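OpenSSL is an open source project consisting of an SSL/TLS toolkit and a cryptography library. It is released under an Apache-style license and is free to obtain and use. This article briefly introduces OpenSSL's version information and the commands it provides.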

OpenSSL Info

Introduction Reference


OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.

The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. –


OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. It has found wide use in internet web servers, serving a majority of all web sites.

OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available. –

Functions Provided

OpenSSL provides the following functions (man openssl):

* Creation and management of private keys, public keys and parameters
* Public key cryptographic operations
* Creation of X.509 certificates, CSRs and CRLs
* Calculation of Message Digests
* Encryption and Decryption with Ciphers
* SSL/TLS Client and Server Tests
* Handling of S/MIME signed or encrypted mail
* Time Stamp requests, generation and verification

OpenSSL Version

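As of Jan 08, 2017, the latest stable OpenSSL release is 1.1.0; a Long Term Support (LTS) release, 1.0.2, is also published.

OpenSSL release lifecycle:

  1. v1.1.0 is the current latest stable release;
  2. v1.0.2 is the LTS (Long Term Support) release, officially supported until Dec 31, 2019;
  3. v1.0.1, v1.0.0 and v0.9.8 are no longer officially supported or maintained.

See the Downloads page for details.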

On Jan 02, 2017 the OpenSSL project issued the following announcement:

> The OpenSSL 1.0.1 series of releases are now out of support. Please upgrade to 1.1.0 or 1.0.2. – Latest News

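The repositories of GNU/Linux distributions such as Debian and CentOS do not yet provide newer OpenSSL versions (such as v1.0.2). To use the latest stable release, you have to compile and install it manually; see:

* Compilation and Installation
* OpenSSL - Beyond Linux® From Scratch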

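Although official support for v1.0.1 ended on Dec 31, 2016, it is a very important OpenSSL release: support for the TLS v1.1 and TLS v1.2 protocols begins with v1.0.1, and versions before v1.0.1 do not support them. For details see:

* OpenSSL 1.0.1 Series Release Notes, section "Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]";
* Changelog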

Release Notice & Vulnerability


item link


OpenSSL Check

  1. Use the following command to check whether OpenSSL is installed on the system

    command -v openssl &> /dev/null && echo 'installed' || echo 'not install'
  2. Use the following commands to view version information


# simple version info
openssl version
# openssl version | awk '{print $2}'

# complete version info
openssl version -a


flying@lempstacker:~$ command -v openssl &> /dev/null && echo 'installed' || echo 'not install'
flying@lempstacker:~$ openssl version
OpenSSL 1.0.1t  3 May 2016
flying@lempstacker:~$ openssl version | awk '{print $2}'
flying@lempstacker:~$ openssl version -a
OpenSSL 1.0.1t  3 May 2016
built on: Fri Sep 23 17:53:23 2016
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
OPENSSLDIR: "/usr/lib/ssl"


flying@lempstacker:~$ cd /usr/lib/ssl/
flying@lempstacker:/usr/lib/ssl$ pwd
flying@lempstacker:/usr/lib/ssl$ ls -lhF
total 12K
lrwxrwxrwx 1 root root 14 Sep 24 01:56 certs -> /etc/ssl/certs/
drwxr-xr-x 1 root root 82 Dec  7 20:32 misc/
lrwxrwxrwx 1 root root 20 Sep 24 01:56 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 Sep 24 01:56 private -> /etc/ssl/private/
flying@lempstacker:/usr/lib/ssl$ ls -lhF misc/
total 40K
-rwxr-xr-x 1 root root 5.8K Sep 24 01:56*
-rwxr-xr-x 1 root root 5.1K Sep 24 01:56*
-rwxr-xr-x 1 root root  119 Sep 24 01:56 c_hash*
-rwxr-xr-x 1 root root  152 Sep 24 01:56 c_info*
-rwxr-xr-x 1 root root  112 Sep 24 01:56 c_issuer*
-rwxr-xr-x 1 root root  110 Sep 24 01:56 c_name*
-rwxr-xr-x 1 root root 6.3K Sep 24 01:56 tsget*

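The ./misc subdirectory of this directory contains scripts for implementing a private CA (certification authority). The paths and commands used in those scripts are documented in man ca.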
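
The version check and the lifecycle list above can be combined into one script. This is an added example, not part of the original article: the function names are illustrative, the support labels reflect only the Jan 08, 2017 snapshot given on this page, and the sample version lines are constructed.

```shell
#!/bin/sh
# Added example. Support status mirrors this page's Jan 08, 2017 snapshot.

# Extract the release series (e.g. 1.0.1) from an `openssl version` line
# such as "OpenSSL 1.0.1t  3 May 2016". Returns 1 if the line does not parse.
openssl_series() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    series=$(printf '%s\n' "$ver" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    [ -n "$series" ] || return 1
    printf '%s\n' "$series"
}

# Map a series to the support status given in the page's lifecycle list.
openssl_support_status() {
    case "$1" in
        1.1.0)             echo "stable" ;;
        1.0.2)             echo "lts-until-2019-12-31" ;;
        1.0.1|1.0.0|0.9.8) echo "end-of-life" ;;
        *)                 echo "unknown" ;;   # series not covered by the page
    esac
}

# TLS v1.1/v1.2 support starts with 1.0.1: compare the three fields numerically.
openssl_has_tls12() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    if [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -gt 0 ]; } ||
       { [ "$1" -eq 1 ] && [ "$2" -eq 0 ] && [ "$3" -ge 1 ]; }; then
        echo yes
    else
        echo no
    fi
}

classify_openssl() {
    s=$(openssl_series "$1") || { echo "unparsed"; return 1; }
    echo "series=$s support=$(openssl_support_status "$s") tls1.2=$(openssl_has_tls12 "$s")"
}

# Constructed sample lines; the first matches the output shown on this page.
# On a live host use: classify_openssl "$(openssl version)"
for line in "OpenSSL 1.0.1t  3 May 2016" "OpenSSL 1.0.2j  26 Sep 2016" \
            "OpenSSL 0.9.8zh 3 Dec 2015" "OpenSSL 1.1.0c  10 Nov 2016"; do
    classify_openssl "$line"
done
```

A line that does not start with "OpenSSL" followed by a three-part version is reported as unparsed rather than guessed at.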

OpenSSL Commands


openssl help

man openssl

List Available Commands


flying@lempstacker:~$ openssl help
openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             srp               ts                verify            
version           x509              

Message Digest commands (see the `dgst' command for more details)
md4               md5               rmd160            sha               

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              rc2               
rc2-40-cbc        rc2-64-cbc        rc2-cbc           rc2-cfb           
rc2-ecb           rc2-ofb           rc4               rc4-40            
seed              seed-cbc          seed-cfb          seed-ecb          


The output is divided into three parts:

* Standard commands
* Message Digest commands (man dgst)
* Cipher commands (man enc)


# Standard commands (46 in total)
openssl list-standard-commands

# Message Digest commands (5 in total)
openssl list-message-digest-commands

# Cipher commands (53 in total)
openssl list-cipher-commands

All three of the above are pseudo-commands. There are also:

# list all cipher names (197 in total)
openssl list-cipher-algorithms

# list all message digest names (53 in total)
openssl list-message-digest-algorithms

# list all supported public key algorithms (34 in total)
openssl list-public-key-algorithms

Standard Commands

There are currently 46 standard commands. Usage details for each are available via man command, for example man x509.

| Command | Description |
| --- | --- |
| ca | Certificate Authority (CA) Management. |
| ciphers | Cipher Suite Description Determination. |
| cms | CMS (Cryptographic Message Syntax) utility. |
| crl | Certificate Revocation List (CRL) Management. |
| crl2pkcs7 | CRL to PKCS#7 Conversion. |
| dgst | Message Digest Calculation. |
| dh | Diffie-Hellman Parameter Management. Obsoleted by dhparam. |
| dhparam | Generation and Management of Diffie-Hellman Parameters. Superseded by genpkey and pkeyparam. |
| dsa | DSA Data Management. |
| dsaparam | DSA Parameter Generation and Management. Superseded by genpkey and pkeyparam. |
| ec | EC (Elliptic curve) key processing. |
| ecparam | EC parameter manipulation and generation. |
| enc | Encoding with Ciphers. |
| engine | Engine (loadable module) information and manipulation. |
| errstr | Error Number to Error String Conversion. |
| gendh | Generation of Diffie-Hellman Parameters. Obsoleted by dhparam. |
| gendsa | Generation of DSA Private Key from Parameters. Superseded by genpkey and pkey. |
| genpkey | Generation of Private Key or Parameters. |
| genrsa | Generation of RSA Private Key. Superseded by genpkey. |
| nseq | Create or examine a Netscape certificate sequence. |
| ocsp | Online Certificate Status Protocol utility. |
| passwd | Generation of hashed passwords. |
| pkcs12 | PKCS#12 Data Management. |
| pkcs7 | PKCS#7 Data Management. |
| pkey | Public and private key management. |
| pkeyparam | Public key algorithm parameter management. |
| pkeyutl | Public key algorithm cryptographic operation utility. |
| rand | Generate pseudo-random bytes. |
| req | PKCS#10 X.509 Certificate Signing Request (CSR) Management. |
| rsa | RSA key management. |
| rsautl | RSA utility for signing, verification, encryption, and decryption. Superseded by pkeyutl. |
| s_client | This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. |
| s_server | This implements a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS. |
| s_time | SSL Connection Timer. |
| sess_id | SSL Session Data Management. |
| smime | S/MIME mail processing. |
| speed | Algorithm Speed Measurement. |
| spkac | SPKAC printing and generating utility. |
| ts | Time Stamping Authority tool (client/server). |
| verify | X.509 Certificate Verification. |
| version | OpenSSL Version Information. |
| x509 | X.509 Certificate Data Management. |

Message Digest Commands


| Command | Description |
| --- | --- |
| md2 | MD2 Digest |
| md5 | MD5 Digest |
| mdc2 | MDC2 Digest |
| rmd160 | RMD-160 Digest |
| sha | SHA Digest |
| sha1 | SHA-1 Digest |
| sha224 | SHA-224 Digest |
| sha256 | SHA-256 Digest |
| sha384 | SHA-384 Digest |
| sha512 | SHA-512 Digest |


# list all available ciphers
openssl ciphers -v

# This lists ciphers compatible with any of TLSv1, TLSv1.1 or TLSv1.2.
openssl ciphers -v -tls1

# list only high encryption ciphers (key lengths larger than 128 bits)
# 'MEDIUM' represents 128 bit encryption
openssl ciphers -v 'HIGH'

# list only cipher suites using RSA key exchange
openssl ciphers -v 'kRSA'

# list only high encryption ciphers using the RSA algorithm
openssl ciphers -v 'RSA+HIGH'

Encoding And Cipher Commands

| Type | Commands |
| --- | --- |
| Base64 Encoding | Base64 |
| Blowfish Cipher | bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb |
| CAST Cipher | cast, cast-cbc |
| CAST5 Cipher | cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb |
| DES Cipher | des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ofb |
| Triple-DES Cipher | des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb |
| IDEA Cipher | idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb |
| RC2 Cipher | rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb |
| RC4 Cipher | rc4 |
| RC5 Cipher | rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb |


Ivan Ristić, the creator of, has a free download of his OpenSSL Cookbook that covers the most frequently used OpenSSL features and commands. It is updated often, and is available at It is highly recommended. –

Change Logs

  • 2017.01.08 18:12 Sun Asia/Shanghai
    • First draft completed