OpenSSL Hacks

OpenSSL contains a command-line tool to do nearly everything possible within the OpenSSL library. Even better, it's probably already installed on your system.

OpenSSL is a powerful Secure Sockets Layer cryptographic library. Apache uses it for HTTPS encryption, and OpenSSH uses it for SSH encryption. But, you don't have to use it as a library. It's also a multipurpose, cross-platform crypto tool.

Here's a little background on OpenSSL. Before OpenSSL, there was ssleay, an SSL implementation written by Eric A. Young. It was successively improved and eventually became OpenSSL, similar to how NCSA HTTPd became the Apache Web server. Today, OpenSSL supports dozens of cryptographic algorithms and protocols with hundreds of options.

OpenSSL has a lot of features. In addition to the SSL client and server features, OpenSSL also has:

  • US federal government NIST FIPS 140-2 Level 1 validation.

  • TLS, the next generation of SSL.

  • X.509 key and certificate generation.

  • X.509 certificate authority.

  • S/MIME encryption.

  • File encryption and hashing.

  • UNIX password hashes.

  • Nine different commercial cryptographic hardware devices.

  • Cryptographic performance testing.

  • Thirty-six commands.

  • Six message digest algorithms.

  • Nine cipher algorithms with four block modes (where applicable).

  • Multiple crypto protocols.

Although OpenSSL is complex, a lot of that complexity can be avoided. The remainder of this article concentrates on features that are easy to use, and in only a few lines of shell code.

This article uses the same section titles as in my earlier GnuPG article (“GnuPG Hacks”, Linux Journal, March 2006, page 52) to make it easier to compare OpenSSL and GnuPG.

Getting Started

First, let's confirm that OpenSSL is installed and in your path. Many Linux distributions, even some small distributions, include OpenSSL. Usually OpenSSL is located in /usr/bin/, like most bundled packages.

In all of the examples, the shell prompt is set to $.

First, type:

$ openssl version

Note that there are no leading dashes for the version option.

You should get something like this:

OpenSSL 0.9.7d 17 Mar 2004

The exact version number, date and other details may vary. At the time of this writing, the current version is OpenSSL 0.9.8a. The examples we're using should work for most versions of OpenSSL.

If you typed openssl with no command-line option, you'll get this:


If this happens, simply type quit or press Ctrl-C to exit safely. It's only the OpenSSL internal command-line prompt. It doesn't have command-line editing and has no explicit help function. But, it will type a list of commands if you type a command it doesn't know. It's better to avoid it for now.

Binary File Shields

Binary files typically are sent in e-mail using MIME. However, if your e-mail software doesn't support MIME, like most command-line e-mail, you're stuck with uuencode, or you can use OpenSSL's base64 encoding. Base64 is the same encoding used by the much more complicated MIME protocol, but it's not directly MIME-compatible.

To wrap a file in base64 text encoding, type:

$ openssl base64 < filename.bin > filename.txt

To unwrap a base64-encoded file, type:

$ openssl base64 -d < filename.txt > filename.bin

Note that OpenSSL doesn't care about the filename extension.

OpenSSL, unlike GnuPG or MIME, also can encode short strings, as follows:

$ echo "The Linux Journal" | openssl base64

Decoding is similar:

$ echo "VGhlIExpbnV4IEpvdXJuYWwK" | openssl base64 -d
The Linux Journal

Note the -d option, which specifies decoding.

Better Checksums

sum and cksum are the traditional UNIX checksum programs. They work fine, as long as as you don't need cross-platform compatibility or security, and you don't mind that occasionally two completely different files will have the same checksum value.

Although Linux systems often have md5sum installed, the MD5 algorithm suffers from a relatively new vulnerability and shouldn't be used anymore.

If it's installed, the more secure sha1sum should be used. Several different programs go by this name, however. Some versions can hash only one file at a time, some can't handle stdin or have some other deficiency. If you run into any of these problems or simply want consistent, known, good cross-platform software, consider OpenSSL.

The OpenSSL hash output format is a bit different from GnuPG, but numerically identical. OpenSSL format always identifies the algorithm used and also outputs a lowercase hexadecimal string with no whitespace. Some find this format easier to use.

