OpenSSL

Hello, anyone used OpenSSL before?

Why do we need to pay for expensive SSL certs when there is OpenSSL
which is provided free? Is there a difference?

I've got an ecommerce website, and wondering if OpenSSL is enough?

Your thoughts will be appreciated.

OpenSSL is a library for performing various encryption tasks, so
(other than the fact that it can manipulate them) it hasn't got much
to do with SSL certs. The problem with a self-signed cert (which
OpenSSL can generate for you) or something like a CAcert is that most
users won't have the root certificate on their machine, so they will see an
'untrusted certificate' warning when they visit your site (and of
course this also means that you're open to a man-in-the-middle type
attack).

Fred
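To see the point Fred makes, here is an added shell example (not part of the thread) that generates a self-signed certificate with OpenSSL and then checks it the way a browser would: against the system trust store, where it fails, and against its own certificate as an imported root, where it passes. The host name and file names are made up for the demo.

```shell
#!/bin/sh
# Added example: why a self-signed cert triggers the 'untrusted' warning.
# Everything happens in a scratch directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical shop host name, used only as the certificate subject.
HOST="shop.example.test"

# Create a private key and a self-signed certificate in one step (365 days).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/site.key" -out "$WORK/site.crt" \
    -days 365 -subj "/CN=$HOST" >/dev/null 2>&1
}

# Verify against the default (system) trust store, as a visitor's browser does.
# A self-signed cert is not there, so this reports "untrusted".
verify_with_system_store() {
  if openssl verify "$WORK/site.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Verify with the self-signed cert explicitly supplied as a trusted root:
# this is what a user who has manually imported your root would see.
verify_with_own_root() {
  if openssl verify -CAfile "$WORK/site.crt" "$WORK/site.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_self_signed
echo "system trust store: $(verify_with_system_store)"   # untrusted
echo "own root imported:  $(verify_with_own_root)"       # trusted
```

The first result is the warning every customer sees; a certificate from a CA whose root is already in the browser's store is what makes the second result the default.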

My domain registrar has Geotrust RapidSSL for $10 / year. Is this good
enough SSL? Any other recommendations?

The two ends of the spectrum:

  • Verisign (http://www.verisign.com/): probably regarded as one of the most trusted SSL providers, but it certainly reflects in their pricing

  • StartSSL (http://www.startssl.com/): even provides a free certificate (trusted by browsers afaik), it’s more limited of course, but hey, that’s what free will give you

RapidSSL leans more towards StartSSL than Verisign. Also don’t forget you need a dedicated IP in order for your certificate to work properly!

OpenSSL is a library; what you pay for is a certificate from a known certificate authority, that is, a certificate created by someone like Verisign, because all browsers know them and will not alert the user that the site is unknown/untrusted. So if you create your own certificate with OpenSSL and you have an ecommerce site, it will be a problem, since all the browsers will alert users that your site has an untrusted certificate and most users will not continue to your site; that is why you have to buy a certificate from a known CA. Verisign is expensive, but there are cheaper known CAs.