Openssl: The tool, not the lib – a mini-howto

Did you know that the openssl tool shipped with the OpenSSL distribution can do more than just create certificates of all kinds for your webserver? It can also do other fancy stuff like calculating MD5 checksums or other digests. You can use it as a tool for encrypting or decrypting files. It can deal with encrypted S/MIME emails, or act as a simple SSL-enabled TCP client. And server!

I’m not going into too much detail and I won’t (and can’t) tell you about every nuance of this program, but there’s always the manual page if you’d like to know more.


You can use the program openssl in two modes. In interactive mode you get the openssl-prompt and can enter commands. You remain in that openssl-shell until you quit. The other mode is just giving it enough parameters on the command-line so that it does your work.

Here I show you a simple interactive session.

$ openssl
OpenSSL> md5
Hello, World!

OpenSSL> sha1 /etc/hosts
SHA1(/etc/hosts)= 9eae810b5ddc9de42768cf67a3d4c7486c7ed609
OpenSSL> enc -a -bf -e
enter bf-cbc encryption password: 123
Verifying - enter bf-cbc encryption password: 123
Oh Hi! I upgraded your Ram.

OpenSSL> enc -a -bf -d
enter bf-cbc decryption password: 123

Oh Hi! I upgraded your Ram.
OpenSSL> exit

Listing 1: Interactive OpenSSL session example. Text in italics is the user’s input.

In Listing 1 I showed you some of the features the openssl program supports: MD5 checksumming of interactively entered text, SHA1 checksumming of files on the hard drive, and ASCII-armoured Blowfish encryption. Neat, eh?

Now for a more complex example-session on the command-line:

$ openssl md5 < /etc/hosts
$ openssl enc -aes-256-cbc -salt -a -e < /etc/hosts > hosts.aes
enter aes-256-cbc encryption password: 123
Verifying - enter aes-256-cbc encryption password: 123
$ cat hosts.aes
$ openssl enc -aes-256-cbc -salt -a -d < hosts.aes | \
openssl md5

enter aes-256-cbc decryption password: 123

Listing 2: An example command-line session using AES for encryption.

As you can see, there is no real difference between an interactive session and regular invocation from the shell. I’ll therefore only show the examples on the command line.

Checksums and Message Digests

Supported digests-families: md, sha, others
Invocation: openssl dgst [-md5|-sha1|...]

Example 1: MD5-checksum of a file

$ openssl dgst -md5 < /etc/hosts

Example 2: SHA256-checksum of a file

$ openssl dgst -sha256 < /etc/hosts

Symmetric encryption/decryption

Supported cipher-families: AES, Blowfish, CAST, DES, RC
Invocation: openssl enc [-$cypher] [-a] [-e|-d] < infile > outfile

Example 3: Encryption and decryption using ASCII-armour and AES128

-a – causes openssl to create BASE64-encoded output rather than binary output
-e – set encryption mode
-d – set decryption mode
-aes128 – use AES 128 bit cipher

$ openssl enc -a -aes128 -e < /etc/hosts > hosts.aes
enter aes-128-cbc encryption password: 123
Verifying - enter aes-128-cbc encryption password: 123
$ openssl enc -a -aes128 -d < hosts.aes
enter aes-128-cbc decryption password: 123
localhost.localdomain localhost
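
The digest, encrypt, decrypt, digest check from Listing 2 and the enc invocation from Example 3, as an added shell example that is not part of the original post and runs without prompts. It assumes OpenSSL 1.1.1 or newer and uses options the post does not show: -pbkdf2 and -iter for key derivation, -pass file: instead of the interactive prompt, and dgst -r. The function names, file names and iteration count are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (-pbkdf2).
ITER=200000   # PBKDF2 iteration count; an illustrative value for this example

# Print only the hex SHA-256 digest of stdin.
digest() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Encrypt file $1 into base64 file $2; the passphrase is the first line of file $3.
encrypt() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -a -e \
        -pass "file:$3" -in "$1" -out "$2"
}

# Decrypt base64 file $1 to stdout with passphrase file $2.
# A wrong passphrase normally ends in "bad decrypt"; that message is discarded.
decrypt() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -a -d \
        -pass "file:$2" -in "$1" 2>/dev/null
}

# Succeed only if decrypting $2 with passphrase file $3 reproduces file $1.
# Comparing digests (as Listing 2 does) also catches the rare wrong-passphrase
# decryption that happens to end in valid padding and exits 0.
roundtrip_ok() {
    want=$(digest < "$1")
    got=$(decrypt "$2" "$3" | digest)
    [ "$want" = "$got" ]
}

# True if the armoured output begins with the base64 form of "Salted__".
has_salt_header() {
    [ "$(head -n 1 "$1" | cut -c1-10)" = "U2FsdGVkX1" ]
}

demo() {
    d=$(mktemp -d) || return 1
    printf '127.0.0.1 localhost\n' > "$d/plain"        # constructed sample input
    printf 'constructed example passphrase\n' > "$d/pass"
    printf 'some other passphrase\n' > "$d/badpass"
    encrypt "$d/plain" "$d/a.aes" "$d/pass" || return 1
    encrypt "$d/plain" "$d/b.aes" "$d/pass" || return 1
    has_salt_header "$d/a.aes" && echo "salt header present"
    cmp -s "$d/a.aes" "$d/b.aes" || echo "same input and passphrase, different ciphertext"
    roundtrip_ok "$d/plain" "$d/a.aes" "$d/pass" && echo "round trip: digests match"
    roundtrip_ok "$d/plain" "$d/a.aes" "$d/badpass" || echo "wrong passphrase: digests differ"
    rm -rf "$d"
}
demo
```

Without -pass, openssl asks for the passphrase interactively, as in Listing 2.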

Use openssl as a simple SSL-client

Wouldn’t it be cool to have something like telnet, but one that speaks SSL? Eh? Just for testing? Yeah, that’d be neat.

Invocation: openssl s_client -connect ${host}:${port}

Example 4: Hitting an SSL-enabled webserver
Since this example is rather long, I’ve uploaded this listing: Downloading listing

There’s more to explore!

Hope you liked it. Why don’t you now try to…

  • explore the RSA-commands and find out how to encrypt, decrypt, sign and verify manually?
  • improvise an SSL-enabled webserver serving a single file using the s_server-command?
  • do funky md5/crypt/Apache password-hash stuff with the passwd-command?

Have fun!

Creative Commons License
This work is licensed under a Creative Commons Attribution 2.5 License.


2 Responses to Openssl: The tool, not the lib – a mini-howto

  1. peter says:

    Good introduction.
    Openssl is powerful, I was not aware!