Here are some examples:

$ openssl sha1 filename
SHA1(filename)= e83a42b9bc8431a6645099be50b6341a35d3dceb

$ openssl md5 filename
MD5(filename)= 26e9855f8ad6a5906fea121283c729c4

As in my previous “GnuPG Hacks” article, the above examples use a file that contains the string: “The Linux Journal”. Note that there is no period in the string.

If you have a problem replicating these results, here is the ASCII-annotated hexadecimal representation of the file. Note the newline at the end automatically added by vi:

T  h  e     L  i  n  u  x     J  o  u  r  n  a  l  \n
54 68 65 20 4c 69 6e 75 78 20 4a 6f 75 72 6e 61 6c 0a

OpenSSL, unlike GnuPG, doesn't have SHA-512, but OpenSSL does have MD2, MD4 and MDC2. These are older algorithms that are provided for backward compatibility. Like MD5, they shouldn't be used anymore.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

In relation to the password

IainB's picture

In relation to the password hash, surely the server needs to know the salt too? When I run the example I don't get the salt returned, so how can the hash be used?? Can the salt be derived from the hash somehow, and if so, doesn't knowledge of the salt make the hash much, much weaker?

I'm sure I've missed something obvious!

As far as I know, the salt

aurir_'s picture

As far as I know, the salt is stored between two dollar signs. So it's part of the hash. At least for the MD5 (openssl passwd -1).

MD5 passwd hash

BernieD's picture

I need a cc or gcc source file that I can compile on an HP running HPUX 11. I want to compile it into an existing process that currently generates and hashes 8 digit passwords using DES i.e., the old crypt(). I nust now increase that password from 8 positions to 15 for security purposes. I'd guess that a perl script would do also as long as it had the proper hooks to the MD5 hash.

I will really appreciate any help on this item.


Anonymous's picture

Great Article Anthony!

Very interesting and informational.

Can you expand a little on where you say:

" the above example multiple times. The output is the cryptographic hash of your password. The hash is randomly salted so that every time it's run, the output will be different, even if the password is the same."

Why will the output be different?



Wu Yongzheng's picture

Basically, salt is a random string appended to your password. So instead of hash(password), we do hash(password | salt). The server keeps both salt and hash value. The purpose of salt is to prevent pre-calculated table attack.


Page is rendered too wide

rhkramer's picture

The lines on this page are too wide, I have to scroll horizontally to read each line, hence I haven't read the article.

The problem seems to be Table 2, and specifically the header lines, but Table 3 may also be wide on some screens.

I'm sure someone can find a number of creative ways to solve the problem.

Randy Kramer

Page is rendered too wide

Keith Daniels's picture

In most browsers, those capable of handling cascading style sheets (CSS) that table displays with a horizontal scroll bar at the bottom and does not extend the page width.

What browser are you using and what version?

Linux Journal

I forgot to ask

Keith Daniels's picture

Have you changed the settings in your browser so you use a default or customized style sheet for it? This is common with Opera.

Linux Journal

All the new OSs and windowing systems are oriented towards content consumption instead of content production.

--Steve Daniels 2013

Width problem

Allan Morris's picture

The width problem on this page as commented by others is still there. Using Konqueror 3.5.4 on Kubuntu with stylesheet set as default. Browser as-is passes the acid style test 100%. The problem is with your site.


Allan Morris.

Width problem

Keith Daniels's picture

There were two problems here. Though I made the page quit showing so wide, the problems still exist.

Problem #1 Konqueror will not obey the CSS rule (overflow: auto;) for a table which would make a horizontal scroll bar appear only underneath the over sized table and the screen would not display wide. All other browsers I tested do this.

Problem #2 Konqueror obeyed a CSS rule for table headers (th{white-space: nowrap;}) that none of the other browsers paid any attention to. I killed the white-space rule and the page no longer over extends your screen (or at least not as much, there is still a point where the table headers will not continue to wrap). If the other browsers had obeyed this rule I would have found this problem much earlier.


All the new OSs and windowing systems are oriented towards content consumption instead of content production.

--Steve Daniels 2013