Introduction to OpenSSL/LibreSSL
Introduction
This document demonstrates the use of cryptographic mechanisms provided by the OpenSSL/LibreSSL library. The library supports symmetric cryptography, asymmetric cryptography, generation of message authentication codes, handling of digital certificates and more.
To run these labs, the following is required:
OpenSSL/LibreSSL.
The goal of these labs is to demonstrate the use of the OpenSSL library to provide a range of cryptographic functionality.
The examples presented here demonstrate only a small sample of OpenSSL's full capabilities.
Setup
There is little to do in terms of setup. You just need to install the OpenSSL library; if you use the Kali Linux distribution (or any other Linux distribution, such as Ubuntu, Debian or Parrot OS), it may already be installed by default.

On Windows, OpenSSL can be installed using, for example, the Cygwin software package. On macOS, OpenSSL is installed by default, but if you need a newer version you can use the Homebrew tool (https://brew.sh).
For Windows there are also other options. The main alternatives for installing OpenSSL on Windows 10/11 are as follows (from the simplest to the most complicated):
1. Use Chocolatey to install OpenSSL on Windows 10 with PowerShell, or directly install the OpenSSL binary from the web site;
2. Use Windows Subsystem for Linux (WSL), which allows you to run Linux applications on Windows 10/11; in practice it is like installing Linux on top of Windows 10/11;
3. Use a Linux distribution inside a virtualization tool like VMware or VirtualBox, on top of Windows 10/11;
4. Any other approach, which may involve the use of containers such as Docker.
Option 1 is described in the following links:
Option 2 is explained in the following links:
Option 3 consists of:
Downloading a Linux distribution, such as Ubuntu;
Downloading and installing either VMware Workstation Player or VirtualBox on Windows 10/11. This site even provides ready-made Ubuntu images for both virtualization environments;
Installing the Linux distribution in the selected virtualization environment.
This page also contains important and relevant information on how to install OpenSSL on Windows, with a detailed step-by-step process.
You may also choose not to install OpenSSL natively and instead use the web-based version that can be found here.
Basic commands
Here we will just list some of the basic commands for working with OpenSSL.
Check the OpenSSL version
openssl version
OpenSSL 1.1.1n 15 Mar 2022
OpenSSL command list
openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 mdc2 rmd160 sha1
sha224 sha256 sha3-224 sha3-256
sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256
sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 seed seed-cbc
seed-cfb seed-ecb seed-ofb sm4-cbc
sm4-cfb sm4-ctr sm4-ecb sm4-ofb
OpenSSL interactive console access
Older versions of OpenSSL supported an interactive console mode, entered by invoking the openssl command with no arguments. Newer versions no longer support it.
openssl
OpenSSL>
Generic structure of OpenSSL application and commands
The OpenSSL CLI application has the following command structure:
openssl [command] -[options]
where command is one of the commands supported by the OpenSSL CLI application, and options is the set of options supported by that particular command.
To find out which options a given command supports, simply run:
openssl [command] -help
Usually, each OpenSSL command supports general options, input options and output options. Depending on the type of command, other specific options may be available.
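The command structure just described, together with the version check and the -help lookup from the previous sections, can be exercised from a small POSIX shell script. The script below is an added example, not code from the original lab page; it assumes an openssl binary on PATH (OpenSSL 1.1.1 or newer, or a recent LibreSSL), and every input it processes is constructed inline. It goes a step beyond the page by showing input options (-in), output options (-out) and command-specific options (-sha256, -aes-256-cbc, -K, -iv) in one place, and by checking each result rather than only printing it.

```shell
#!/bin/sh
# Added example, not part of the original lab page: exercising the
# "openssl [command] -[options]" structure from a POSIX shell script.
# Assumes an `openssl` binary on PATH (OpenSSL 1.1.1+ or a recent LibreSSL);
# all sample inputs below are constructed for this example.

# "version" takes no input or output options; it just reports the library.
openssl_version() {
  openssl version
}

# The general option -help works for every command. A real command prints a
# "Usage:" line; an unknown command prints an error and the command list.
# Returns 0 when "$1" is a supported command.
openssl_command_exists() {
  openssl "$1" -help 2>&1 | grep -qi 'usage'
}

# dgst reads its input from stdin (or a file argument); -sha256 picks the
# digest. Output looks like "(stdin)= <hex>", so keep only the last field.
sha256_hex() {
  printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# enc with -in/-out as the input and output options and -aes-256-cbc as the
# command-specific cipher option. -K and -iv take the raw key and IV in hex,
# which avoids password-derivation differences between OpenSSL and LibreSSL
# builds; a key must never be reused with the same IV.
encrypt_file() {   # $1 plaintext path, $2 ciphertext path, $3 key hex, $4 iv hex
  openssl enc -aes-256-cbc -K "$3" -iv "$4" -in "$1" -out "$2"
}

decrypt_file() {   # same arguments; -d switches enc to decryption
  openssl enc -d -aes-256-cbc -K "$3" -iv "$4" -in "$1" -out "$2"
}

# Round-trip a constructed file through encrypt/decrypt. Returns 0 only when
# the decrypted file matches the original and the ciphertext does not.
roundtrip_ok() {
  dir=$(mktemp -d) || return 1
  printf 'constructed sample plaintext for the enc round trip\n' > "$dir/plain.txt"
  # rand generates the key and IV; -hex prints them in the form -K/-iv expect.
  key=$(openssl rand -hex 32)   # 32 bytes = 256-bit AES key
  iv=$(openssl rand -hex 16)    # 16 bytes = one AES block
  rc=1
  if encrypt_file "$dir/plain.txt" "$dir/cipher.bin" "$key" "$iv" &&
     decrypt_file "$dir/cipher.bin" "$dir/back.txt" "$key" "$iv" &&
     cmp -s "$dir/plain.txt" "$dir/back.txt" &&
     ! cmp -s "$dir/plain.txt" "$dir/cipher.bin"; then
    rc=0
  fi
  rm -rf "$dir"
  return $rc
}

# Stand-alone run: report what each helper found.
openssl_version
openssl_command_exists ca && echo "ca: supported"
echo "sha256(abc) = $(sha256_hex abc)"
roundtrip_ok && echo "aes-256-cbc round trip: ok"
```

Each helper maps onto one line of the structure above: the command name comes first, general options such as -help apply everywhere, and -in/-out only appear on commands that consume or produce files. The -K/-iv form is used here because it behaves identically across builds; for real files, a password-based mode with a proper key derivation, or better still a dedicated tool, is the usual choice.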
Check the options for a particular command
openssl ca -help
Usage: ca [options]
Valid options are:
-help Display this summary
-verbose - Talk alot while doing things
-config file - A config file
-name arg - The particular CA definition to use
-gencrl - Generate a new CRL
-crldays days - Days is when the next CRL is due
-crlhours hours - Hours is when the next CRL is due
-startdate YYMMDDHHMMSSZ - certificate validity notBefore
-enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)
-days arg - number of days to certify the certificate for
-md arg - md to use, one of md2, md5, sha or sha1
-policy arg - The CA 'policy' to support
-keyfile arg - private key file
-keyform arg - private key file format (PEM or ENGINE)
-key arg - key to decode the private key if it is encrypted
-cert file - The CA certificate
-selfsign - sign a certificate with the key associated with it
-in file - The input PEM encoded certificate request(s)
-out file - Where to put the output file(s)
-outdir dir - Where to put output certificates
-infiles .... - The last argument, requests to process
-spkac file - File contains DN and signed public key and challenge
-ss_cert file - File contains a self signed cert to sign
-preserveDN - Don't re-order the DN
-noemailDN - Don't add the EMAIL field into certificate' subject
-batch - Don't ask questions
-msie_hack - msie modifications to handle all those universal strings
-revoke file - Revoke a certificate (given in file)
-subj arg - Use arg instead of request's subject
-utf8 - input characters are UTF8 (default ASCII)
-multivalue-rdn - enable support for multivalued RDNs
-extensions .. - Extension section (override value in config file)
-extfile file - Configuration file with X509v3 extentions to add
-crlexts .. - CRL extension section (override value in config file)
-engine e - use engine e, possibly a hardware device.
-status serial - Shows certificate status given the serial number
-updatedb - Updates db for expired certificates
Most of the time it is also better to read the documentation on the OpenSSL website, since it is much more detailed than the information provided by the CLI.
Another important source of information about OpenSSL is the OpenSSL Cookbook, a free online book that covers a wide range of OpenSSL topics.