Openssl: The tool, not the lib – a mini-howto

Did you know that the openssl tool shipped with the OpenSSL distribution can do more than just create certificates of all kinds for your webserver? It can also do other fancy stuff like calculating MD5 checksums or other digests. You can use it as a tool for encrypting or decrypting files. It can deal with encrypted S/MIME emails or act as a simple SSL-enabled TCP client. And server!

I’m not going into too much detail and I won’t (and can’t) tell you about every nuance of this program, but there’s always the manual page if you’d like to know more.

Introduction

You can use the program openssl in two modes. In interactive mode you get the openssl prompt and can enter commands; you remain in that openssl shell until you quit. The other mode is just giving it enough parameters on the command line so that it does your work.

Here I show you a simple interactive session.

$ openssl
OpenSSL> md5
Hello, World!
(CTRL+D)

bea8252ff4e80f41719ea13cdf007273
OpenSSL> sha1 /etc/hosts
SHA1(/etc/hosts)= 9eae810b5ddc9de42768cf67a3d4c7486c7ed609
OpenSSL> enc -a -bf -e
enter bf-cbc encryption password: 123
Verifying - enter bf-cbc encryption password: 123
Oh Hi! I upgraded your Ram.
(CTRL+D)

U2FsdGVkX19127MRtfOvh9pU631VpV7Wc1loeOTpXWLGwX2raPBKJef8ONdcDYpd
OpenSSL> enc -a -bf -d
enter bf-cbc decryption password: 123
U2FsdGVkX19127MRtfOvh9pU631VpV7Wc1loeOTpXWLGwX2raPBKJef8ONdcDYpd
(CTRL+D)

Oh Hi! I upgraded your Ram.
OpenSSL> exit

Listing 1: Interactive OpenSSL session example. Text in italics is the user’s input.

In Listing 1 I showed you some of the features the openssl program supports: MD5 checksumming of interactively entered text, SHA1 checksumming of files on the hard drive, and ASCII-armoured Blowfish encryption. Neat, eh?

Now for a more complex example session on the command line:

$ openssl md5 < /etc/hosts
09cff0c342cf543c82aa514e9edcf21b
$ openssl enc -aes-256-cbc -salt -a -e -in /etc/hosts -out hosts.aes
enter aes-256-cbc encryption password: 123
Verifying - enter aes-256-cbc encryption password: 123
$ cat hosts.aes
[base64-encoded ciphertext omitted]
$ openssl enc -aes-256-cbc -salt -a -d < hosts.aes | \
openssl md5
enter aes-256-cbc decryption password: 123
09cff0c342cf543c82aa514e9edcf21b

Listing 2: An example command-line session using AES for encryption.

As you see, there is no real difference between an interactive session and a regular invocation from the shell. I’ll therefore only show the examples on the command line.

Checksums and Message Digests

Supported digest families: md, sha, others
Invocation: openssl dgst [-md5|-sha1|...]

Example 1: MD5-checksum of a file

$ openssl dgst -md5 < /etc/hosts
09cff0c342cf543c82aa514e9edcf21b

Example 2: SHA256-checksum of a file

$ openssl dgst -sha256 < /etc/hosts
63c001b38a72383a38b8f6b4f5ea3d7e45ca663d0723a4f2b61e054a1abddc38
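The most common defensive use of the digest commands is checking a downloaded file against a published SHA-256 sum. The following is an added example (not from the original post) that wraps openssl dgst for that purpose; it assumes only that openssl is on PATH, and the input file and its tampered copy are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: verifying a file against a known
# SHA-256 digest with `openssl dgst`. Assumes only that `openssl` is on PATH.

# Print just the hex digest of a file. The -r flag gives coreutils-style
# "hash *file" output, which is stable across OpenSSL versions, whereas the
# default banner changed from "SHA256(file)=" to "SHA2-256(file)=" in OpenSSL 3.
digest_of() {   # digest_of <sha256|sha1|md5> <file>
    openssl dgst "-$1" -r "$2" | cut -d' ' -f1
}

# Exit status 0 when the file's SHA-256 matches the expected hex string, 1 otherwise.
# The comparison is case-insensitive because published sums are often upper-case.
verify_sha256() {   # verify_sha256 <file> <expected-hex>
    actual=$(digest_of sha256 "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Constructed sample input: the three bytes "abc" (a standard test vector), plus a
# tampered copy with one byte changed. Both live in a temp dir removed on exit.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf 'abc' > "$work/good"
printf 'abd' > "$work/tampered"

# Known SHA-256 of "abc" from the FIPS 180 test vectors.
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

for f in good tampered; do
    if verify_sha256 "$work/$f" "$ABC_SHA256"; then
        echo "$f: SHA-256 matches"
    else
        echo "$f: SHA-256 MISMATCH ($(digest_of sha256 "$work/$f"))"
    fi
done
echo "md5 of good: $(digest_of md5 "$work/good")"
```

Note that a digest only proves integrity against accidental corruption or a tamperer who could not also replace the published sum; for authenticity you still need a signature over the sum (the RSA and S/MIME commands mentioned elsewhere on this page) obtained from a separate channel.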

Symmetric encryption/decryption

Supported cipher families: AES, Blowfish, CAST, DES, RC
Invocation: openssl enc -${cipher} [-a] [-e|-d] [-in infile] [-out outfile]

Example 3: Encryption and decryption using ASCII-armour and AES128

-a – causes openssl to create BASE64-encoded output rather than binary output
-e – set encryption mode
-d – set decryption mode
-aes128 – use the AES cipher with a 128-bit key (CBC mode, as the password prompt shows)

$ openssl enc -a -aes128 -e -in /etc/hosts -out hosts.aes
enter aes-128-cbc encryption password: 123
Verifying - enter aes-128-cbc encryption password: 123
$ openssl enc -a -aes128 -d < hosts.aes
enter aes-128-cbc decryption password: 123
127.0.0.1 localhost.localdomain localhost
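As an added example (not from the original post), here is the same encrypt/decrypt round trip scripted rather than typed, with the two options a practitioner adds today: -salt, which the post's Listing 2 already uses, and -pbkdf2, which needs OpenSSL 1.1.1 or newer. The password is read from a 0600 file via -pass file: so it never shows up in ps output the way -pass pass:... would. The sample hosts file and password are constructed for the demo; the only assumption is that openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: a password-based AES-256-CBC round trip
# with `openssl enc`, using -salt (random per-file salt, so equal plaintexts encrypt
# differently) and -pbkdf2 (iterated key derivation; OpenSSL 1.1.1 or newer).
# Assumes only that `openssl` is on PATH.

encrypt_file() {   # encrypt_file <plaintext> <ciphertext.b64> <password-file>
    openssl enc -aes-256-cbc -e -salt -pbkdf2 -iter 200000 -a \
        -pass "file:$3" -in "$1" -out "$2"
}

decrypt_file() {   # decrypt_file <ciphertext.b64> <plaintext> <password-file>
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 200000 -a \
        -pass "file:$3" -in "$1" -out "$2"
}

# First 8 bytes of the decoded ciphertext. With -salt, openssl enc writes the magic
# "Salted__" followed by the 8-byte salt, which is why the base64 in Listing 1
# above begins with U2FsdGVkX1.
salted_header() {   # salted_header <ciphertext.b64>
    openssl base64 -d -in "$1" | head -c 8
}

# Constructed sample input in a private temp dir, cleaned up on exit.
# The password file is created under umask 077 so only the owner can read it.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
( umask 077; printf 'correct horse battery staple\n' > "$work/pw" )
printf '127.0.0.1 localhost.localdomain localhost\n::1 localhost\n' > "$work/hosts"

encrypt_file "$work/hosts" "$work/hosts.aes" "$work/pw"
decrypt_file "$work/hosts.aes" "$work/hosts.dec" "$work/pw"

# Returns 0 only if the decrypted file is byte-for-byte identical to the original.
roundtrip_ok() { cmp -s "$work/hosts" "$work/hosts.dec"; }

if roundtrip_ok; then
    echo "round trip OK; header: $(salted_header "$work/hosts.aes")"
fi
```

Without -pbkdf2, openssl enc derives the key with a single MD5/SHA-256 pass over password and salt, which is cheap to brute-force; with it, a wrong password is only detected by a padding error on decryption, so always check the exit status of the -d run rather than trusting whatever lands in the output file.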

Use openssl as a simple SSL-client

Wouldn’t it be cool to have something like telnet, but one that speaks SSL? Eh? Just for testing? Yeah, that’d be neat.

Invocation: openssl s_client -connect ${host}:${port}

Example 4: Hitting an SSL-enabled webserver
Since this example is rather long, I’ve uploaded the listing separately: Download listing
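What a defender actually does with s_client is read the certificate a server presents and check whether it verifies. The following added example (not from the original post) does that against a throw-away openssl s_server on the loopback interface, so it runs offline; s_server is the command the closing list of the post points at. It assumes openssl is on PATH and that TCP port 4433 is free on 127.0.0.1; the self-signed certificate is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: inspecting a server certificate with
# s_client, against a local s_server. Assumes `openssl` on PATH and a free port 4433.

work=$(mktemp -d)
srv=
trap '[ -n "$srv" ] && kill "$srv" 2>/dev/null; rm -rf "$work"' EXIT

# Self-signed certificate for CN=localhost, valid for one day (constructed for the demo).
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=localhost' -days 1 \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null

# Pull the "Verify return code" line out of s_client output; a chain that verifies
# against the supplied CA file yields "0 (ok)", a self-signed one "18 (...)".
verify_status() {
    sed -n 's/^ *Verify return code: *//p' | head -n 1
}

# Subject and expiry of a PEM certificate: the two fields to read first.
cert_summary() {   # cert_summary <cert.pem>
    openssl x509 -noout -subject -enddate -in "$1"
}

# Save the leaf certificate a server presents, for offline inspection.
# </dev/null makes s_client close the connection after the handshake.
fetch_server_cert() {   # fetch_server_cert <host> <port> <out.pem>
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 -out "$3"
}

# Start the test server in the background; -www answers GET / with a status page.
openssl s_server -accept 4433 -cert "$work/cert.pem" -key "$work/key.pem" -www \
    >/dev/null 2>&1 &
srv=$!
sleep 1

# Trusting our own certificate as CA, the handshake verifies...
echo "with -CAfile:    $(openssl s_client -connect 127.0.0.1:4433 -CAfile "$work/cert.pem" \
    </dev/null 2>/dev/null | verify_status)"
# ...without it, the very same server fails verification, which is exactly what you
# see from a site whose issuer you do not trust.
echo "without -CAfile: $(openssl s_client -connect 127.0.0.1:4433 </dev/null 2>/dev/null | verify_status)"

fetch_server_cert 127.0.0.1 4433 "$work/seen.pem" && cert_summary "$work/seen.pem"
```

When pointing this at a real name-based virtual host, add -servername ${host} so the server gets SNI and presents the right certificate, and note that s_client only checks the chain, not the hostname, unless you also pass -verify_hostname ${host}.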

There’s more to explore!

Hope you liked it. Why don’t you now try to…

  • explore the RSA commands and find out how to encrypt, decrypt, sign and verify manually?
  • improvise an SSL-enabled webserver serving a single file using the s_server command?
  • do funky md5/crypt/Apache password-hash stuff with the passwd-command?

Have fun!


Creative Commons License
This work is licensed under a Creative Commons Attribution 2.5 License.

2 Responses to Openssl: The tool, not the lib – a mini-howto

  1. peter says:

    Good introduction.
    Openssl is powerful, I was not aware!
