= OpenSSL =

'''OpenSSL''' provides the cryptographic libraries '''libcrypto''' ('''`crypto(7ssl)`''') and '''libssl''' ('''`ssl(7ssl)`'''), as well as the utility '''`openssl(1ssl)`'''.

----

== Installation ==

Most [[Linux]] and [[BSD]] distributions offer an `openssl` package.

----

== Certificates ==

It is highly recommended to '''not''' use `openssl(1ssl)`-generated certificates for web encryption. Clients have no reason to trust a self-signed certificate unless you:

 1. operate your own certificate authority ('''''strongly'' not recommended'''), or
 2. configure every client machine to trust it.

=== Usage ===

To generate a certificate and private key simultaneously, try:

{{{
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /path/to/domain-name.com/key.pem -out /path/to/domain-name.com/cert.pem
}}}

----

== Diffie-Hellman Parameters ==

`ssl(7ssl)` defaults to 1024-bit keys, which lags behind the modern standard of 2048 bits. This is a particular problem for software that defers cryptographic decisions to `ssl(7ssl)` at runtime, such as `nginx(8)`. One of the most common cryptographic decisions affected by this situation is the selection of parameters for Diffie-Hellman key exchanges. To generate a stronger configuration, try:

{{{
openssl dhparam -out /path/to/dhparam.pem 4096
}}}

For details on how to use this configuration, see the [[Nginx/Encryption|Nginx]] article.

----

== Encrypted Telnet ==

To test an encrypted connection as with [[Telnet#SMTP|telnet(1)]], try:

{{{
openssl s_client -starttls smtp -connect mail.example.com:587
openssl s_client -connect mail.example.com:465
}}}

----

== See also ==

 * [[https://man.archlinux.org/man/openssl.1ssl|openssl(1ssl)]]
 * [[https://man.archlinux.org/man/core/openssl/crypto.7ssl.en|crypto(7ssl)]]
 * [[https://man.archlinux.org/man/core/openssl/ssl.7ssl.en|ssl(7ssl)]]
 * [[Encryption/SSL|SSL]]
 * [[Encryption/TLS|TLS]]
 * [[Encryption/LibreSSL|LibreSSL]]
 * [[Encryption/Quictls|Quictls]]

----

CategoryRicottone
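As an added example (not part of the original page), the following POSIX shell functions run the same `openssl req` invocation as the Certificates section, supplying `-subj` so it works without prompts, and then verify the result: that the certificate is actually self-signed with a 2048-bit key, and that a Diffie-Hellman parameter file meets the 2048-bit floor the Diffie-Hellman Parameters section describes. The directory layout, the hostname passed as CN and the file paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page. Paths, the directory layout
# and the CN passed via -subj are assumptions made for this example.

# Generate a private key and self-signed certificate for host $2 into
# directory $1, using the same openssl req flags as the Certificates section.
# -subj supplies the subject so the command does not prompt interactively.
gen_selfsigned() {
    mkdir -p "$1"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the size in bits of the public key inside certificate $1.
# Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)" output.
cert_key_bits() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -text -noout \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 only if certificate $1 is self-signed, i.e. issuer equals subject.
# The "subject=" / "issuer=" prefixes are stripped so the two names compare.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print the bit length of the Diffie-Hellman group in parameter file $1.
dhparam_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 only if the DH group in $1 is at least 2048 bits, the size the
# Diffie-Hellman Parameters section names as the modern standard; a file
# that is missing or unparsable fails the check rather than passing it.
dhparam_is_strong() {
    bits=$(dhparam_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}
```

Source the file and call the functions, e.g. `gen_selfsigned /path/to/domain-name.com domain-name.com` followed by `cert_is_self_signed /path/to/domain-name.com/cert.pem` and `dhparam_is_strong /path/to/dhparam.pem`.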