Qualys Blog

www.qualys.com
Ivan Ristic

OpenSSL Cookbook v1.1 Released

OpenSSL Cookbook is a free ebook based around one chapter of my in-progress book Bulletproof SSL/TLS and PKI. The appendix contains the SSL/TLS Deployment Best Practices document (re-published with permission from Qualys). In total, there are about 50 pages of text covering the OpenSSL essentials, starting with installation, then key and certificate management, and finally cipher suite configuration.

The first version of OpenSSL Cookbook was published in May, but now, five months after that release, I’ve released version 1.1. The changes in this version are as follows:

  • Updated SSL/TLS Deployment Best Practices to v1.3. This version brings several significant changes: 1) RC4 is deprecated, 2) the BEAST attack is considered mitigated server-side, 3) Forward Secrecy has been promoted to its own category. There are many other smaller improvements throughout.
  • Reworked the cipher suite configuration example to add Forward Secrecy as a requirement, making the example more useful in practice.
  • Increased coverage of different key types with a discussion of ECDSA keys. Explained when each type is appropriate.
  • Added new text to explain how to generate DSA and ECDSA keys.
  • Explained the challenge password when generating Certificate Signing Requests.
  • Marked cipher suite configuration keywords that were introduced only in the OpenSSL 1.x branch. This makes it easier to use the text for reference purposes if you’re still running the older OpenSSL 0.9.x version.

You can get your copy from here.

2 responses to “OpenSSL Cookbook v1.1 Released”

  1. Hi,

    the openssl cookbook is a smart collection of information about openssl.

    In the chapter "Building OpenSSL" there is a "recommendation" to download and compile OpenSSL to get the newest version. With Heartbleed in mind: is there a recommendation for compiling OpenSSL with special options (-DOPENSSL_NO_HEARTBEATS, and ???) to get a "more secure" version of OpenSSL?

    Do the authors plan to change this chapter?

    Would anyone suggest "best practice" options to compile a secure version of OpenSSL?

    Appendix A (Best Practices) sounds interesting, and there are a lot of general statements about what to do and what not (… "Use Only Secure Protocols" …).

    It would be of great help to all if there were more detailed statements, e.g. how to configure Apache or IIS (to get a grade A with the SSL Labs testing suite).

    And of course 49 pages are too little space for a "complete" collection.

    So keep on writing!

    Roland
