> OpenSSL Cookbook: Preface



For all its warts, OpenSSL is one of the most successful and most important open source projects. It’s successful because it’s so widely used; it’s important because the security of large parts of the Internet infrastructure relies on it. The project consists of a high-performance implementation of key cryptographic algorithms, a complete SSL/TLS and PKI stack, and a command-line toolkit. I think it’s safe to say that if your job has something to do with security, web development, or system administration, you can’t avoid having to deal with OpenSSL on at least some level. The majority of the Internet is powered by open source products, and virtually all of them rely on OpenSSL.

This book covers two ways in which OpenSSL can be used. Chapter 1, OpenSSL, will help users who need to perform routine tasks of key and certificate generation, and configure programs that rely on OpenSSL for SSL/TLS functionality. This chapter also discusses how to create a complete private CA, which is useful for development and similar internal environments. Chapter 2, Testing with OpenSSL, focuses on server security testing using OpenSSL. Although sometimes time consuming, this type of low-level testing can’t be avoided when you wish to know exactly what’s going on.

Both chapters are borrowed from my larger work, called Bulletproof SSL and TLS. I decided to publish the OpenSSL chapters as a separate free book because good documentation is always in great demand. This is particularly true for OpenSSL, which is not very well documented; what you can find on the Internet is often wrong and outdated.

Besides, publishers often give away one or more chapters in order to show what the book is like, and I thought I should make the most of this practice by not only making the OpenSSL chapters free, but also by committing to continue to maintain and improve them over time. So here they are.

Reader feedback is always very important, but especially so in this case, because this is a living book. In traditional publishing, often years pass before reader feedback goes back into the book, and then only if another edition actually sees the light of day (which often does not happen for technical books, because of the small market size). With this book, you’ll see new content appear in a matter of days. Ultimately, what you send to me will affect how the book will evolve.

The best way to contact me is to use my email address, ivanr@webkreator.com. Sometimes I may also be able to respond via Twitter, where you will find me under the handle @ivanristic.

Bulletproof SSL and TLS is the book I wish I had back when I was starting to use SSL. I don’t remember when that was exactly, but it was definitely very early on, back when you still had to patch Apache to get it to support SSL. What I do remember is how, in 2005, when I was writing my first book, Apache Security, I started to appreciate the complexities of cryptography. I even began to like it.

In 2009 I started to work on SSL Labs, and for me, the world of cryptography began to unravel. Fast-forward a couple of years, and in 2015 I am still learning. Cryptography is a unique field in which the more you learn, the less you know.

In supporting SSL Labs users over the years, I realized that there was a lot written on SSL/TLS and PKI, but that the material generally suffered from two problems: (1) all you need is not in one place, making the little bits and pieces (e.g., RFCs) difficult to find, and (2) most of it is very detailed and low level. Many documents are also obsolete. I tried to make sense of it all and it took me years of work and study to even begin to understand the ecosystem.

Bulletproof SSL and TLS addresses the documentation gap. It’s a practical book that starts with a gentle introduction and a solid theory background, but then moves to discuss everything you need for your daily work. It also provides deep coverage of certain key aspects, for example protocol attacks. For those who want even more, there are hundreds of references to research papers and other external resources.

Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools, and guides published on the SSL Labs web site.

He is the author of three books, Apache Security, ModSecurity Handbook, and Bulletproof SSL and TLS, which he publishes via Feisty Duck, his own platform for continuous writing and publishing. Ivan is an active participant in the security community, and you’ll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. He’s currently Director of Application Security Research at Qualys.

Copyright © 2018 Feisty Duck. All rights reserved.