Useful OpenSSL Tricks

By Van Emery


OpenSSL deserves a lot of credit. It is an extremely useful, valuable Open Source project. When people talk about how successful Apache is, rock-solid crypto toolkits like OpenSSL and OpenSSH should also be mentioned. Here are a few (of the many) functions that I have found useful, along with examples of how to use them:

These examples assume that you are using a Unix-like OS, with OpenSSL 0.9.6b or higher.

Base64 Encode/Decode

Base64 encoding is a standard method for converting 8-bit binary information into a limited subset of ASCII characters for safe transport through e-mail systems, and other systems that are not 8-bit safe. With OpenSSL, it is very easy to encode and decode Base64 data:

$ openssl enc -base64 -in myfile -out myfile.b64

$ openssl enc -d -base64 -in myfile.b64 -out myfile.decrypt

Symmetric Encryption/Decryption of Files

As you can imagine, being able to encrypt and decrypt files with strong ciphers is a useful function. With OpenSSL, you can even use the commands in shell scripts. Here are some command line examples using the Blowfish, Triple DES, and CAST5 ciphers:

$ openssl enc -e -a -salt -bf -in tomcat.jpg -out tomcat.blowfish
enter bf-cbc encryption password:
Verifying password - enter bf-cbc encryption password:

$ openssl enc -d -a -bf -in tomcat.blowfish -out tomcat-decrypt.jpg
enter bf-cbc decryption password:

$ openssl enc -e -a -salt -des3 -in tomcat.jpg -out tomcat.des3
enter des-ede3-cbc encryption password:
Verifying password - enter des-ede3-cbc encryption password:

$ openssl enc -d -a -des3 -in tomcat.des3 -out tomcat-des3.jpg
enter des-ede3-cbc decryption password:

$ openssl enc -e -a -salt -cast5-cbc -in tomcat.jpg -out tomcat.cast5
enter cast5-cbc encryption password:
Verifying password - enter cast5-cbc encryption password:

$ openssl enc -d -a -cast5-cbc -in tomcat.cast5 -out tomcat-cast5.jpg
enter cast5-cbc decryption password:

If the file will not be transported as an e-mail attachment, you can forego the -a argument, which base64 encodes and decodes the ciphertext. Sometimes this is referred to as "ASCII armor". The non-base64 encoded files should be smaller. Here is an example using the CAST5-CBC algorithm:

$ openssl enc -e -salt -cast5-cbc -in tomcat.jpg -out tomcat.nob64
enter cast5-cbc encryption password:
Verifying password - enter cast5-cbc encryption password:

$ openssl enc -d -cast5-cbc -in tomcat.nob64 -out tomcat-nob64.jpg
enter cast5-cbc decryption password:

Cryptographic Hashing Functions

What if you want to check to see that a file has not been tampered with? One simple way to do this is a cryptographic hashing function. This will give you a fixed-length string (called a message digest) given an input file of any length. SHA-1 and RIPE-MD160 are considered current; MD-5 is considered outdated.

$ openssl dgst -sha1 -c tomcat.jpg
SHA1(tomcat.jpg)= 92:b1:9b:96:ef:45:c3:89:b4:2e:e6:96:5b:43:bf:02:66:4a:47:8f

$ openssl dgst -ripemd160 -c tomcat.jpg
RIPEMD160(tomcat.jpg)= 68:f2:05:a9:9d:52:f1:cc:04:ed:d7:1e:42:80:0a:b8:c0:e6:cc:6d

$ openssl dgst -md5 -c tomcat.jpg
MD5(tomcat.jpg)= e7:13:d6:a7:cc:16:e3:da:0a:f7:ab:5a:fa:e3:3b:34

You can see that the md5sum utility that is shipped with most GNU/Linux distributions returns the same value as the openssl md5 message digest:

$ md5sum tomcat.jpg
e713d6a7cc16e3da0af7ab5afae33b34  tomcat.jpg

The OpenSSL dgst (message digest/hashing) command also has numerous options for signing digests, verifying signatures, etc.


OpenSSL has a great test utility available, called s_client. This lets you test servers that use SSL/TLS with a powerful command line utility. The following is an example of using s_client to view information about a secure web server:

$ openssl s_client -connect

depth=0 /C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Server certificate
subject=/C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
No client certificate CA names sent
SSL handshake has read 1549 bytes and written 314 bytes
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 97D3E2DF903F5757AF8BED807F5FD9665F43300F139BDFCD1701974D97E5C5CA
    Master-Key: 4B2295AEDCE520F4615769135FB65EBD6E2345C88FCE4EB7450B71B17FD1A2B4460D751DC3DF05C311DA54B02A7B04D1
    Key-Arg   : None
    Start Time: 1063899107
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Once you have connected, you can manually type in any commands you want, such as "GET /" and "HEAD / HTTP/1.0" for secure web servers. There are also options like -no_tls1 and -no_ssl2 that let you specify which version of SSL/TLS that you want to connect with.

The -showcerts and -debug options are also worth a look.


Back to Linux Gouge...

Valid HTML 4.01!