OpenSSL, originally SSLeay is a free software for Transport Layer Security, originally Secure Sockets Layer ( SSL).

OpenSSL includes implementations of network protocols and various codes and the program for the openssl command line for requesting, generating and managing certificates.


SSLeay enabled mid-1990s to use SSL and outside the United States with strong encryption because this implementation was created in Australia and therefore not exposed to any export restrictions. The name of the software were the initials of the network protocol and the programmer. Eric A. Young had previously worked on implementations of Kerberos and DES. For this new project inspired him in 1995 to his friend Tim J. Hudson. Hudson also contributed significantly to the project by programmed associated patches for other free software for Windows.

The SSLeay version 0.9.1b from the summer of 1998 was no longer published, but further developed by a new team until December 1998 and published as OpenSSL 0.9.1c. Ralf S. Engelschall, co-founder of this group, describes the development of OpenSSL as a prerequisite for the creation of mod_ssl, the most widely used encryption module for Apache web server. In contrast to virtually final mod_ssl, which only remained to the maintenance of the development of OpenSSL is not yet complete. Instead, dedicated, free programmers would continue to design applications, building on the already established basic functions of OpenSSL.

FIPS -140- 2 certification

OpenSSL is the first FIPS 140-2 certified open -source program. This is a security standard that the National Institute of Standards and Technology ( NIST) has been set for the Cryptographic Module Validation Program.

The release was issued in January 2006. In June, she was withdrawn for the time being, however, re-issued on 16 February 2007. According to John Weathersby from the Open Source Software Institute ( OSSI ) was the problem of "political nature" ( in the original: a political challenge), since a comparable commercial providers certification costs considerable money. Was paid to the process by the U.S. Department of Defense and interested companies who had hoped to see a free solution financial savings as well as standardization.

Vulnerability in Debian packages

On 13 May 2008, the Debian project announced that the OpenSSL package of distributions since September 17, 2006 (Version 0.9.8c - 1 to 0.9.8g -9 ) contained a vulnerability. Due to a bug in a Debian-specific patch the generated key with the contained in these packages are predictable random number generator. Affected are SSH, OpenVPN, DNSSEC keys, key in X.509 certificates and session keys used in SSL / TLS connections (HTTPS ) be used. Keys that were generated with GnuPG or GnuTLS, are not affected.

The vulnerability was created in an attempt to eliminate a warning message a code checking software. It should be a little relevant line of code that caused the warning be removed, but also a second occurrence of this line was removed, which was in a different context and had a completely different meaning.

The appropriate key pairs are easy to attack, since it is possible to calculate all eligible private key within a few days. For the affected SSH key a freely downloadable package exists on the internet. This error were and are SSL connections to many servers against man-in- the-middle attacks vulnerable. Connections to servers that have ever had a certificate with a weak key, as long as vulnerable until the certificates expire or are revoked effective. It should be noted that many browsers do not check for revoked certificates. Especially prominent in this context was a vulnerable server of the service provider Akamai, which is responsible among others for the provision of the MAGPIE software of the German tax and driver updates from ATI.


OpenSSL is under the license of SSLeay and its own license, which apply together. Both are similar to the original BSD license. The major limitation is therefore that advertise third-party products that contain OpenSSL, OpenSSL must mention and the two authors of SSLeay.

Revision history

This overview includes extracts from the " ChangeLog " and the " State Project "

0.9.1 - versions

0.9.2 - versions

0.9.3 - versions

0.9.4 - versions

0.9.5 - versions

0.9.6 - versions

0.9.7 - versions

0.9.8 - versions

1.0.0 - versions

1.0.1 - versions

  • Initial support TLS v1.2
  • Added SRP support