Relationship profile
First, let's look at the relationship between them.
SSL (Secure Sockets Layer) is a network security protocol originally developed by Netscape.
TLS (Transport Layer Security) is a network security protocol developed from SSL and can be regarded as its successor. When the IETF standardized SSL, it was renamed TLS.
OpenSSL is an open source software library; its core library is written in C and implements the SSL and TLS protocols. It also provides other tools related to cryptography and certificates.
It can be simply understood as shown in the figure:
SSL (Secure Sockets Layer)
origin
SSL (Secure Sockets Layer) is a secure transmission protocol designed by Netscape, mainly for use on the Web, where it has been widely adopted. When the first version of the Netscape Navigator web browser was released in 1994, the HTTPS protocol was introduced alongside it, using SSL for encryption; this is the origin of SSL.
The basic algorithm was written by Taher Elgamal, the chief scientist of Netscape, so he is known as the "father of SSL".
version history
There are three versions of SSL, all of which are currently deprecated.
Protocol | Release date | Status |
---|---|---|
SSL 1.0 | unpublished | unpublished |
SSL 2.0 | 1995 | Deprecated in 2011 |
SSL 3.0 | 1996 | Deprecated in 2015 |
- Version 1.0 was never made public because of serious security holes.
- Version 2.0 was released in February 1995. In 2011, the RFC 6176 standard deprecated SSL 2.0.
- Released in 1996, version 3.0 was completely redesigned by Netscape engineers Paul Kocher, Phil Karlton, and Alan Freier. In 2015, the RFC 7568 standard deprecated SSL 3.0.
TLS (Transport Layer Security)
origin
The IETF standardized SSL as RFC 2246 and named it TLS (Transport Layer Security). The first version, TLS 1.0, was released in 1999. Technically, the differences between TLS 1.0 and SSL 3.0 are very small.
version history
Protocol | Release date | Status |
---|---|---|
TLS 1.0 | 1999 | Deprecated in 2021 |
TLS 1.1 | 2006 | Deprecated in 2021 |
TLS 1.2 | 2008 | |
TLS 1.3 | 2018 | |
TLS 1.0
The IETF standardized SSL as RFC 2246 and named it TLS (Transport Layer Security).
TLS 1.1
TLS 1.1 is defined in RFC 4346, published in April 2006, as an update to TLS 1.0. Differences in this release include:
- Added protection against CBC attacks:
  - The implicit IV is replaced with an explicit IV (IV: initialization vector).
  - Padding errors in block cipher modes are handled differently.
- Support for IANA-registered parameters.
The four major browser vendors, Microsoft, Google, Apple and Mozilla, stopped supporting TLS 1.0 and 1.1 in 2020. In March 2021, RFC 8996 deprecated TLS 1.0 and TLS 1.1.
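As an added illustration of enforcing this deprecation in application code (example code written for this page, not from the original article or from the OpenSSL project), the following Python snippet uses the standard library's ssl module, which is built on OpenSSL, to set a TLS 1.2 floor on a client context and to list which deprecated versions a context would still admit. The function names and the DEPRECATED_BY table are this example's own.

```python
"""TLS version floor for a client, reflecting the RFC 8996 deprecation.
Added example using Python's ssl module (built on OpenSSL); not code from the page."""
import ssl

# Deprecated protocol versions and the RFC that deprecated each one
# (SSL 2.0 has no TLSVersion member because modern OpenSSL cannot speak it).
DEPRECATED_BY = {
    ssl.TLSVersion.SSLv3: "RFC 7568",
    ssl.TLSVersion.TLSv1: "RFC 8996",
    ssl.TLSVersion.TLSv1_1: "RFC 8996",
}


def weak_client_context():
    """A context whose floor is whatever the OpenSSL build allows.
    If the library still has TLS 1.0/1.1 compiled in, a downgrade to them
    is accepted; this is the setting to avoid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """A context that refuses everything below TLS 1.2, as RFC 8996 requires,
    and keeps certificate and hostname verification on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # already the default for TLS_CLIENT
    ctx.verify_mode = ssl.CERT_REQUIRED  # likewise, stated here for clarity
    # A real client would also call ctx.load_default_certs() or
    # ctx.load_verify_locations(...) to install a trust store.
    return ctx


def floor_violations(ctx):
    """Return the deprecated versions that the context's floor still admits.
    TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (a negative sentinel)
    sorts below every real version and therefore admits all of them."""
    return [v for v in sorted(DEPRECATED_BY) if v >= ctx.minimum_version]


def report(ctx):
    """Human-readable summary, e.g. for a configuration audit."""
    bad = floor_violations(ctx)
    if not bad:
        return "OK: floor is %s" % ctx.minimum_version.name
    return "WEAK: admits " + ", ".join(
        "%s (deprecated by %s)" % (v.name, DEPRECATED_BY[v]) for v in bad)


if __name__ == "__main__":
    print(report(weak_client_context()))
    print(report(hardened_client_context()))
```

The check is deliberately based on the context's minimum_version rather than the older OP_NO_TLSv1-style option flags, which OpenSSL has deprecated; a floor of TLS 1.2 covers SSL 3.0, TLS 1.0 and TLS 1.1 in one setting.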
TLS 1.2
TLS 1.2 is defined in RFC 5246, published in August 2008, and is based on the earlier TLS 1.1 specification. Key differences include:
- Added the SHA-2 cryptographic hash functions.
- Added AEAD encryption modes, such as GCM.
- Added TLS extension definitions and AES cipher suites.

All TLS versions had their compatibility with SSL removed in RFC 6176, published in March 2011, so that a TLS session can never negotiate SSL 2.0; this avoids its known security problems.
TLS 1.3
TLS 1.3 is defined in RFC 8446, published in August 2018. Its main differences from TLS 1.2 include:
- Separates the key exchange algorithms (such as ECDHE) and authentication algorithms (such as RSA) from the cipher suite.
- Removes support for the MD5 and SHA-1 cryptographic hash functions.
- Requires digital signatures.
- Integrates use of HKDF and the semi-ephemeral DH proposal.
- Replaces session resumption with PSK and tickets.
- Supports a 1-RTT handshake and initial support for 0-RTT.
- Guarantees perfect forward secrecy by using ephemeral keys during key agreement.
- Drops support for many insecure or obsolete features, including compression, renegotiation, non-AEAD ciphers, static RSA and static DH key exchange, custom DHE groups, EC point format negotiation, the ChangeCipherSpec protocol, the UNIX time in the Hello message, and the length field AD input to AEAD ciphers.
- Faster and better performance than TLS 1.2.
- Removes support for the RC4 cipher.
- Integrates use of the session hash.
- Deprecates the record layer version number and freezes the number for improved backwards compatibility.
- Moves some security-related algorithm details from an appendix into the body of the specification, and relegates ClientKeyShare to an appendix.
- Supports the Ed25519 and Ed448 digital signature algorithms.
- Supports X25519 key exchange.
- Supports the ChaCha20 stream cipher with the Poly1305 message authentication code.
- Supports Encrypted Server Name Indication (ESNI).
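The version fields discussed above can be seen on the wire: a TLS 1.3 ClientHello keeps the record-layer version and its legacy_version field at the TLS 1.2 value (0x0303, or 0x0301 in the record header of a first flight) and lists the versions it really offers in the supported_versions extension (type 0x002b). The following Python parser is an added example, not code from the article or from any project it mentions; the builder, the parser, and the constructed ClientHello bytes are all this example's own. It reads those fields and flags any offered version deprecated by RFC 7568 or RFC 8996, the check a defender inspecting captured handshakes would want to run.

```python
"""Parse a TLS ClientHello record and report which protocol versions it
actually offers. Constructed example; the ClientHello bytes are built here."""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Deprecated by RFC 7568 (SSL 3.0) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED = {0x0300, 0x0301, 0x0302}

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(cipher_suites, supported_versions, legacy_version=0x0303):
    """Assemble a minimal ClientHello record in the RFC 8446 layout.
    The 32-byte random is all zeros because this is constructed test input."""
    body = struct.pack("!H", legacy_version)
    body += b"\x00" * 32                       # random
    body += b"\x00"                            # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # legacy_compression_methods: null only
    versions = b"".join(struct.pack("!H", v) for v in supported_versions)
    ext_data = struct.pack("!B", len(versions)) + versions
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(ext)) + ext
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # Record header: 0x0301 is what TLS 1.3 clients send in the first record
    # for middlebox compatibility; later records use the frozen 0x0303.
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the versions and cipher suites a ClientHello offers.
    Raises ValueError on malformed or truncated input."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if len(hs) != length or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("truncated handshake or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello body")
    try:
        pos = 0
        legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        pos += 32                                  # skip random
        pos += 1 + body[pos]                       # skip legacy_session_id
        suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0]
                  for i in range(pos, pos + suites_len, 2)]
        pos += suites_len
        pos += 1 + body[pos]                       # skip compression methods
        supported = []
        if pos + 2 <= len(body):                   # extensions are optional pre-1.3
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
            end = pos + ext_len
            if end > len(body):
                raise ValueError("truncated extensions")
            while pos + 4 <= end:
                ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
                data = body[pos:pos + ext_size]; pos += ext_size
                if ext_type == EXT_SUPPORTED_VERSIONS:
                    supported = [struct.unpack("!H", data[i:i + 2])[0]
                                 for i in range(1, 1 + data[0], 2)]
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    # TLS 1.3 clients keep legacy_version at 0x0303 and put the real list in
    # supported_versions; without that extension, legacy_version is the maximum.
    offered = supported if supported else [legacy_version]
    return {"record_version": record_version, "legacy_version": legacy_version,
            "cipher_suites": suites, "supported_versions": supported,
            "highest_offered": max(offered),
            "deprecated_offered": sorted(v for v in offered if v in DEPRECATED)}


if __name__ == "__main__":
    hello = build_client_hello([0x1301, 0x1302, 0xC02F], [0x0304, 0x0303, 0x0301])
    info = parse_client_hello(hello)
    print("highest offered:", VERSION_NAMES[info["highest_offered"]])
    print("deprecated offered:", [VERSION_NAMES[v] for v in info["deprecated_offered"]])
```

The same parser handles a pre-1.3 ClientHello with no supported_versions extension: there legacy_version is the highest version offered, which is why a client announcing 0x0301 without the extension is reported as offering only the deprecated TLS 1.0.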
openssl
origin
The OpenSSL project started in 1998 with the goal of providing a free set of cryptographic tools for use on the Internet. OpenSSL is based on SSLeay, developed by Eric Young and Tim Hudson. When the two went to work at RSA, SSLeay development stopped in December 1998, and in that same month the community forked it as OpenSSL to continue development.
overview
The OpenSSL toolkit includes:
- libssl: an implementation of all TLS protocol versions up to TLSv1.3 (RFC 8446).
- libcrypto: a full-strength general-purpose cryptography library. It forms the basis of the TLS implementation and can also be used independently.
- openssl: the OpenSSL command line tool, a Swiss Army knife for cryptographic tasks, testing and analysis. It can be used for:
  - creating key parameters
  - creating X.509 certificates, CSRs and CRLs
  - calculating message digests
  - encryption and decryption
  - SSL/TLS client and server testing
  - handling S/MIME signed or encrypted mail
  - and more...
version history
Version | Initial release date | Remark | Latest update |
---|---|---|---|
0.9.1 | December 23, 1998 | | 0.9.1c (December 23, 1998) |
0.9.2 | March 22, 1999 | | 0.9.2b (April 6, 1999) |
0.9.3 | May 25, 1999 | | 0.9.3a (May 27, 1999) |
0.9.4 | August 9, 1999 | | 0.9.4 (April 9, 1999) |
0.9.5 | February 28, 2000 | | 0.9.5a (April 1, 2000) |
0.9.6 | September 24, 2000 | | 0.9.6m (March 17, 2004) |
0.9.7 | December 31, 2002 | | 0.9.7m (February 23, 2007) |
0.9.8 | July 5, 2005 | | 0.9.8zh (December 3, 2015) |
1.0.0 | March 29, 2010 | | 1.0.0t (December 3, 2015) |
1.0.1 | March 14, 2012 | | 1.0.1u (September 22, 2016) |
1.0.2 | January 22, 2015 | | 1.0.2u (December 20, 2019) |
1.1.0 | August 25, 2016 | | 1.1.0l (September 10, 2019) |
1.1.1 | September 11, 2018 | | 1.1.1p (June 21, 2022) |
3.0.0 | September 7, 2021 | | 3.0.4 (June 21, 2022) |
Note 1:
The latest release on the OpenSSL 1.1 branch is 1.1.1t, released on February 7, 2023; it is a long-term support (LTS) release.
The latest release on the OpenSSL 3.0 branch is 3.1.0, released on March 14, 2023; it is a stable release.
Note 2:
The OpenSSL project announced in 2018 that it would change its version numbering, jumping directly from v1.x to v3.x and skipping 2.x, because the OpenSSL FIPS module had already used 2.x version numbers. As the first major version bump, OpenSSL 3.0.0 is not fully backward compatible with older releases, but the vast majority of applications that use OpenSSL 1.1.1 still work; they only need to be recompiled.