Convert Figma logo to code with AI

openssl logoopenssl

TLS/SSL and crypto library

27,203
10,494
27,203
1,993
View on GitHub

Top Related Projects

libressl's avatar

portable

1,399

LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to tech@openbsd.org are welcome.

google's avatar

boringssl

1,927

Mirror of BoringSSL

Mbed-TLS's avatar

mbedtls

5,854

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.

wolfSSL's avatar

wolfssl

2,481

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!

jedisct1's avatar

libsodium

12,645

A modern, portable, easy to use crypto library.

aws's avatar

s2n-tls

4,608

An implementation of the TLS/SSL protocols

Quick Overview

OpenSSL is a robust, full-featured open-source toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library that provides various cryptographic functions for developers and system administrators to secure their applications and infrastructure.

Pros

  • Widely adopted and trusted by many organizations and projects
  • Comprehensive support for various cryptographic algorithms and protocols
  • Actively maintained with regular updates and security patches
  • Extensive documentation and community support

Cons

  • Complex API that can be challenging for beginners
  • Historical vulnerabilities (e.g., Heartbleed) have raised concerns about its security
  • Large codebase that can be difficult to audit thoroughly
  • Performance overhead compared to some specialized cryptographic libraries

Code Examples

  1. Generating a random key:
#include <openssl/rand.h>

unsigned char key[32];
if (RAND_bytes(key, sizeof(key)) != 1) {
    // Error handling
}
  1. Encrypting data using AES-256-CBC:
#include <openssl/evp.h>

EVP_CIPHER_CTX *ctx;
unsigned char *ciphertext;
int len, ciphertext_len;

ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv);
EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len);
ciphertext_len = len;
EVP_EncryptFinal_ex(ctx, ciphertext + len, &len);
ciphertext_len += len;
EVP_CIPHER_CTX_free(ctx);
  1. Verifying a digital signature:
#include <openssl/rsa.h>
#include <openssl/pem.h>

RSA *rsa = RSA_new();
FILE *pubkey_file = fopen("public_key.pem", "rb");
PEM_read_RSA_PUBKEY(pubkey_file, &rsa, NULL, NULL);
fclose(pubkey_file);

int result = RSA_verify(NID_sha256, digest, digest_len, signature, signature_len, rsa);
RSA_free(rsa);

Getting Started

To use OpenSSL in your project, follow these steps:

  1. Install OpenSSL development libraries:

    # On Ubuntu/Debian
sudo apt-get install libssl-dev

# On macOS with Homebrew
brew install openssl

  2. Include OpenSSL headers in your C/C++ code:

    #include <openssl/ssl.h>
#include <openssl/err.h>

  3. Compile your program with OpenSSL libraries:

    gcc -o myprogram myprogram.c -lssl -lcrypto

  4. Initialize OpenSSL in your code:

    SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();

Remember to check the OpenSSL documentation for detailed usage instructions and best practices.

Competitor Comparisons

libressl logo

portable

1,399

LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to tech@openbsd.org are welcome.

Pros of LibreSSL

  • Simplified codebase with improved readability and maintainability
  • Enhanced security focus with proactive removal of deprecated and vulnerable features
  • More consistent API and better documentation

Cons of LibreSSL

  • Smaller development community compared to OpenSSL
  • May lack some features or optimizations present in OpenSSL
  • Potential compatibility issues with software specifically designed for OpenSSL

Code Comparison

OpenSSL:

int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
{
    int j;
    BIO *in;
    int ret = 0;
    X509 *x = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
        goto end;
    }

LibreSSL:

int
SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
{
	int ret;
	BIO *in;

	in = BIO_new(BIO_s_file());
	if (in == NULL) {
		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
		return 0;
	}

The LibreSSL code is generally more concise and follows a cleaner coding style, while OpenSSL's implementation tends to be more verbose and complex.

google logo

boringssl

1,927

Mirror of BoringSSL

Pros of BoringSSL

  • Simplified API and reduced codebase, making it easier to maintain and audit
  • Faster development cycle with more frequent updates and bug fixes
  • Better support for modern cryptographic algorithms and protocols

Cons of BoringSSL

  • Limited backward compatibility with older systems and applications
  • Smaller community and ecosystem compared to OpenSSL
  • Less comprehensive documentation and support resources

Code Comparison

OpenSSL:

EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, rsa);
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
EVP_PKEY_sign_init(ctx);
EVP_PKEY_sign(ctx, signature, &sig_len, digest, digest_len);

BoringSSL:

EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_set1_RSA(pkey, rsa);
size_t sig_len;
EVP_DigestSignInit(ctx, NULL, EVP_sha256(), NULL, pkey);
EVP_DigestSignUpdate(ctx, message, message_len);
EVP_DigestSignFinal(ctx, signature, &sig_len);

The code comparison shows that BoringSSL has a more streamlined API for digital signatures, requiring fewer function calls and providing a more intuitive flow. OpenSSL's approach is more verbose and requires separate initialization steps for the signing context.

