Differences between revisions 2 and 16 (spanning 14 versions)
Revision 2 as of 2021-05-17 19:51:47 (size 597)
Revision 16 as of 2023-06-21 09:01:26 (size 2146)
OpenSSL

OpenSSL provides the cryptographic libraries libcrypto (crypto(7ssl)) and libssl (ssl(7ssl)), as well as the utility openssl(1ssl).


Installation

Most Linux and BSD distributions offer an openssl package.


Certificates

It is highly recommended to not use a certificate produced by openssl(1ssl) alone for web encryption. Such a certificate is self-signed rather than signed by a trusted certificate authority, so clients have no reason to trust it unless you either

  1. operate your own certificate authority (strongly not recommended), or

  2. configure all client machines to trust the certificate explicitly.

For a public site, obtain a certificate from a publicly trusted certificate authority; openssl(1ssl) is still the right tool for generating the private key and the certificate signing request you submit to it.

Usage

To generate a self-signed certificate and its private key in one step, try:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /path/to/domain-name.com/key.pem -out /path/to/domain-name.com/cert.pem

-x509 makes the output a self-signed certificate instead of a certificate signing request, and -nodes writes the private key unencrypted, so restrict the key file's permissions. The command prompts for the subject fields; pass -subj to supply them non-interactively. Browsers also require a subjectAltName extension matching the host name, which OpenSSL 1.1.1 and later can add with -addext 'subjectAltName=DNS:domain-name.com'.
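The following is an added example, not part of the wiki page: a POSIX shell script that creates a self-signed certificate with openssl(1ssl) (adding the subjectAltName browsers require), confirms the extension is present, and then shows the trust problem described above: openssl verify rejects the certificate against the default store and accepts it only once the certificate itself is supplied as a trust anchor, which is what "configure all client machines" amounts to. The host name example.test, the temporary directory and the function names are illustrative; it assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not part of the wiki page): create a self-signed certificate
# with openssl(1ssl), then show why clients reject it by default and how an
# explicit trust anchor changes that. Assumes OpenSSL 1.1.1 or newer (-addext).
set -u

# make_selfsigned DIR NAME: write DIR/key.pem and DIR/cert.pem for host NAME.
# -nodes leaves the key unencrypted on disk, so the subshell tightens umask;
# -addext adds the subjectAltName that browsers require (CN alone is not enough).
make_selfsigned() {
    dir=$1; name=$2
    mkdir -p "$dir"
    (
        umask 077
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$name" \
            -addext "subjectAltName=DNS:$name" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    )
}

# cert_has_san CERT NAME: succeed if CERT carries DNS:NAME in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_subject CERT: print the subject line, e.g. "subject=CN = example.test".
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# trusted_by_default_store CERT: succeed only if CERT chains to a CA in the
# system trust store. A self-signed certificate never does.
trusted_by_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# trusted_with_anchor CERT ANCHOR: succeed if CERT verifies once ANCHOR is
# added as an explicit trust anchor.
trusted_with_anchor() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo: run the whole sequence in a temporary directory and report the outcome.
demo() {
    tmp=$(mktemp -d) || return 1
    make_selfsigned "$tmp" example.test || return 1
    cert_subject "$tmp/cert.pem"
    if trusted_by_default_store "$tmp/cert.pem"; then
        echo "unexpectedly trusted by the default store"
    else
        echo "rejected by the default store (self-signed)"
    fi
    if trusted_with_anchor "$tmp/cert.pem" "$tmp/cert.pem"; then
        echo "accepted once the certificate itself is a trust anchor"
    fi
    rm -rf "$tmp"
}

# Run with "sh selfsigned.sh demo" (the file name is an assumption).
case "${1:-}" in
    demo) demo ;;
esac
```

Sourcing the file and calling make_selfsigned with a real directory gives you the key and certificate from the command above plus the SAN; trusted_with_anchor is the check to run on a client after you have installed the certificate there.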


Diffie-Hellman Parameters

Software that defers cryptographic decisions to ssl(7ssl) at runtime, such as nginx(8), has historically ended up with 1024-bit Diffie-Hellman groups unless the administrator supplied stronger ones, which lags behind the 2048-bit minimum that is standard today. The parameters for Diffie-Hellman key exchanges are the most common such decision, and they are read from a file you generate yourself.

To generate stronger parameters, try:

openssl dhparam -out /path/to/dhparam.pem 4096

Generating 4096-bit parameters can take many minutes; 2048 bits satisfies current guidance and is much faster to produce. The file only matters for finite-field DHE cipher suites in TLS 1.2 and earlier: TLS 1.3 negotiates fixed named groups (RFC 7919) and ignores it, and it is used only when a DHE cipher suite is actually negotiated, so servers that prefer ECDHE rarely touch it. For details on how to load this file, see the Nginx article.
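As an added example (not from the wiki page or the nginx project), the following POSIX shell functions audit an nginx configuration tree for weak parameters: they collect every file named by an ssl_dhparam directive, read its size with openssl dhparam -text, and flag anything below 2048 bits. The directory layout, the file names in the comments and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the wiki page): audit the Diffie-Hellman
# parameter files an nginx configuration tree points at, flagging anything
# below 2048 bits. Assumes openssl(1ssl) is installed; paths are examples.
set -u

MIN_DH_BITS=2048

# dh_bits_from_text: read "openssl dhparam -text" output on stdin and print the
# modulus size, e.g. "DH Parameters: (2048 bit)" -> 2048. Fails if no size
# line is present.
dh_bits_from_text() {
    bits=$(sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && printf '%s\n' "$bits"
}

# dh_bits FILE: print the size of the PEM parameters in FILE.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null | dh_bits_from_text
}

# dh_is_strong FILE: succeed if FILE parses and holds at least MIN_DH_BITS bits.
dh_is_strong() {
    bits=$(dh_bits "$1") || return 1
    [ "$bits" -ge "$MIN_DH_BITS" ]
}

# nginx_dhparam_paths_from_text: read nginx configuration on stdin and print
# each file named by an uncommented ssl_dhparam directive, one per line.
nginx_dhparam_paths_from_text() {
    grep -E '^[[:space:]]*ssl_dhparam[[:space:]]' \
        | sed -E 's/^[[:space:]]*ssl_dhparam[[:space:]]+//; s/[[:space:]]*;.*$//' \
        | sort -u
}

# nginx_dhparam_paths DIR: same, over every file under DIR (e.g. /etc/nginx).
nginx_dhparam_paths() {
    find "$1" -type f -exec cat {} + 2>/dev/null | nginx_dhparam_paths_from_text
}

# audit_nginx_dh DIR: check every referenced parameter file; print one line per
# file and fail if any is missing or weaker than MIN_DH_BITS.
audit_nginx_dh() {
    rc=0
    for f in $(nginx_dhparam_paths "$1"); do
        if [ ! -r "$f" ]; then
            echo "MISSING  $f"; rc=1
        elif dh_is_strong "$f"; then
            echo "OK       $f ($(dh_bits "$f") bit)"
        else
            echo "WEAK     $f ($(dh_bits "$f") bit, need $MIN_DH_BITS)"; rc=1
        fi
    done
    return $rc
}

# Run with "sh dhaudit.sh audit /etc/nginx" (the file name is an assumption).
case "${1:-}" in
    audit) audit_nginx_dh "${2:-/etc/nginx}" ;;
esac
```

The parser deliberately ignores commented-out directives and trailing comments, so a leftover "# ssl_dhparam /old/dh1024.pem;" does not produce a false alarm; a non-zero exit from audit_nginx_dh is what you would gate a deployment on.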


Encrypted Telnet

To open an interactive TLS session to a server, the way telnet(1) is used for plaintext protocols, try:

openssl s_client -starttls smtp -connect mail.example.com:587

openssl s_client -connect mail.example.com:465

The first form speaks plaintext SMTP on the submission port and upgrades with STARTTLS; the second connects to a port that expects TLS from the first byte. In both cases, check the Verify return code line before trusting what follows: s_client continues the session even when certificate verification fails, unless -verify_return_error is given. On OpenSSL releases older than 1.1.1, also pass -servername mail.example.com, since those do not send SNI by default.
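The following added example, not from the wiki page, wraps s_client in a non-interactive check: it closes stdin so the client exits after the handshake, sends SNI, and parses the Verify return code line into a number a script can act on (parsing the code rather than using -verify_return_error keeps the failure reason visible). It also includes a loopback demo that starts a throwaway s_server on 127.0.0.1 with a self-signed certificate and probes it with and without that certificate as trust anchor. Host names, the port 4433 and the function names are illustrative; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not part of the wiki page): probe a TLS endpoint with
# openssl(1ssl) s_client non-interactively and turn the "Verify return code"
# line into a pass/fail result. Host names and ports are placeholders.
set -u

# verify_code_from_text: read s_client output on stdin and print the numeric
# verify code, e.g. "Verify return code: 0 (ok)" -> 0. Fails if absent.
verify_code_from_text() {
    code=$(sed -n 's/^.*Verify return code: \([0-9][0-9]*\) (.*$/\1/p' | head -n 1)
    [ -n "$code" ] && printf '%s\n' "$code"
}

# tls_probe HOST PORT [CAFILE] [STARTTLS_PROTO]: connect once, send SNI, and
# print the verify code for the peer's chain. Closing stdin makes s_client
# exit after the handshake instead of waiting for interactive input.
tls_probe() {
    host=$1; port=$2; cafile=${3:-}; proto=${4:-}
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    openssl s_client "$@" </dev/null 2>&1 | verify_code_from_text
}

# tls_ok HOST PORT [CAFILE] [STARTTLS_PROTO]: succeed only if the chain verified.
tls_ok() {
    [ "$(tls_probe "$@")" = 0 ]
}

# loopback_demo [PORT]: start a throwaway s_server on 127.0.0.1 with a
# self-signed certificate, then probe it without and with that certificate
# as trust anchor. Expect 18 (self signed certificate) first, then 0.
loopback_demo() {
    port=${1:-4433}
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj /CN=localhost \
        -addext subjectAltName=DNS:localhost \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    openssl s_server -accept "127.0.0.1:$port" -key "$tmp/key.pem" \
        -cert "$tmp/cert.pem" -quiet >/dev/null 2>&1 &
    srv=$!
    sleep 1
    echo "without anchor: verify code $(tls_probe localhost "$port")"
    echo "with anchor:    verify code $(tls_probe localhost "$port" "$tmp/cert.pem")"
    kill "$srv" 2>/dev/null
    rm -rf "$tmp"
}

# Run with "sh tlsprobe.sh demo [PORT]" (the file name is an assumption).
case "${1:-}" in
    demo) loopback_demo "${2:-4433}" ;;
esac
```

For the two commands above, tls_ok mail.example.com 587 "" smtp and tls_ok mail.example.com 465 are the scripted equivalents; an empty result means no handshake completed at all (refused connection, wrong STARTTLS protocol), which is distinct from a completed handshake with an untrusted chain.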


See also

openssl(1ssl): https://man.archlinux.org/man/openssl.1ssl

crypto(7ssl): https://man.archlinux.org/man/core/openssl/crypto.7ssl.en

ssl(7ssl): https://man.archlinux.org/man/core/openssl/ssl.7ssl.en

SSL

TLS

LibreSSL

Quictls


CategoryRicottone

Encryption/OpenSSL (last edited 2023-06-21 09:01:26 by DominicRicottone)