Preface
For all its warts, OpenSSL is one of the most successful and most important open source projects. It's successful because it's so widely used; it's important because the security of large parts of the Internet infrastructure relies on it. The project consists of a high-performance implementation of key cryptographic algorithms, a complete TLS and PKI stack, and a command-line toolkit. I think it's safe to say that if your job has something to do with security, web development, or system administration, you can't avoid having to deal with OpenSSL on at least some level. The majority of the Internet is powered by open source products, and most of them rely on OpenSSL.
This book covers two ways in which OpenSSL can be used. Chapter 1, OpenSSL Command Line, will help users who need to perform routine tasks of key and certificate generation, and configure programs that rely on OpenSSL for TLS functionality. This chapter also discusses how to create a complete private CA, which is useful for development and similar internal environments. Chapter 2, Testing TLS with OpenSSL, focuses on server security testing using OpenSSL. Although sometimes time-consuming, this type of low-level testing can’t be avoided when you wish to know exactly what’s going on.
Both chapters are borrowed from my larger work, called Bulletproof TLS and PKI. I decided to publish the OpenSSL chapters as a separate free book because there is a severe lack of good and easily available documentation. As is often true for complex and long-lived projects, the OpenSSL documentation you can find on the Internet is often wrong and outdated.
Besides, publishers often give away one or more chapters in order to show what the book is like, and I thought I should make the most of this practice by not only making the OpenSSL chapters free, but also by committing to continue to maintain and improve them over time. So here they are.
Feedback
Reader feedback is always very important, but especially so in this case, because this is a living book. In traditional publishing, often years pass before reader feedback goes back into the book, and then only if another edition actually sees the light of day (which often does not happen for technical books, because of the small market size). With this book, you'll see new content appear in a matter of days. Ultimately, what you send to me will affect how the book will evolve.
The best way to contact me is to use my email address, ivanr@webkreator.com. Sometimes I may also be able to respond via Twitter, where you will find me under the handle @ivanristic.
Acknowledgments
This is a short book, but it's packed with technical information. As a result, there are ample opportunities for mistakes. I am very grateful to Matt Caswell for his help in keeping the mistakes away. Matt, who is a member of the OpenSSL development team, joined me as technical reviewer for the third edition.
Various people have written to me with their thoughts and corrections. They, too, made this book better. I extend my thanks to Brian Howson, Christian Folini, Jeff Kayser, Martin Carpenter, Michael Reschly, Karsten Weiss, Olivier Levillain, and Stephen N. Henson.
My special thanks go to my copyeditor, Melinda Rankin. She has been a pleasure to work with, as always.
About Bulletproof TLS and PKI
Bulletproof TLS and PKI is the book I wish I had back when I was starting to use SSL. I don't remember when that was exactly, but it was definitely very early on, back when you still had to patch Apache to get it to support SSL. What I do remember is how, in 2005, when I was writing my first book, Apache Security, I started to appreciate the complexities of cryptography. I even began to like it.
In 2009 I started to work on SSL Labs, and for me, the world of cryptography began to unravel. Fast-forward a decade, and in 2020 I am still learning. Cryptography is a unique field in which the more you learn, the less you know.
In supporting SSL Labs users over the years, I realized that there was a lot written on SSL/TLS and PKI, but that the material generally suffered from two problems: (1) all you need is not in one place, making the little bits and pieces (e.g., RFCs) difficult to find, and (2) most of it is too detailed and low level. Many documents are also obsolete. I tried to make sense of it all and it took me years of work and study to even begin to understand the ecosystem.
Bulletproof TLS and PKI addresses the documentation gap. It’s a practical book that starts with a gentle introduction and a solid theory background, but then moves to discuss everything you need for your daily work. It also provides deep coverage of certain key aspects, for example protocol attacks. For those who want even more, there are hundreds of references to research papers and other external resources.