OpenSSL is a free and open source software cryptography library that implements both the Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) protocols, which are primarily used to provide secure communications between web browsers and web servers. In essence, it prevents eavesdropping and impersonation. The library also provides tools for creating RSA private keys and certificate signing requests (CSRs), for managing certificates and for computing checksums. Written in C and assembly language, OpenSSL also comes with wrappers for many other programming languages. Versions of the library are available for most operating systems, including Microsoft Windows, Linux, and many versions of Unix and Unix-like operating systems. It is so widely deployed that most servers on the Internet today run it in one form or another.
- Provides an open source implementation of both SSL and TLS protocols
- Comes with a complete set of useful cryptographic tools
- Supports a variety of programming languages
- Is completely free to use
- Is used in most web servers running today
- Is FIPS 140-2 compliant
- Will slow web servers down (by definition of what it does)
- Has had many security vulnerabilities over the years
- The project only employs one full-time developer
Whenever you load a web page in a browser using HTTPS, you are likely using OpenSSL, as most web servers run it (66% by the latest estimates). It is as ubiquitous as it is powerful, because it is what secures communication between web servers and browsers. It supports a whole host of cryptographic algorithms, including ciphers, cryptographic hash functions and public key cryptography. It is also one of only two open source libraries to receive a FIPS 140-2 compliance certificate from the National Institute of Standards and Technology's Cryptographic Module Validation Program. It does not have many drawbacks, apart from the fact that, by definition, its use in web communications will slow the web server. It has also had many security vulnerabilities over the years. Most notable was the Heartbleed bug in 2014, which allowed attackers to read portions of the server's application memory. Finally, the project employs only one full-time developer.
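The tools the opening paragraph lists (creating an RSA private key and a CSR, managing certificates, computing checksums) are exercised in the following shell script. It is an added example, not code from the page or from the OpenSSL project; it assumes a POSIX shell with the `openssl` command-line tool on PATH. The host name `example.test` and every file name are placeholders, and the key and certificate it produces are throwaway test material. It also shows how to read back the installed library version, which is the first thing an operator checks against an advisory such as the one for Heartbleed.

```shell
#!/bin/sh
# Added example, not code from the page or from the OpenSSL project: it drives
# the `openssl` command-line tool through the tasks the text names. It assumes
# `openssl` is on PATH; the host name example.test and all file names are
# placeholders, and the key and certificate are throwaway test material.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a 2048-bit RSA private key at $1. The subshell's umask makes the
# file owner-readable only; a private key must never be world-readable.
make_key() {
    ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null )
}

# Create a certificate signing request at $2 for the key in $1. A real CSR
# would carry the server's real host name in its subject.
make_csr() {
    openssl req -new -key "$1" -subj "/CN=example.test" -out "$2" 2>/dev/null
}

# Self-sign the CSR in $2 with the key in $1, writing the certificate to $3.
# In production a certificate authority performs this step instead.
make_cert() {
    openssl x509 -req -in "$2" -signkey "$1" -days 1 -out "$3" 2>/dev/null
}

# Certificate management: print the subject of the certificate in $1.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Check that key $1 and certificate $2 belong together by comparing the
# SHA-256 digests of the public keys each one contains.
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)"
    c="$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)"
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Checksum: the hex SHA-256 digest of the file $1, computed by OpenSSL.
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Version of the installed library, for comparison against security
# advisories (the Heartbleed fix, for example, shipped as a point release).
openssl_version() {
    openssl version | cut -d' ' -f2
}

main() {
    make_key "$WORK/server.key"
    make_csr "$WORK/server.key" "$WORK/server.csr"
    make_cert "$WORK/server.key" "$WORK/server.csr" "$WORK/server.crt"
    cert_subject "$WORK/server.crt"
    key_matches_cert "$WORK/server.key" "$WORK/server.crt"
    printf 'hello\n' > "$WORK/data.txt"
    sha256_of "$WORK/data.txt"
    openssl_version
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl is not installed; nothing to demonstrate" >&2
fi
```

The key-to-certificate comparison is the check worth keeping around: a mismatched pair is a common cause of a web server refusing to start after a certificate renewal, and comparing public-key digests catches it before deployment.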