocols.
Although OpenSSL is complex, a lot of that complexity can be avoided. The remainder of this article concentrates on features that are easy to use, and in only a few lines of shell code.
This article uses the same section titles as in my earlier GnuPG article (“GnuPG Hacks”, Linux Journal, March 2006, page 52) to make it easier to compare OpenSSL and GnuPG.
First, let's confirm that OpenSSL is installed and in your path. Many Linux distributions, even some small distributions, include OpenSSL. Usually OpenSSL is located in /usr/bin/, like most bundled packages.
In all of the examples, the shell prompt is set to $.
$ openssl version
Note that there are no leading dashes for the version option.
You should get something like this:
OpenSSL 0.9.7d 17 Mar 2004
The exact version number, date and other details may vary. At the time of this writing, the current version is OpenSSL 0.9.8a. The examples we're using should work for most versions of OpenSSL.
If you typed openssl with no command-line option, you'll get this:
If this happens, simply type quit or press Ctrl-C to exit safely. It's only the OpenSSL internal command-line prompt. It doesn't have command-line editing and has no explicit help function. But, it will type a list of commands if you type a command it doesn't know. It's better to avoid it for now.
Binary files typically are sent in e-mail using MIME. However, if your e-mail software doesn't support MIME, like most command-line e-mail, you're stuck with uuencode, or you can use OpenSSL's base64 encoding. Base64 is the same encoding used by the much more complicated MIME protocol, but it's not directly MIME-compatible.
To wrap a file in base64 text encoding, type:
$ openssl base64 < filename.bin > filename.txt
To unwrap a base64-encoded file, type:
$ openssl base64 -d < filename.txt > filename.bin
Note that OpenSSL doesn't care about the filename extension.
OpenSSL, unlike GnuPG or MIME, also can encode short strings, as follows:
$ echo "The Linux Journal" | openssl base64 VGhlIExpbnV4IEpvdXJuYWwK
Decoding is similar:
$ echo "VGhlIExpbnV4IEpvdXJuYWwK" | openssl base64 -d The Linux Journal
sum and cksum are the traditional UNIX checksum programs. They work fine, as long as as you don't need cross-platform compatibility or security, and you don't mind that occasionally two completely different files will have the same checksum value.
Although Linux systems often have md5sum installed, the MD5 algorithm suffers from a relatively new vulnerability and shouldn't be used anymore.
If it's installed, the more secure sha1sum should be used. Several different programs go by this name, however. Some versions can hash only one file at a time, some can't handle stdin or have some other deficiency. If you run into any of these problems or simply want consistent, known, good cross-platform software, consider OpenSSL.
The OpenSSL hash output format is a bit different from GnuPG, but numerically identical. OpenSSL format always identifies the algorithm used and also outputs a lowercase hexadecimal string with no whitespace. Some find this format easier to use.
Here are some examples:
$ openssl sha1 filename SHA1(filename)= e83a42b9bc8431a6645099be50b6341a35d3dceb $ openssl md5 filename MD5(filename)= 26e9855f8ad6a5906fea121283c729c4
As in my previous “GnuPG Hacks” article, the above examples use a file that contains the string: “The Linux Journal”. Note that there is no period in the string.
If you have a problem replicating these results, here is the ASCII-annotated hexadecimal representation of the file. Note the newline at the end automatically added by vi:
T h e L i n u x J o u r n a l \n 54 68 65 20 4c 69 6e 75 78 20 4a 6f 75 72 6e 61 6c 0a
OpenSSL, unlike GnuPG, doesn't have SHA-512, but OpenSSL does have MD2, MD4 and MDC2. These are older algorithms that are provided for backward compatibility. Like MD5, they shouldn't be used anymore.
|Speed Up Your Web Site with Varnish||Jun 19, 2013|
|Non-Linux FOSS: libnotify, OS X Style||Jun 18, 2013|
|Containers—Not Virtual Machines—Are the Future Cloud||Jun 17, 2013|
|Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer||Jun 12, 2013|
|Weechat, Irssi's Little Brother||Jun 11, 2013|
|One Tail Just Isn't Enough||Jun 07, 2013|
- Speed Up Your Web Site with Varnish
- Containers—Not Virtual Machines—Are the Future Cloud
- Linux Systems Administrator
- Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer
- Senior Perl Developer
- Technical Support Rep
- Non-Linux FOSS: libnotify, OS X Style
- UX Designer
- RSS Feeds
- It is quiet helping
40 min 24 sec ago
57 min 28 sec ago
- Reachli - Amplifying your
2 hours 13 min ago
3 hours 2 min ago
- good point!
3 hours 5 min ago
- Varnish works!
3 hours 14 min ago
- Reply to comment | Linux Journal
3 hours 44 min ago
- Reply to comment | Linux Journal
6 hours 10 min ago
- Reply to comment | Linux Journal
10 hours 9 min ago
- Yeah, user namespaces are
11 hours 26 min ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?