OpenSSL

June 26, 2025
September 29, 2015

x-509

OpenSSL is a toolkit for the TLS and SSL protocols.
OpenSSL - Wikiwand
ossl-guide-introduction - OpenSSL Documentation
How SSL Certificates Use Digital Signatures

OpenSSL Cookbook | Feisty Duck ❗!important

OpenSSL PKI Tutorial v2.0 — OpenSSL PKI Tutorial
OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs | DigitalOcean
Symmetric Key Decryption Methods (AES, ARIA, Blowfish, Camellia, ChaCha20, Cast, DES, 3DES, IDEA, RC2 and RC4) CLI command generator
The Most Common OpenSSL Commands
Some list of openssl commands for check and verify your keys
OpenSSL command cheatsheet
OpenSSL Quick Reference Guide

jbp.io :: TLS performance: rustls versus OpenSSL

Troubleshooting

sudo su
sudo tcpdump -vvv -s 0 -nni <interface> -w <file> host <host> and port <port> &
openssl s_client -connect <host>:<port> -state -msg

openssl s_client -connect www.feistyduck.com:443 -CApath /etc/ssl/certs/ # TLS1.2
openssl s_client -connect toco.hk:443 -CApath /etc/ssl/certs/ # cert error

# e.g.
sudo su
sudo tcpdump -vvv -s 0 -nni eno1 -w internal.cap host 10.6.64.170 and port 443 &
openssl s_client -connect 10.6.64.170:443 -state -msg

SOL15475 - Troubleshooting SSL/TLS renegotiation
SOL15292 - Troubleshooting SSL/TLS handshake failures
SOL10209 - Overview of packet tracing with the ssldump utility


Alternate Implementations

Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions

LibreSSL

fork of OpenSSL by OpenBSD

LibreSSL
LibreSSL - Wikiwand

Tink/BoringSSL

Google originally forked OpenSSL as BoringSSL

Tink  |  Google for Developers
Goodbye OpenSSL, and Hello To Google Tink | by Prof Bill Buchanan OBE FRSE | ASecuritySite: When Bob Met Alice | Medium

Tink Cryptography Library
boringssl - Git at Google

mbedtls

implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols

Mbed TLS
Mbed-TLS/mbedtls: An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
Mbed TLS documentation hub — Mbed TLS documentation

Implements PSA Crypto API
PSA Certified Crypto API 1.2 — PSA Certified Crypto API 1.2

wolfSSL

wolfSSL – Embedded SSL/TLS Library
WolfSSL - Wikiwand
wolfSSL/wolfssl: The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3! GPL

SymCrypt

microsoft/SymCrypt: Cryptographic library
microsoft/SymCrypt-OpenSSL: OpenSSL engine for use with SymCrypt cryptographic library

Botan

Botan — Botan

Network Security Services (NSS)

Network Security Services (NSS) — Firefox Source Docs documentation

certutil
cmsutil
crlutil
modutil
nss-config
pk12util
shlibsign
signtool
signver
ssltap

CFSSL

Introducing CFSSL - CloudFlare's PKI toolkit

cloudflare/cfssl: CFSSL: Cloudflare's PKI and TLS toolkit

myca.json:

{
  "CN": "k3s",
  "hosts": ["k3s"],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "SG",
      "ST": "SG",
      "L": "Singapore"
    }
  ]
}

cfssl gencert -initca myca.json | cfssljson -bare myca

serverRequest.json:

{
   "CN": "registry",
   "hosts": [ "ubuntu" ],
   "key": {
      "algo": "rsa",
      "size": 2048
   }
}

cfssl gencert -ca=myca.pem -ca-key=myca-key.pem -config=ca-config.json -profile=server -hostname=ubuntu serverRequest.json | cfssljson -bare registry

GnuTLS

Pretty outdated, not recommended.

GnuTLS