How to check the OpenSSL version on Linux

How To Check/Find OpenSSL Version?

OpenSSL is an open-source library that provides cryptographic functions and implementations. It is the de facto library for cryptography-related operations and is used by a great many applications. OpenSSL is provided both as a library and as a command-line application, and offers functions and features such as SSL/TLS, hashing (for example SHA-1), and symmetric encryption and decryption (for example AES).

Find OpenSSL Version

The OpenSSL provides the version command which provides information about the version, built date, platform, compiler flags, OpenSSL directory, etc. This command can be directly used to print the version of the installed OpenSSL like below.

From the output we can see that the version is “1.2.3f”. The parts of that string have the following meanings:

  • The major version of this OpenSSL is 1, the first number in the version string.
  • The minor version is 2, the second number in the version string.
  • The letter release is “3f”, which is used for bug fixes and for tracking very minor releases.
  • The version output also includes the build date, the date on which this OpenSSL binary was built from source.

Find OpenSSL Version via Apt/Deb Package Manager

If OpenSSL was installed via the apt or dpkg package manager, the version information can also be displayed by those tools (for example with apt show openssl). Even if OpenSSL is not installed, the version the repository provides can be listed this way.

Find OpenSSL Version via Dnf/Rpm Package Manager

If OpenSSL was installed via the dnf, yum or rpm package manager, the version information can be displayed with those tools (for example rpm -q openssl or dnf info openssl). Even if OpenSSL is not installed, the version the repository provides can be listed this way.

Display All Information About OpenSSL

The version command can also print all information about OpenSSL in more detail. Pass the -a option to version to list the version together with the build date, platform, compiler flags and directories.

How to Check the OpenSSL Version Number

OpenSSL is an open-source cryptographic library and SSL toolkit. The applications contained in the library help create a secure communication environment for computer networks.

OpenSSL contains an implementation of SSL and TLS protocols, meaning that most servers and HTTPS websites use its resources.

In this tutorial, learn how to find the OpenSSL version with a single command.

  • A command-line/terminal window.
  • OpenSSL installed on your system.

OpenSSL Version Command

The openssl version command allows you to determine the version your system is currently using. This information is useful if you want to find out if a particular feature is available, verify whether a security threat affects your system, or perhaps report a bug. Type in:

The resulting data will consist of the OpenSSL version designation and the date of its initial release.

The output is clear and easy to understand. We can break down the version format to get valuable insight. Additionally, using flags can help structure the data.

OpenSSL Releases

The format of the version provides a lot of information. The position of each number represents the release type:

  • Major Releases – You can recognize a major release if one or both of the first two digits change. This type of release can break compatibility with previous versions. For example: 1.1.0g vs. 1.2.0
  • Minor Releases – A minor release changes the last number of the version designation, e.g., 1.1.0 vs. 1.1.1. These releases are likely to contain new features; however, they should not break binary compatibility. You do not need to recompile applications to benefit from them.
  • Letter Releases – The trailing letter, as in our example 1.1.0g, marks a release that contains bug and security fixes exclusively. No new features are added.

Note: The next planned version of OpenSSL is 3.0.0. Once the new version is released, the versioning scheme will change to the more contemporary MAJOR.MINOR.PATCH format.

OpenSSL Flags

By using the general flag -help we can see an overview of all valid options for openssl version.

There are eight (8) valid options that allow you to narrow your search. The option that provides the most comprehensive set of information is -a:

This command compiles all the information contained under the individual flags into a single output.

This option is convenient, especially when troubleshooting or composing a bug report.

The OPENSSLDIR line is especially interesting, as it tells you where OpenSSL looks for its configuration and certificates. You can print just that line by passing the -d flag to openssl version.

In this example, the configuration files and certificates are located at /usr/lib/ssl.

Now you have learned how to check the OpenSSL version.

You should now understand how to interpret that data, and how it can be used to improve server security, troubleshoot, or submit a bug report.

The flags presented in the article provided you with the necessary tools to help you make an informed decision and administer your system effectively.

Introduction

The openssl command-line binary that ships with the OpenSSL libraries can perform a wide range of cryptographic operations. It can come in handy in scripts or for accomplishing one-time command-line tasks.

Documentation for using the openssl application is somewhat scattered, however, so this article aims to provide some practical examples of its use. I assume that you’ve already got a functional OpenSSL installation and that the openssl binary is in your shell’s PATH.

Just to be clear, this article is strictly practical; it does not concern cryptographic theory and concepts. If you don’t know what an MD5 sum is, this article won’t enlighten you one bit—but if all you need to know is how to use openssl to generate a file sum, you’re in luck.

The nature of this article is that I’ll be adding new examples incrementally. Check back at a later date if I haven’t gotten to the information you need.

How do I find out what OpenSSL version I’m running?

Use the version option.

You can get much more information with the version -a option.

How do I get a list of the available commands?

There are three built-in options for getting lists of available commands, but none of them provide what I consider useful output. The best thing to do is provide an invalid command (help or -h will do nicely) to get a readable answer.

What the shell calls “Standard commands” are the main top-level options.

You can use the same trick with any of the subcommands.

In more boring fashion, you can consult the OpenSSL man pages.

How do I get a list of available ciphers?

Use the ciphers option. The ciphers(1) man page is quite helpful.

Benchmarking

How do I benchmark my system’s performance?

The OpenSSL developers have built a benchmarking suite directly into the openssl binary. It’s accessible via the speed option. It tests how many operations it can perform in a given time, rather than how long it takes to perform a given number of operations. This strikes me as quite sane, because the benchmarks don’t take significantly longer to run on a slow system than on a fast one.

To run a catchall benchmark, run it without any further options.

There are two sets of results. The first reports how many bytes per second can be processed for each algorithm, the second the times needed for sign/verify cycles. Here are the results on a 2.70GHz Intel Xeon E5.

You can run any of the algorithm-specific subtests directly.

How do I benchmark remote connections?

The s_time option lets you test connection performance. The most simple invocation will run for 30 seconds, use any cipher, and use SSL handshaking to determine the number of connections per second, using both new and reused sessions:

Beyond that most simple invocation, s_time gives you a wide variety of testing options.

If you don’t have an SSL-enabled web server available for your use, you can emulate one using the s_server option.

Certificates

How do I generate a self-signed certificate?

You’ll first need to decide whether or not you want to encrypt your key. Doing so means that the key is protected by a passphrase.

On the plus side, adding a passphrase to a key makes it more secure, so the key is less likely to be useful to someone who steals it. The downside, however, is that you’ll have to either store the passphrase in a file or type it manually every time you want to start your web or ldap server.

It violates my normally paranoid nature to say it, but I prefer unencrypted keys, so I don’t have to manually type a passphrase each time a secure daemon is started. (It’s not terribly difficult to decrypt your key if you later tire of typing a passphrase.)

This example will produce a file called mycert.pem which will contain both the private key and the public certificate based on it. The certificate will be valid for 365 days, and the key (thanks to the -nodes option) is unencrypted.

Using this command-line invocation, you’ll have to answer a lot of questions: Country Name, State, City, and so on. The tricky question is “Common Name.” You’ll want to answer with the hostname or CNAME by which people will address the server. This is very important. If your web server’s real hostname is mybox.mydomain.com but people will be using www.mydomain.com to address the box, then use the latter name to answer the “Common Name” question.

Once you’re comfortable with the answers you provide to those questions, you can script the whole thing by adding the -subj option. I’ve included some information about location into the example that follows, but the only thing you really need to include for the certificate to be useful is the hostname (CN).
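Added example (not the HOWTO's own): the self-signed recipe with -subj and -nodes as a script, followed by the x509 checks worth doing before deployment: subject, dates, fingerprint, and whether the key and certificate in mycert.pem actually belong together. The subject values are constructed; -addext needs OpenSSL 1.1.1 or later and is skipped automatically on older releases.

```shell
#!/bin/sh
# Added example: script the self-signed certificate recipe with -subj and
# -nodes, then read back the fields worth checking before deployment.
# Host name and subject values are constructed for the demonstration.

# make_self_signed DIR HOSTNAME [DAYS]
# Produces DIR/mycert.pem holding the unencrypted private key and the certificate.
make_self_signed() {
    dir=$1; host=$2; days=${3:-365}
    # Current browsers match the name against subjectAltName, not only CN;
    # add it when this openssl supports -addext (1.1.1 and later).
    san=""
    if openssl req -help 2>&1 | grep -q -- '-addext'; then
        san="-addext subjectAltName=DNS:$host"
    fi
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/C=US/ST=Oregon/L=Portland/O=Example Inc/CN=$host" $san 2>/dev/null \
        || return 1
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/mycert.pem"
    rm -f "$dir/key.pem" "$dir/cert.pem"
    chmod 600 "$dir/mycert.pem"          # the combined file holds a private key
}

# cert_summary FILE: subject, validity window and SHA-256 fingerprint
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates -sha256 -fingerprint
}

# cert_cn FILE: the Common Name only, for scripted checks
# (handles both "CN = host" and the older "/CN=host" subject layouts)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s|[,/].*||'
}

# key_matches_cert FILE: the key and certificate in a combined file belong
# together exactly when their public keys are identical
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$1" -noout -pubkey)" ]
}

# Demonstration in a scratch directory.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_self_signed "$work" www.mydomain.com 365
    cert_summary "$work/mycert.pem"
    echo "CN: $(cert_cn "$work/mycert.pem")"
    key_matches_cert "$work/mycert.pem" && echo "key and certificate match"
    rm -rf "$work"
fi
```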

How do I generate a certificate request for VeriSign?

Applying for a certificate signed by a recognized certificate authority like VeriSign is a complex bureaucratic process. You’ve got to perform all the requisite paperwork before creating a certificate request.

As in the recipe for creating a self-signed certificate, you’ll have to decide whether or not you want a passphrase on your private key. The recipe below assumes you don’t. You’ll end up with two files: a new private key called mykey.pem and a certificate request called myreq.pem.

If you’ve already got a key and would like to use it for generating the request, the syntax is a bit simpler.

Similarly, you can also provide subject information on the command line.

When dealing with an institution like VeriSign, you need to take special care to make sure that the information you provide during the creation of the certificate request is exactly correct. I know from personal experience that even a difference as trivial as substituting “and” for “&” in the Organization Name will stall the process.

If you’d like, you can double check the signature and information provided in the certificate request.
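Added example (not the HOWTO's own): the request for an existing key, scripted with -subj, plus the double check before submission: the subject as the CA will read it, the self-signature, and that the request's public key really belongs to mykey.pem. Subject values and file names are constructed.

```shell
#!/bin/sh
# Added example: create a certificate request for an existing key and check it
# before submitting it to a CA. Subject values and file names are constructed.

# new_key FILE [BITS]: unencrypted RSA private key
new_key() { openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null; }

# make_csr KEY CSR SUBJECT
# e.g. make_csr mykey.pem myreq.pem "/C=US/ST=Oregon/O=Example Inc/CN=www.example.com"
make_csr() { openssl req -new -key "$1" -out "$2" -subj "$3"; }

# csr_subject CSR: the subject exactly as the CA will see it; compare it field
# by field with the registered details ("&" versus "and" is enough to stall)
csr_subject() { openssl req -in "$1" -noout -subject; }

# check_csr KEY CSR: self-signature intact, and the request was made with KEY
check_csr() {
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
    if [ "$(openssl req -in "$2" -noout -pubkey)" != "$(openssl pkey -in "$1" -pubout)" ]; then
        echo "$2 was not generated from $1" >&2
        return 1
    fi
}

# Demonstration in a scratch directory.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    new_key "$work/mykey.pem"
    make_csr "$work/mykey.pem" "$work/myreq.pem" "/C=US/ST=Oregon/O=Example Inc/CN=www.example.com"
    csr_subject "$work/myreq.pem"
    check_csr "$work/mykey.pem" "$work/myreq.pem" && echo "request checks out; keep mykey.pem safe"
    rm -rf "$work"
fi
```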

Save the key file in a secure location. You’ll need it in order to use the certificate VeriSign sends you. The certificate request will typically be pasted into VeriSign’s online application form.

How do I test a new certificate?

The s_server option provides a simple but effective testing method. The example below assumes you’ve combined your key and certificate into one file called mycert.pem.

First, launch the test server on the machine on which the certificate will be used. By default, the server will listen on port 4433; you can alter that using the -accept option.

If the server launches without complaint, then chances are good that the certificate is ready for production use.

You can also point your web browser at the test server, e.g., https://yourserver:4433/. Don’t forget to specify the “https” protocol; plain-old “http” won’t work. You should see a page listing the various ciphers available and some statistics about your connection. Most modern browsers allow you to examine the certificate as well.

How do I retrieve a remote certificate?

If you combine openssl and sed, you can retrieve remote certificates via a shell one-liner or a simple script.

You can, in turn, pipe that information back to openssl to do things like check the dates on all your active certificates.
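Added example (not from the HOWTO): the openssl-plus-sed retrieval as a function, with -servername so a name-based virtual host returns its own certificate, and the "check the dates" step done with x509 -checkend. Host names are placeholders and WARN_DAYS is an assumed threshold; the demonstration at the end uses a constructed short-lived certificate instead of a live server.

```shell
#!/bin/sh
# Added example: fetch a server's certificate with s_client + sed and check its
# dates, i.e. the "check the dates on all your active certificates" loop.
# Host names are placeholders; WARN_DAYS is an assumed threshold.

# fetch_cert HOST [PORT]: the server's leaf certificate as PEM.
# -servername sends SNI so a shared-IP host returns the right certificate;
# </dev/null closes the session as soon as the handshake is done.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# cert_expires_within FILE DAYS: true if the certificate in FILE expires within
# DAYS (or already has). x509 -checkend takes seconds and exits 1 when it will.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_dates FILE: subject, issuer and the validity window
cert_dates() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

# check_hosts HOST...: one line per host, flagging certificates that expire soon
check_hosts() {
    warn=${WARN_DAYS:-30}
    for h in "$@"; do
        pem=$(fetch_cert "$h")
        if [ -z "$pem" ]; then
            echo "$h: could not retrieve a certificate"
            continue
        fi
        tmp=$(mktemp)
        printf '%s\n' "$pem" > "$tmp"
        if cert_expires_within "$tmp" "$warn"; then
            echo "$h: WARNING expires within $warn days"
        else
            echo "$h: ok"
        fi
        cert_dates "$tmp" | sed "s/^/$h:   /"
        rm -f "$tmp"
    done
}

# Offline demonstration: a constructed two-day certificate stands in for a live host.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    openssl req -x509 -nodes -days 2 -newkey rsa:2048 -keyout "$work/k.pem" \
        -out "$work/c.pem" -subj "/CN=short-lived.example.test" 2>/dev/null
    cert_dates "$work/c.pem"
    cert_expires_within "$work/c.pem" 30 && echo "expires within 30 days"
    rm -rf "$work"
fi
```

check_hosts takes host names and assumes port 443; call fetch_cert directly to use another port.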

How do I extract information from a certificate?

An SSL certificate contains a wide range of information: issuer, valid dates, subject, and some hardcore crypto stuff. The x509 subcommand is the entry point for retrieving this information. The examples below all assume that the certificate you want to examine is stored in a file named cert.pem.

Using the -text option will give you the full breadth of information.

Other options will provide more targeted sets of data.

How do I export or import a PKCS#12 certificate?

PKCS#12 files can be imported and exported by a number of applications, including Microsoft IIS. They are often associated with the file extension .pfx.

To create a PKCS#12 certificate, you’ll need a private key and a certificate. During the conversion process, you’ll be given an opportunity to put an “Export Password” (which can be empty, if you choose) on the certificate.

If someone sends you a PKCS#12 and any passwords needed to work with it, you can export it into standard PEM format.

Certificate Verification

Applications linked against the OpenSSL libraries can verify certificates signed by a recognized certificate authority (CA).

How do I verify a certificate?

Use the verify option to verify certificates.

If your local OpenSSL installation recognizes the certificate or its signing authority and everything else (dates, signing chain, etc.) checks out, you’ll get a simple OK message.

If anything is amiss, you’ll see some error messages with short descriptions of the problem, e.g.,

error 10 at 0 depth lookup:certificate has expired. Certificates are typically issued for a limited period of time—usually just one year—and openssl will complain if a certificate has expired.

error 18 at 0 depth lookup:self signed certificate. Unless you make an exception, OpenSSL won’t verify a self-signed certificate.
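Added example (not the HOWTO's own): a throwaway CA and a leaf certificate issued from a request, then openssl verify in the OK, wrong-issuer, expired and self-signed cases; -attime evaluates the chain at a chosen moment, which is how to reproduce "certificate has expired" on demand. Names and subjects are constructed; -attime is assumed to be available, as it is on current releases.

```shell
#!/bin/sh
# Added example: build a throwaway CA, issue a leaf certificate, and show what
# "openssl verify" reports for the OK, untrusted-issuer, expired and
# self-signed cases. All names and subjects are constructed.

# make_ca DIR NAME: self-signed CA certificate DIR/ca.pem with key DIR/ca.key
make_ca() {
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout "$1/ca.key" \
        -out "$1/ca.pem" -subj "/O=$2/CN=$2 Root" 2>/dev/null
}

# issue_leaf DIR CN DAYS: key and request for CN, signed by DIR's CA -> DIR/leaf.pem
issue_leaf() {
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1/leaf.key" \
        -out "$1/leaf.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -out "$1/leaf.pem" 2>/dev/null
}

# verify_cert CERT CAFILE [EPOCH]: verify against the given trust file (the
# default directory is still consulted). EPOCH, seconds since 1970, makes the
# check run as if at that moment via -attime.
verify_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -attime "$3" "$1"
    else
        openssl verify -CAfile "$2" "$1"
    fi
}

# Demonstration: the four verdicts, in a scratch directory.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d); mkdir "$work/other"
    make_ca "$work" "Demo CA" && make_ca "$work/other" "Other CA"
    issue_leaf "$work" www.example.test 365
    echo "--- leaf against the CA that signed it:"
    verify_cert "$work/leaf.pem" "$work/ca.pem" || true
    echo "--- leaf against an unrelated CA:"
    verify_cert "$work/leaf.pem" "$work/other/ca.pem" 2>&1 || true
    echo "--- leaf evaluated 400 days from now (it is valid for 365):"
    verify_cert "$work/leaf.pem" "$work/ca.pem" $(( $(date +%s) + 400 * 86400 )) 2>&1 || true
    echo "--- self-signed CA, trusted explicitly (the exception):"
    verify_cert "$work/ca.pem" "$work/ca.pem" || true
    rm -rf "$work"
fi
```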

What certificate authorities does OpenSSL recognize?

When OpenSSL was built for your system, it was configured with a “Directory for OpenSSL files.” (That’s the --openssldir option passed to the configure script, for you hands-on types.) This is the directory that typically holds information about certificate authorities your system trusts.

The default location for this directory is /usr/local/ssl, but most vendors put it elsewhere, e.g., /usr/share/ssl (Red Hat/Fedora), /etc/ssl (Gentoo), /usr/lib/ssl (Debian), or /System/Library/OpenSSL (Macintosh OS X).

Use the version option to identify which directory (labeled OPENSSLDIR) your installation uses.

Within that directory and a subdirectory called certs, you’re likely to find one or more of three different kinds of files.

A large file called cert.pem, an omnibus collection of many certificates from recognized certificate authorities like VeriSign and Thawte.

Some small files in the certs subdirectory named with a .pem file extension, each of which contains a certificate from a single CA.

Some symlinks in the certs subdirectory with obscure filenames like 052eae11.0. There is typically one of these links for each .pem file.

The first part of the obscure filename is actually a hash value based on the certificate within the .pem file to which it points. The file extension is just an iterator, since it’s theoretically possible for multiple certificates to generate identical hashes.

On my Gentoo system, for example, there’s a symlink named f73e89fd.0 that points to a file named vsignss.pem. Sure enough, the certificate in that file generates a hash that equates to the name of the symlink:

When an application encounters a remote certificate, it will typically check to see if the cert can be found in cert.pem or, if not, in a file named after the certificate’s hash value. If found, the certificate is considered verified.

It’s interesting to note that some applications, like Sendmail, allow you to specify at runtime the location of the certificates you trust, while others, like Pine, do not.

How do I get OpenSSL to recognize/verify a certificate?

Put the file that contains the certificate you’d like to trust into the certs directory discussed above. Then create the hash-based symlink. Here’s a little script that’ll do just that.
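The script itself is not reproduced on this page, so here is a reconstruction (added example, not the author's script) that copies a certificate into the certs directory, creates the <hash>.N link with the iterator suffix described above, and proves the lookup with verify -CApath. CERTSDIR defaults to OPENSSLDIR/certs as read with openssl version -d.

```shell
#!/bin/sh
# Added example: install a CA certificate into the certs directory by adding
# the hash-named symlink that OpenSSL's directory lookup expects.
# CERTSDIR defaults to $OPENSSLDIR/certs; the demonstration uses a scratch dir.

# cert_hash FILE: the subject-name hash used as the symlink's base name
# (x509 -hash; -subject_hash_old gives the pre-1.0.0 form)
cert_hash() { openssl x509 -in "$1" -noout -hash; }

# install_trusted_cert FILE [CERTSDIR]
install_trusted_cert() {
    cert=$1
    certsdir=${2:-$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')/certs}
    name=$(basename "$cert")
    hash=$(cert_hash "$cert") || return 1
    [ -d "$certsdir" ] || { echo "$certsdir: no such directory" >&2; return 1; }
    cmp -s "$cert" "$certsdir/$name" || cp "$cert" "$certsdir/$name"
    # The numeric suffix is the iterator: .0 normally, .1 if a different
    # certificate with the same hash is already installed, and so on.
    n=0
    while [ -e "$certsdir/$hash.$n" ]; do
        if [ "$(readlink "$certsdir/$hash.$n")" = "$name" ]; then
            echo "$certsdir/$hash.$n -> $name (already present)"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$name" "$certsdir/$hash.$n"
    echo "$certsdir/$hash.$n -> $name"
}

# verify_with_dir CERT CERTSDIR: the lookup applications perform, made explicit
verify_with_dir() { openssl verify -CApath "$2" "$1"; }

# Demonstration with a constructed root certificate in a scratch certs directory.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d); mkdir "$work/certs"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$work/demo.key" \
        -out "$work/demo-root.pem" -subj "/O=Demo/CN=Demo Root" 2>/dev/null
    install_trusted_cert "$work/demo-root.pem" "$work/certs"
    verify_with_dir "$work/demo-root.pem" "$work/certs"
    rm -rf "$work"
fi
```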

Command-line clients and servers

The s_client and s_server options provide a way to launch SSL-enabled command-line clients and servers. There are other examples of their use scattered around this document, but this section is dedicated solely to them.

In this section, I assume you are familiar with the specific protocols at issue: SMTP, HTTP, etc. Explaining them is out of the scope of this article.

How do I connect to a secure SMTP server?

You can test, or even use, an SSL-enabled SMTP server from the command line using the s_client option.

Secure SMTP servers offer secure connections on up to three ports: 25 (TLS), 465 (SSL), and 587 (TLS). Some time around the 0.9.7 release, the openssl binary was given the ability to use STARTTLS when talking to SMTP servers.

RFC821 suggests (although it falls short of explicitly specifying) the two characters “<CRLF>” as the line terminator. Most mail agents do not care about this and accept either “<LF>” or “<CRLF>” as line terminators, but Qmail does not. If you want to comply to the letter with RFC821 and/or communicate with Qmail, also use the -crlf option:

How do I connect to a web server using SNI?

The shortage of IPv4 addresses prompted the development of the HTTP 1.1 standard so a single IP address could host multiple name-based virtual servers.

Later, that same shortage of addresses led to the development of the Server Name Indication (SNI) extension of the TLS protocol. When using SNI, the client sends the hostname it wants to contact during the TLS negotiation. An SNI-enabled server is then able to offer the certificate with the matching hostname for the client to verify.

SNI is enabled in openssl by specifying the -servername option.

How do I connect to a secure [whatever] server?

Connecting to a different type of SSL-enabled server is essentially the same operation as outlined above. As of the date of this writing, openssl only supports command-line TLS with SMTP servers, so you have to use straightforward SSL connections with any other protocol.

How do I set up an SSL server from the command line?

The s_server option allows you to set up an SSL-enabled server from the command line, but I wouldn’t recommend using it for anything other than testing or debugging. If you need a production-quality wrapper around an otherwise insecure server, check out Stunnel instead.

The s_server option works best when you have a certificate; it’s fairly limited without one.

Digests

Generating digests with the dgst option is one of the more straightforward tasks you can accomplish with the openssl binary. Producing digests is done so often, as a matter of fact, that you can find special-use binaries for doing the same thing.

How do I create an MD5 or SHA1 digest of a file?

Digests are created using the dgst option. I’ve seen several systems on which the OpenSSL dgst(1) man page does not accurately report the digest functions available via the local openssl binary. I suggest running openssl dgst -h to see which digests are actually available.

The MD5 digests are identical to those created with the widely available md5sum command, though the output formats differ.

The same is true for SHA1 digests and the output of the sha1sum application.

How do I sign a digest?

If you want to ensure that the digest you create doesn’t get modified without your permission, you can sign it using your private key. The following example assumes that you want to sign the SHA256 sum of a file called foo-1.23.tar.gz .

How do I verify a signed digest?

To verify a signed digest you’ll need the file from which the digest was derived, the signed digest, and the signer’s public key.
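Added example (not from the HOWTO): sign the SHA-256 digest of a file with an RSA private key and verify it with the public key; the genrsa and rsa -pubout steps from the key sections further down are included so it runs stand-alone. The tarball and its tampered copy are constructed.

```shell
#!/bin/sh
# Added example: sign a file's SHA-256 digest with an RSA private key and
# verify it with the matching public key. The release tarball is a
# constructed stand-in.

# keygen DIR: DIR/key.pem (private, unencrypted) and DIR/pub.pem (public)
keygen() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl rsa -in "$1/key.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# sha256_hex FILE: the digest alone; same value as sha256sum, different layout
sha256_hex() { openssl dgst -sha256 "$1" | sed 's/^.*= //'; }

# sign_file KEY FILE: signature over the SHA-256 digest, written to FILE.sig
sign_file() { openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"; }

# verify_file PUBKEY FILE: succeeds only if FILE.sig matches FILE's current content
verify_file() { openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2"; }

# Demonstration: sign, verify, then tamper with the file and verify again.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    keygen "$work"
    printf 'stand-in for the release tarball\n' > "$work/foo-1.23.tar.gz"
    echo "sha256: $(sha256_hex "$work/foo-1.23.tar.gz")"
    sign_file "$work/key.pem" "$work/foo-1.23.tar.gz"
    verify_file "$work/pub.pem" "$work/foo-1.23.tar.gz"   # reports Verified OK on success
    printf 'tampered\n' >> "$work/foo-1.23.tar.gz"
    verify_file "$work/pub.pem" "$work/foo-1.23.tar.gz" || echo "tampered file rejected"
    rm -rf "$work"
fi
```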

How do I create an Apache digest password entry?

Apache’s HTTP digest authentication feature requires a special password format. Apache ships with the htdigest utility, but it will only write to a file, not to standard output. When working with remote users, it’s sometimes nice for them to be able to generate a password hash on a machine they trust and then mail it for inclusion in your local password database.

The format of the password database is relatively simple: a colon-separated list of the username, authorization realm (specified by the Apache AuthName directive), and an MD5 digest of those two items and the password. Below is a script that duplicates the output of htdigest, except that the output is written to standard output. It takes advantage of the dgst option’s ability to read from standard input.
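The script is not reproduced on this page; this added reconstruction (not the author's script) prints the user:realm:MD5(user:realm:password) entry to standard output and adds an echo-free prompt so the password stays out of the process list and shell history. The sample user and realm are constructed.

```shell
#!/bin/sh
# Added example: an htdigest-compatible entry written to standard output.
# The hash is MD5 over "user:realm:password", computed by dgst reading stdin;
# the realm must equal the AuthName the server uses. Sample values are constructed.

# md5_hex STRING: MD5 of STRING exactly (printf '%s' adds no newline)
md5_hex() { printf '%s' "$1" | openssl dgst -md5 | sed 's/^.*= //'; }

# htdigest_line USER REALM PASSWORD
htdigest_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$(md5_hex "$1:$2:$3")"
}

# htdigest_prompt USER REALM: read the password without echo, so it neither
# shows in the process list nor lands in the shell history, then print the entry
htdigest_prompt() {
    printf 'Password for %s in realm "%s": ' "$1" "$2" >&2
    stty -echo; read -r pw; stty echo; echo >&2
    htdigest_line "$1" "$2" "$pw"
}

# htdigest_check LINE PASSWORD: recompute from the user and realm in LINE and compare
htdigest_check() {
    user=${1%%:*}; rest=${1#*:}; realm=${rest%%:*}
    [ "$(htdigest_line "$user" "$realm" "$2")" = "$1" ]
}

# Demonstration with a constructed user, realm and password.
if command -v openssl >/dev/null 2>&1; then
    entry=$(htdigest_line alice "Private Area" secret)
    echo "$entry"
    htdigest_check "$entry" secret && echo "entry verifies"
fi
```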

What other kinds of digests are available?

Use the built-in list-message-digest-commands option to get a list of the digest types available to your local OpenSSL installation.

Like the list in the dgst(1) man page, this list may be outdated. Let the buyer beware!

Encryption/Decryption

How do I base64-encode something?

Use the enc -base64 option.

It’s also possible to do a quick command-line encoding of a string value:

Note that echo will silently attach a newline character to your string. Consider using its -n option if you want to avoid that situation, which could be important if you’re trying to encode a password or authentication string.

Use the -d (decode) option to reverse the process.

How do I simply encrypt a file?

Simple file encryption is probably better done using a tool like GPG. Still, you may have occasion to want to encrypt a file without having to build or use a key/certificate structure. All you want to have to remember is a password. It can nearly be that simple—if you can also remember the cipher you employed for encryption.

To choose a cipher, consult the enc(1) man page. More simply (and perhaps more accurately), you can ask openssl for a list in one of two ways.

After you choose a cipher, you’ll also have to decide if you want to base64-encode the data. Doing so will mean the encrypted data can be, say, pasted into an email message. Otherwise, the output will be a binary file.

To decrypt file.enc you or the file’s recipient will need to remember the cipher and the passphrase.

If you’d like to avoid typing a passphrase every time you encrypt or decrypt a file, the openssl(1) man page provides the details under the heading “PASS PHRASE ARGUMENTS.” The format of the password argument is fairly simple.
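Added example (not from the HOWTO): encrypt and decrypt a file with enc using an explicit cipher, a file: pass phrase argument as described above, and -pbkdf2 where the installed release supports it; the base64 helpers cover the earlier encode/decode section and the echo newline caveat. File contents and passwords are constructed.

```shell
#!/bin/sh
# Added example: password-based file encryption with enc, with the cipher and
# key derivation made explicit so the recipient knows what to run. The
# password is read from a file ("file:" pass phrase argument). Sample content
# and passwords are constructed.

# Pick the cipher from "openssl enc -ciphers" (or "openssl list -cipher-commands").
CIPHER=aes-256-cbc

# -pbkdf2 (OpenSSL 1.1.1 and later) replaces the legacy single-pass MD5 key
# derivation; it is dropped automatically on older releases. Both sides must
# use the same setting, so record it next to the cipher name.
KDF=""
if openssl enc -help 2>&1 | grep -q -- '-pbkdf2'; then
    KDF="-pbkdf2"
fi

# encrypt_file IN OUT PASSFILE: -salt randomises the key per file,
# -a base64-encodes the output so it can be pasted into a mail message
encrypt_file() {
    openssl enc "-$CIPHER" -salt $KDF -a -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file IN OUT PASSFILE: the same cipher and KDF setting, plus -d
decrypt_file() {
    openssl enc -d "-$CIPHER" $KDF -a -in "$1" -out "$2" -pass "file:$3"
}

# b64_encode STRING / b64_decode STRING: printf '%s' avoids the newline that
# echo appends, which matters when the string is a password or auth token
b64_encode() { printf '%s' "$1" | openssl enc -base64; }
b64_decode() { printf '%s\n' "$1" | openssl enc -d -base64; }

# Demonstration: round trip in a scratch directory.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    printf 'constructed secret content\n' > "$work/file"
    printf 'correct horse battery staple\n' > "$work/pass"
    chmod 600 "$work/pass"
    encrypt_file "$work/file" "$work/file.enc" "$work/pass"
    echo "encrypted with $CIPHER${KDF:+ $KDF}:"; cat "$work/file.enc"
    decrypt_file "$work/file.enc" "$work/file.dec" "$work/pass"
    cmp -s "$work/file" "$work/file.dec" && echo "round trip ok"
    echo "base64 of hello: $(b64_encode hello)"
    rm -rf "$work"
fi
```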

Errors

How do I interpret SSL error messages?

Poking through your system logs, you see some error messages that are evidently related to OpenSSL or crypto:

The first step to figure out what’s going wrong is to use the errstr option to interpret the error code. The code number is found between “error:” and “:lib”. In this case, it’s 0407006A.

If you’ve got a full OpenSSL installation, including all the development documentation, you can start your investigation there. In this example, the RSA_padding_add_PKCS1_type_1(3) man page will inform you that PKCS #1 involves block methods for signatures. After that, of course, you’d need to pore through your application’s source code to identify when it would expect to be receiving those sorts of packets.

How do I generate an RSA key?

Use the genrsa option.

How do I generate a public RSA key?

Use the rsa option to produce a public version of your private RSA key.

How do I generate a DSA key?

Building DSA keys requires a parameter file, and DSA verify operations are slower than their RSA counterparts, so they aren’t as widely used as RSA keys.

If you’re only going to build a single DSA key, you can do so in just one step using the dsaparam subcommand.

If, on the other hand, you’ll be creating several DSA keys, you’ll probably want to build a shared parameter file before generating the keys. It can take a while to build the parameters, but once built, key generation is done quickly.

How do I create an elliptic curve key?

Routines for working with elliptic curve cryptography were added to OpenSSL in version 0.9.8. Generating an EC key involves the ecparam option.

How do I remove a passphrase from a key?

Perhaps you’ve grown tired of typing your passphrase every time your secure daemon starts. You can decrypt your key, removing the passphrase requirement, using the rsa or dsa option, depending on the signature algorithm you chose when creating your private key.

If you created an RSA key and it is stored in a standalone file called key.pem, then here’s how to output a decrypted version of the same key to a file called newkey.pem.

Often, you’ll have your private key and public certificate stored in the same file. If they are stored in a file called mycert.pem, you can construct a decrypted version called newcert.pem in two steps.

Password hashes

Using the passwd option, you can generate password hashes that interoperate with traditional /etc/passwd files, newer-style /etc/shadow files, and Apache password files.

How do I generate a crypt-style password hash?

You can generate a new hash quite simply:

If you know an existing password’s “salt,” you can duplicate the hash.

How do I generate a shadow-style password hash?

Newer Unix systems use a more secure MD5-based hashing mechanism that uses an eight-character salt (as compared to the two-character salt in traditional crypt()-style hashes). Generating them is still straightforward using the -1 option:

The salt in this format consists of the eight characters between the second and third dollar signs, in this case sXiKzkus. So you can also duplicate a hash with a known salt and password.
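Added example (not the HOWTO's own): generate the MD5-based ($1$) hash with an eight-character salt drawn from openssl rand, and verify a candidate password against a stored hash by reusing the salt embedded in it, the trick described above. The hash id is taken from the stored string, so the -5/-6 SHA hashes of newer releases verify the same way. The salt sXiKzkus and the passwords are constructed.

```shell
#!/bin/sh
# Added example: shadow-style hashes with openssl passwd, a salt from
# openssl rand, and verification of a password against a stored hash by
# reusing the salt embedded in it. Salts and passwords are constructed.

# new_salt: eight characters from the crypt alphabet [a-zA-Z0-9./]
new_salt() { openssl rand -base64 24 | tr -dc 'a-zA-Z0-9./' | cut -c1-8; }

# hash_password PASSWORD [SALT] [ID]: ID 1 = MD5 ($1$, the -1 option above),
# 5 = SHA-256, 6 = SHA-512 (5 and 6 need OpenSSL 1.1.1 or later).
# The password is fed on stdin rather than placed on the command line.
hash_password() {
    salt=${2:-$(new_salt)}
    printf '%s\n' "$1" | openssl passwd "-${3:-1}" -salt "$salt" -stdin
}

# password_matches STORED PASSWORD: the id and salt are the 2nd and 3rd
# $-separated fields of STORED ($1$sXiKzkus$...); recompute and compare
password_matches() {
    id=$(printf '%s' "$1" | cut -d'$' -f2)
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    case "$id" in
        1|5|6) ;;
        *) echo "unsupported hash format: $1" >&2; return 2 ;;
    esac
    [ "$(hash_password "$2" "$salt" "$id")" = "$1" ]
}

# Demonstration with the salt from the text and a constructed password.
if command -v openssl >/dev/null 2>&1; then
    stored=$(hash_password 'correct horse' sXiKzkus)
    echo "stored hash: $stored"
    password_matches "$stored" 'correct horse' && echo "password accepted"
    password_matches "$stored" 'wrong' || echo "wrong password rejected"
    echo "fresh salt: $(new_salt)"
fi
```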

Prime numbers

Current cryptographic techniques rely heavily on the generation and testing of prime numbers, so it’s no surprise that the OpenSSL libraries contain several routines dealing with primes. Beginning with version 0.9.7e (or so), the prime option was added to the openssl binary.

How do I test whether a number is prime?

Pass the number to the prime option. Note that the number returned by openssl will be in hex, not decimal, format.

You can also pass hex numbers directly.

How do I generate a set of prime numbers?

Starting with OpenSSL version 1.0.0, the openssl binary can generate prime numbers of a specified length:

If you’re using a version of OpenSSL older than 1.0.0, you’ll have to pass a bunch of numbers to openssl and see what sticks. The seq utility is useful in this capacity.

Random data

How do I generate random data?

Use the rand option to generate binary or base64-encoded data.

On a Unix box with a /dev/urandom device and a copy of GNU head, or a recent version of BSD head, you can achieve a similar effect, often with better entropy:

You can get a wider variety of characters than what’s offered using Base64 encoding by using strings:

Make sure you know the trade-offs between the random and urandom devices before relying on them for truly critical entropy. Consult the random(4) man page on Linux and BSD systems, or random(7D) on Solaris, for further information.

S/MIME

S/MIME is a standard for sending and receiving secure MIME data, especially in e-mail messages. Automated S/MIME capabilities have been added to quite a few e-mail clients, though openssl can provide command-line S/MIME services using the smime option.

Note that the documentation in the smime(1) man page includes a number of good examples.

How do I verify a signed S/MIME message?

It’s pretty easy to verify a signed message. Use your mail client to save the signed message to a file. In this example, I assume that the file is named msg.txt.

If the sender’s certificate is signed by a certificate authority trusted by your OpenSSL infrastructure, you’ll see some mail headers, a copy of the message, and a concluding line that says Verification successful.

If the message has been modified by an unauthorized party, the output will conclude with a failure message indicating that the digest and/or the signature doesn’t match what you received:

Likewise, if the sender’s certificate isn’t recognized by your OpenSSL infrastructure, you’ll get a similar error:

Most e-mail clients send a copy of the public certificate in the signature attached to the message. From the command line, you can view the certificate data yourself. You’ll use the smime -pk7out option to pipe a copy of the PKCS#7 certificate back into the pkcs7 option. It’s oddly cumbersome but it works.

If you’d like to extract a copy of your correspondent’s certificate for long-term use, use just the first part of that pipe.

At that point, you can either integrate it into your OpenSSL infrastructure or you can save it off somewhere for special use.

How do I encrypt a S/MIME message?

Let’s say that someone sends you her public certificate and asks that you encrypt some message to her. You’ve saved her certificate as her-cert.pem. You’ve saved your reply as my-message.txt.

To get the default—though fairly weak—RC2-40 encryption, you just tell openssl where the message and the certificate are located.

If you’re pretty sure your remote correspondent has a robust SSL toolkit, you can specify a stronger encryption algorithm like triple DES:

By default, the encrypted message, including the mail headers, is sent to standard output. Use the -out option or your shell to redirect it to a file. Or, much trickier, pipe the output directly to sendmail.

How do I sign a S/MIME message?

If you don’t need to encrypt the entire message, but you do want to sign it so that your recipient can be assured of the message’s integrity, the recipe is similar to that for encryption. The main difference is that you need to have your own key and certificate, since you can’t sign anything with the recipient’s cert.
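Added example (not from the HOWTO): sign, verify, encrypt and decrypt with smime, using constructed self-signed identities as sender and recipient. AES-256 is used in place of the RC2-40 default and the triple DES mentioned above, and the signer's certificate is pulled out with the -pk7out | pkcs7 pipe. Addresses and the message are constructed.

```shell
#!/bin/sh
# Added example: S/MIME sign / verify / encrypt / decrypt with the smime
# option. Identities, addresses and the message are constructed; a
# self-signed certificate plays both the sender and the recipient.

# make_identity DIR NAME: DIR/NAME.key and self-signed DIR/NAME.pem
make_identity() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$1/$2.key" \
        -out "$1/$2.pem" -subj "/CN=$2/emailAddress=$2@example.test" 2>/dev/null
}

# smime_sign CERT KEY IN OUT: clear-signed (multipart/signed) message
smime_sign() { openssl smime -sign -signer "$1" -inkey "$2" -in "$3" -out "$4"; }

# smime_verify TRUSTFILE IN OUT: fails when the content was altered (digest
# failure) or the signer's certificate does not chain to TRUSTFILE
smime_verify() { openssl smime -verify -CAfile "$1" -in "$2" -out "$3"; }

# smime_signer_cert IN: the signer's certificate carried in the PKCS#7 blob,
# as PEM, via the smime -pk7out | pkcs7 pipe described above
smime_signer_cert() { openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs; }

# smime_encrypt RECIPIENT_CERT IN OUT: AES-256 rather than the weak default
smime_encrypt() { openssl smime -encrypt -aes256 -in "$2" -out "$3" "$1"; }

# smime_decrypt CERT KEY IN OUT: decrypt with the recipient's key
smime_decrypt() { openssl smime -decrypt -recip "$1" -inkey "$2" -in "$3" -out "$4"; }

# Demonstration: sign, verify, tamper, then encrypt and decrypt.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_identity "$work" me; make_identity "$work" her
    printf 'Subject: test\n\nhello world\n' > "$work/my-message.txt"
    smime_sign "$work/me.pem" "$work/me.key" "$work/my-message.txt" "$work/signed.msg"
    smime_verify "$work/me.pem" "$work/signed.msg" "$work/verified.txt" && echo "signature ok"
    sed 's/hello world/HELLO WORLD/' "$work/signed.msg" > "$work/tampered.msg"
    smime_verify "$work/me.pem" "$work/tampered.msg" /dev/null 2>/dev/null \
        || echo "tampered message rejected"
    smime_signer_cert "$work/signed.msg" | head -n 1
    smime_encrypt "$work/her.pem" "$work/my-message.txt" "$work/to-her.msg"
    smime_decrypt "$work/her.pem" "$work/her.key" "$work/to-her.msg" "$work/from-me.txt"
    grep -q 'hello world' "$work/from-me.txt" && echo "decrypted ok"
    rm -rf "$work"
fi
```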

How to Check the OpenSSL Version Number in Linux

OpenSSL comes pre-installed on popular Linux distributions, and the version in use can be found from the Linux command line.

There are different commands for checking the OpenSSL version number in Linux:

1: How to Check the OpenSSL Version Using openssl version Command in Linux

The following command allows you to check the version of the OpenSSL your device is using:

The output is easy to understand as it contains the version designation and the date of its release. The components of the output 3.0.2 have different meanings:

Major Version: The first number in the version information is the major version; in my case it is 3.

Minor Version: The second number, 0, is the minor version.

Letter release: The last number is for bug fixes, tracking the minor release.

2: How to Check the OpenSSL Version Using apt show openssl Command in Linux

If OpenSSL was installed in Linux through the APT package manager, you can check the version by asking the package manager with apt show openssl:

3: How to Check the OpenSSL Version Using openssl version -a Command in Linux

The following command, openssl version -a, provides all the information related to the OpenSSL installation; you can use it while troubleshooting and hunting bugs:

By executing the above command, you will get the following results:

  • Version of OpenSSL
  • Date when OpenSSL was built
  • Platform for building the OpenSSL
  • Cryptography options of the OpenSSL
  • Installation directory of the OpenSSL
  • Engine directory
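The three articles above all walk through the version string by hand, so here is an added example (not from any of them) that parses an openssl version line into its parts under both schemes, the legacy letter releases and the 3.x MAJOR.MINOR.PATCH, and compares it with a required minimum; openssl_dir reads OPENSSLDIR with the -d flag. The sample version lines are constructed.

```shell
#!/bin/sh
# Added example: parse "openssl version" output and compare it against a
# minimum. Understands the legacy scheme (1.0.2k, 1.1.1f: MAJOR.MINOR.FIX plus
# letter) and the 3.x scheme (3.0.2: MAJOR.MINOR.PATCH). Sample lines are constructed.

# parse_openssl_version LINE -> "major minor patch letter" ("-" when no letter)
# LINE is a full version line such as "OpenSSL 1.1.1f  31 Mar 2020".
# Lines from other toolkits (LibreSSL ...) are rejected rather than guessed at.
parse_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9A-Za-z.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unrecognised version line: $1" >&2
        return 1
    fi
    major=${ver%%.*}; rest=${ver#*.}                   # 1 / 1.1f
    minor=${rest%%.*}; rest=${rest#*.}                 # 1 / 1f
    patch=$(printf '%s' "$rest" | sed 's/[a-z]*$//')   # digits before the letter
    letter=$(printf '%s' "$rest" | sed 's/^[0-9]*//')  # the letter release, if any
    echo "$major $minor $patch ${letter:--}"
}

# letter_rank LETTER -> 0 for none, 1 for a, 2 for b, ...
letter_rank() {
    case "$1" in
        -|'') echo 0 ;;
        *) echo $(( $(printf '%d' "'$1") - 96 )) ;;
    esac
}

# version_rank "major minor patch letter" -> one integer that orders correctly
version_rank() {
    set -- $1
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $(letter_rank "$4") ))
}

# openssl_version_at_least LINE MINIMUM: succeed if LINE is MINIMUM or newer.
# MINIMUM is written the way the articles do: 1.1.1, 1.0.2k, 3.0.0 ...
openssl_version_at_least() {
    have=$(parse_openssl_version "$1") || return 2
    want=$(parse_openssl_version "OpenSSL $2") || return 2
    [ "$(version_rank "$have")" -ge "$(version_rank "$want")" ]
}

# openssl_dir: OPENSSLDIR of the installed binary (openssl.cnf and certs/ live there)
openssl_dir() {
    openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'
}

# Demonstration on constructed lines, then on the installed binary if present.
for line in 'OpenSSL 1.1.1f  31 Mar 2020' 'OpenSSL 3.0.2 15 Mar 2022' 'OpenSSL 1.0.2k-fips  26 Jan 2017'; do
    printf '%-36s -> %s\n' "$line" "$(parse_openssl_version "$line")"
done
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version)
    if openssl_version_at_least "$installed" 1.1.1; then
        echo "installed: $installed (1.1.1 or newer), OPENSSLDIR=$(openssl_dir)"
    else
        echo "installed: $installed (older than 1.1.1, or not OpenSSL)"
    fi
fi
```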

Bottom Line

You can check the version number of OpenSSL on your Linux system by executing simple commands. You must know how to interpret the output and how to use OpenSSL to improve the security of your server. The commands mentioned above can be used to check the version of OpenSSL on Debian-based Linux. If you are a Linux user, the easiest way to find the version of OpenSSL is the openssl version command.

About the author

Zainab Rehman

I’m an author by profession. My interest in the internet world motivates me to write for Linux Hint and I’m here to share my knowledge with others.
