OpenSSL

From Wikipedia, the free encyclopedia
Basic data

Developer: OpenSSL Development Team
First released: 1998
Current version: 1.1.1g (April 21, 2020)
Operating system: Unix-like, Windows
Programming language: C
Category: Cryptography
License: BSD-like (with advertising clause)
German-language version: No
Website: www.openssl.org

OpenSSL, originally SSLeay, is free software for Transport Layer Security (TLS), originally Secure Sockets Layer (SSL).

OpenSSL includes implementations of the network protocols and of various ciphers, as well as the openssl command-line program for requesting, generating and managing certificates. The core library, written in C, provides general cryptographic functions for encryption and decryption as well as various other tools.

History

In the mid-1990s, SSLeay made it possible to use SSL with strong encryption outside the USA, because this implementation originated in Australia and was therefore not subject to US export restrictions. The name of the software was formed from the name of the network protocol and the programmer's initials. Eric A. Young had previously worked on implementations of Kerberos and DES. His friend Tim J. Hudson suggested this new project to him in 1995. Hudson also contributed significantly to the project by writing related patches for other free software and for Windows.

SSLeay 0.9.1b, from summer 1998, was never released as such; a new team continued its development until December 1998 and published it as OpenSSL 0.9.1c. Ralf S. Engelschall, a co-founder of this group, describes the development of OpenSSL as a prerequisite for the creation of mod_ssl, the most widely used encryption module for the Apache web server. Unlike this practically finished module, which only needs maintenance, the development of OpenSSL is, in his view, not yet complete; instead, committed free-software programmers continue to design applications that build on the already established basic functions of OpenSSL.

Spin-offs

In 2014 there were several spin-offs as a result of the Heartbleed bug. Because of the complexity of the project, which had grown over many years, and the resulting difficulty of auditing it for vulnerabilities, the OpenBSD developers led by Theo de Raadt decided to publish an OpenSSL variant with half the code size under the name LibreSSL.

Since then, Google has also maintained and published its own fork of OpenSSL under the name BoringSSL. It is used in Chrome and Android, among others.

FIPS 140-2 certification

OpenSSL is the first open-source program to obtain FIPS 140-2 certification, a security standard established by the US National Institute of Standards and Technology (NIST) for its Cryptographic Module Validation Program.

Approval was given in January 2006. It was temporarily withdrawn in June but re-issued on February 16, 2007. According to John Weathersby of the Open Source Software Institute (OSSI), the problem was "political in nature" (in the original: a political challenge), since a comparable certification costs commercial vendors considerable money. The process was paid for by the US Department of Defense and by interested companies, which hoped that a free solution would bring cost savings and standardization.

Notable security flaws

Weak keys on Debian

On May 13, 2008, the Debian project announced that the OpenSSL package shipped in its distributions since September 17, 2006 (versions 0.9.8c-1 to 0.9.8g-9) contained a vulnerability. Due to a bug in a Debian-specific patch, keys generated with the random number generator contained in these packages are predictable. This affects SSH, OpenVPN and DNSSEC keys, keys in X.509 certificates, and session keys used in SSL/TLS connections (HTTPS). Keys generated with GnuPG or GnuTLS are not affected.

The vulnerability arose from an attempt to silence a warning from the Valgrind code-analysis tool. The intention was to remove one inconsequential line of code that triggered the warning, but a second occurrence of the same line, in a different context and with a completely different meaning, was removed as well.

The affected key pairs are easy to attack, as all possible private keys can be computed within a few days. For the SSH keys concerned, a freely downloadable package is available on the Internet. This bug made SSL connections to many servers vulnerable to man-in-the-middle attacks. Connections to servers that have ever had a certificate with a weak key remain vulnerable until those certificates expire or are effectively revoked, and it should be noted that many browsers do not check for revoked certificates. A particularly prominent case was a vulnerable server of the service provider Akamai, which among other things hosts the ELSTER software for the German tax authorities and driver updates from AMD.
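The mechanism described above, shown with an added C model rather than OpenSSL's own code: a toy 64-bit entropy pool whose rand_add either mixes in the caller's buffer (the intended behaviour) or silently ignores it (the behaviour the Debian patch produced), together with the sanity check a packager could have run before shipping, namely holding the process id fixed, varying the operating-system entropy and confirming that the generated key changes. The pool, the mixer, the entropy bytes and the pid values are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy entropy pool: a single 64-bit word (constructed model, not OpenSSL's
 * MD-based pool). */
typedef struct { uint64_t pool; } pool_t;

/* SplitMix64-style mixer; its only job here is to make every input bit
 * visible in the output, so we can tell whether input reached the pool. */
static uint64_t mix64(uint64_t h, uint64_t v)
{
    h ^= v + 0x9E3779B97F4A7C15ull + (h << 6) + (h >> 2);
    h ^= h >> 30; h *= 0xBF58476D1CE4E5B9ull;
    h ^= h >> 27; h *= 0x94D049BB133111EBull;
    h ^= h >> 31;
    return h;
}

/* Intended behaviour: every byte the caller hands in is mixed into the pool. */
static void rand_add_intended(pool_t *p, const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        p->pool = mix64(p->pool, buf[i]);
}

/* Model of the patched behaviour: the line that mixed buf into the pool was
 * deleted along with the one Valgrind complained about, so the caller's
 * entropy never reaches the pool. */
static void rand_add_patched(pool_t *p, const unsigned char *buf, size_t n)
{
    (void)p; (void)buf; (void)n;
}

/* Derive a "private key" (here just 64 bits) the way an application would:
 * seed the pool from the OS entropy source, stir in the process id, draw.
 * On the patched packages the pid was effectively the only varying input. */
static uint64_t generate_key(int patched, const unsigned char *os_entropy,
                             size_t n, unsigned pid)
{
    pool_t p = { 0 };
    if (patched) rand_add_patched(&p, os_entropy, n);
    else         rand_add_intended(&p, os_entropy, n);
    p.pool = mix64(p.pool, pid);
    return p.pool;
}

/* Defender's sanity check: hold the pid fixed and vary the OS entropy.
 * Returns 1 if the key changes (healthy) and 0 if it does not (broken). */
static int key_depends_on_entropy(int patched)
{
    const unsigned char e1[] = { 0x11, 0x22, 0x33, 0x44 };  /* constructed */
    const unsigned char e2[] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
    return generate_key(patched, e1, sizeof e1, 4242) !=
           generate_key(patched, e2, sizeof e2, 4242);
}

/* Companion check: two different pids still give different keys, so the
 * broken generator is not constant but bounded by the pid range, i.e.
 * 32768 candidate keys per architecture and key size with Linux's default
 * pid_max. That bound is why every key could be precomputed in days. */
static int key_depends_on_pid(int patched)
{
    const unsigned char e[] = { 0x11, 0x22, 0x33, 0x44 };   /* constructed */
    return generate_key(patched, e, sizeof e, 100) !=
           generate_key(patched, e, sizeof e, 101);
}

int main(void)
{
    printf("intended: depends on entropy=%d, on pid=%d\n",
           key_depends_on_entropy(0), key_depends_on_pid(0));
    printf("patched : depends on entropy=%d, on pid=%d\n",
           key_depends_on_entropy(1), key_depends_on_pid(1));
    return 0;
}
```

The check is deliberately black-box: it needs no knowledge of the pool internals, only the ability to feed the generator two different seeds and compare outputs, which is the kind of regression test that would have caught the patch.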

Heartbleed bug

Due to the Heartbleed bug, parts of the peer's memory can be read over TLS and DTLS connections in affected OpenSSL versions. This allows data to be copied from affected systems without authorization, such as the private keys belonging to X.509 certificates, user names and passwords. Affected is the heartbeat implementation in OpenSSL versions from 1.0.1 (March 14, 2012) up to and including 1.0.1f, as well as several beta versions of 1.0.1 and 1.0.2. The vulnerability was fixed in version 1.0.1g on April 7, 2014.
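The flaw and its remedy, as an added C model that is not OpenSSL's code: a simplified heartbeat record (type byte, two-byte payload length, payload, 16 bytes of padding) is answered by a responder that either trusts the claimed payload length (the Heartbleed behaviour) or first checks that the claim fits inside the record actually received and silently discards the message otherwise, the kind of check the 1.0.1g fix introduced. The record layout, the buffer of neighbouring "secret" memory and the lengths used are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat record (constructed model, not OpenSSL's layout):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1..2 : payload length, big-endian
 *   bytes 3..  : payload
 *   last 16    : padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Build the response to the request held in rec[0..rec_len).
 * check_length == 0: the claimed payload length is trusted (the flaw).
 * check_length == 1: the claim is verified against the record actually
 *                    received and the record is dropped if it does not fit.
 * Returns the number of bytes written to out, or -1 if dropped. */
static int heartbeat_reply(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap, int check_length)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    if (check_length && HB_HEADER + payload_len + HB_PADDING > rec_len)
        return -1;                      /* claim exceeds the record: discard */

    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;  /* never overflow our own buffer */

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    /* When unchecked, this copy reads past the end of the real record. */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed process memory: a 24-byte request (5-byte payload "hello" plus
 * padding) followed by unrelated data that a peer must never see. */
#define REC_LEN 24
static const char SECRET[] = "SECRET-DATA";

static void build_memory(unsigned char *mem, size_t mem_len, unsigned claimed_len)
{
    memset(mem, 0, mem_len);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER, "hello", 5);           /* the real payload */
    memcpy(mem + REC_LEN, SECRET, sizeof SECRET);  /* neighbouring data */
}

/* Returns 1 if the response to a request claiming claimed_len payload bytes
 * contains SECRET, 0 if it does not or the request was dropped.
 * claimed_len must stay below 64 - HB_HEADER so the model never reads
 * outside its own constructed buffer. */
static int reply_leaks_secret(unsigned claimed_len, int check_length)
{
    unsigned char mem[64], out[128];
    build_memory(mem, sizeof mem, claimed_len);
    int n = heartbeat_reply(mem, REC_LEN, out, sizeof out, check_length);
    if (n < 0) return 0;
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("honest claim (5),  unchecked: leaks=%d\n", reply_leaks_secret(5, 0));
    printf("inflated claim (40), unchecked: leaks=%d\n", reply_leaks_secret(40, 0));
    printf("inflated claim (40), checked  : leaks=%d\n", reply_leaks_secret(40, 1));
    return 0;
}
```

The defensive point is the single comparison in heartbeat_reply: every length field that arrives from the network has to be checked against the number of bytes that were actually received before it is used to size a copy, and the safe failure mode for a malformed heartbeat is to say nothing at all.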

License

OpenSSL is licensed under the SSLeay license and its own license, which apply jointly. Both resemble the original BSD license. The main restriction is that advertising for third-party products containing OpenSSL must mention OpenSSL and the two authors of SSLeay.

From version 3.0.0 on, OpenSSL is licensed under the Apache License 2.0, in order to simplify its use in other open-source projects.

Version history

This overview only contains the most important versions.

Branch          Release date (branch)        Last version                  End of support                         Status
0.9.1 - 1.0.0   December 23, 1998 (0.9.1)    1.0.0t (December 3, 2015)     December 31, 2015 (0.9.8 and 1.0.0)    Older version; no longer supported
1.0.1           March 14, 2012               1.0.1u (September 22, 2016)   December 31, 2016                      Older version; no longer supported
1.0.2           January 22, 2015             1.0.2u (December 20, 2019)    December 31, 2019 (LTS)                Older version; no longer supported
1.1.0           August 25, 2016              1.1.0l (September 10, 2019)   September 11, 2019                     Older version; no longer supported
1.1.1           September 11, 2018           1.1.1g (April 21, 2020)       September 11, 2023 (LTS)               Current version
3.0.0           ~ Q4 2020                    -                             -                                      Future version