Mbed-TLS logo

mbedtls

5,854

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.

Pros of mbedtls

  • Smaller footprint and better suited for embedded systems
  • More modular design, allowing for easier customization
  • Simpler API, making it easier to learn and use

Cons of mbedtls

  • Less comprehensive feature set compared to OpenSSL
  • Smaller community and ecosystem
  • Fewer third-party tools and integrations available

Code Comparison

OpenSSL example (initializing a TLS client):

SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL *ssl = SSL_new(ctx);
SSL_set_fd(ssl, socket);
SSL_connect(ssl);

mbedtls example (initializing a TLS client):

mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);

Both OpenSSL and mbedtls are popular open-source SSL/TLS libraries, but they cater to different use cases. OpenSSL is more feature-rich and widely adopted, making it suitable for a broad range of applications. mbedtls, on the other hand, is designed with embedded systems in mind, offering a smaller footprint and more modular architecture. The choice between the two depends on the specific requirements of your project, such as resource constraints, feature needs, and target platform.

wolfSSL logo

wolfssl

2,481

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!

Pros of wolfSSL

  • Smaller footprint and faster execution, ideal for embedded systems and IoT devices
  • FIPS 140-2 and 140-3 certified, suitable for government and military applications
  • More permissive licensing (GPLv2 or commercial) compared to OpenSSL's Apache License

Cons of wolfSSL

  • Less widespread adoption and community support than OpenSSL
  • Fewer available features and extensions compared to OpenSSL's extensive ecosystem
  • Limited compatibility with some legacy systems that rely on OpenSSL-specific features

Code Comparison

wolfSSL initialization:

wolfSSL_Init();
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());

OpenSSL initialization:

SSL_library_init();
SSL_CTX* ctx = SSL_CTX_new(TLSv1_2_client_method());

Both libraries offer similar APIs, but wolfSSL tends to prefix functions with "wolf" for clarity. The core functionality remains comparable, allowing for relatively straightforward migration between the two in many cases.

jedisct1 logo

libsodium

12,645

A modern, portable, easy to use crypto library.

Pros of libsodium

  • Simpler API with fewer options, reducing the risk of misuse
  • Focus on modern, secure cryptographic primitives
  • Designed with side-channel attack resistance in mind

Cons of libsodium

  • Less widely adopted compared to OpenSSL
  • Fewer features and algorithms supported
  • Limited support for legacy systems and protocols

Code Comparison

OpenSSL example (encrypting data):

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv);
EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len);
EVP_EncryptFinal_ex(ctx, ciphertext + len, &len);
EVP_CIPHER_CTX_free(ctx);

libsodium example (encrypting data):

crypto_secretbox_easy(ciphertext, plaintext, plaintext_len, nonce, key);

The libsodium example demonstrates its simpler API, requiring fewer function calls and parameters. OpenSSL offers more flexibility but requires more complex setup and management. Both libraries provide secure encryption, but libsodium's approach aims to reduce the likelihood of implementation errors.

aws logo

s2n-tls

4,608

An implementation of the TLS/SSL protocols

Pros of s2n-tls

  • Simpler codebase with fewer lines of code, making it easier to audit and maintain
  • Designed with a focus on performance and security for cloud environments
  • Backed by AWS, ensuring regular updates and support

Cons of s2n-tls

  • Limited support for older TLS versions and less common cipher suites
  • Smaller community and ecosystem compared to OpenSSL
  • Less comprehensive documentation and fewer learning resources available

Code Comparison

OpenSSL:

SSL_CTX *ctx = SSL_CTX_new(TLS_method());
SSL *ssl = SSL_new(ctx);
SSL_set_fd(ssl, socket);
SSL_connect(ssl);
SSL_write(ssl, data, len);

s2n-tls:

struct s2n_config *config = s2n_config_new();
struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
s2n_connection_set_config(conn, config);
s2n_connection_set_fd(conn, socket);
s2n_negotiate(conn, &blocked);

Both libraries provide similar functionality for establishing TLS connections, but s2n-tls has a more streamlined API with fewer function calls required. OpenSSL offers more granular control over the connection process, while s2n-tls simplifies the setup and negotiation steps.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Welcome to the OpenSSL Project

openssl logo

github actions ci badge Nightly OS Zoo ci badge Provider Compatibility Quic Interop Daily checks

OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit for the TLS (formerly SSL), DTLS and QUIC protocols.

The protocol implementations are based on a full-strength general purpose cryptographic library, which can also be used stand-alone. Also included is a cryptographic module validated to conform with FIPS standards.

OpenSSL is descended from the SSLeay library developed by Eric A. Young and Tim J. Hudson.

The official Home Page of the OpenSSL Project is www.openssl.org.

Table of Contents

Overview

The OpenSSL toolkit includes:

  • libssl an implementation of all TLS protocol versions up to TLSv1.3 (RFC 8446), DTLS protocol versions up to DTLSv1.2 (RFC 6347) and the QUIC version 1 protocol (RFC 9000).

  • libcrypto a full-strength general purpose cryptographic library. It constitutes the basis of the TLS implementation, but can also be used independently.

  • openssl the OpenSSL command line tool, a swiss army knife for cryptographic tasks, testing and analyzing. It can be used for

    • creation of key parameters
    • creation of X.509 certificates, CSRs and CRLs
    • calculation of message digests
    • encryption and decryption
    • SSL/TLS/DTLS and client and server tests
    • QUIC client tests
    • handling of S/MIME signed or encrypted mail
    • and more...

Download

For Production Use

Source code tarballs of the official releases can be downloaded from openssl-library.org/source/. The OpenSSL project does not distribute the toolkit in binary form.

However, for a large variety of operating systems precompiled versions of the OpenSSL toolkit are available. In particular, on Linux and other Unix operating systems, it is normally recommended to link against the precompiled shared libraries provided by the distributor or vendor.

We also maintain a list of third parties that produce OpenSSL binaries for various Operating Systems (including Windows) on the Binaries page on our wiki.

For Testing and Development

Although testing and development could in theory also be done using the source tarballs, having a local copy of the git repository with the entire project history gives you much more insight into the code base.

The main OpenSSL Git repository is private. There is a public GitHub mirror of it at github.com/openssl/openssl, which is updated automatically from the former on every commit.

A local copy of the Git repository can be obtained by cloning it from the GitHub mirror using

git clone https://github.com/openssl/openssl.git

If you intend to contribute to OpenSSL, either to fix bugs or contribute new features, you need to fork the GitHub mirror and clone your public fork instead.

git clone https://github.com/yourname/openssl.git

This is necessary because all development of OpenSSL nowadays is done via GitHub pull requests. For more details, see Contributing.

Build and Install

After obtaining the Source, have a look at the INSTALL file for detailed instructions about building and installing OpenSSL. For some platforms, the installation instructions are amended by a platform specific document.

Specific notes on upgrading to OpenSSL 3.x from previous versions can be found in the ossl-guide-migration(7ossl) manual page.

Documentation

README Files

There are some README.md files in the top level of the source distribution containing additional information on specific topics.

The OpenSSL Guide

There are some tutorial and introductory pages on some important OpenSSL topics within the OpenSSL Guide.

Manual Pages

The manual pages for the master branch and all current stable releases are available online.

Demos

There are numerous source code demos for using various OpenSSL capabilities in the demos subfolder.

Wiki

There is a GitHub Wiki which is currently not very active.

License

OpenSSL is licensed under the Apache License 2.0, which means that you are free to get and use it for commercial and non-commercial purposes as long as you fulfill its conditions.

See the LICENSE.txt file for more details.

Support

There are various ways to get in touch. The correct channel depends on your requirement. See the SUPPORT file for more details.

Contributing

If you are interested and willing to contribute to the OpenSSL project, please take a look at the CONTRIBUTING file.

Legalities

A number of nations restrict the use or export of cryptography. If you are potentially subject to such restrictions, you should seek legal advice before attempting to develop or distribute cryptographic code.

Copyright

Copyright (c) 1998-2025 The OpenSSL Project Authors

Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

All rights reserved.