module OpenSSL


The OpenSSL module allows for access to Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption, as well as classes for encrypting data, decrypting data, and computing hashes. It uses the SSL library provided by the operating system, which may be either OpenSSL or LibreSSL.

WARNING This module should not be used without first reading the Security considerations.

To create secure sockets, use either OpenSSL::SSL::Socket::Client for client applications, or OpenSSL::SSL::Socket::Server for servers. These classes use a default context, but you can provide your own by supplying an OpenSSL::SSL::Context. For more control, consider subclassing OpenSSL::SSL::Socket.

Hashing algorithms are provided by classes such as Digest::SHA256 and Digest::MD5. If you need a different option, you can initialize one using the name of the digest with OpenSSL::Digest. A Hash-based Message Authentication Code (HMAC) can be computed using HMAC and specifying a digest Algorithm.

The OpenSSL::Cipher class can be used for encrypting and decrypting data.

NOTE To use OpenSSL, you must explicitly import it using the require "openssl" statement.

Security Considerations

Crystal aims to provide reasonable configuration defaults in accordance with Mozilla's recommendations. However, these defaults may not be suitable for your application. It is recommended that you refer to the Open Worldwide Application Security Project (OWASP) cheat sheet on implementing transport layer protection to ensure the appropriate configuration for your use.

If you come across any shortcomings or spots for improvement in Crystal's configuration options, please don't hesitate to let us know by opening an issue.

Usage Example

Server side

An SSL server is created with a TCPServer and a SSL::Context. You can then use the SSL server like an ordinary TCP server.

NOTE For the below example to work, a certificate and private key should be attained.

require "openssl"
require "socket"

PORT = ENV["PORT"] ||= "5555"

# Bind new TCPServer to PORT
socket =

context =
context.private_key = "/path/to/private.key"
context.certificate_chain = "/path/to/public.cert"

puts "Server is up. Listening on port #{PORT}."

socket.accept do |client|
  puts "Got client"

  bytes =, context) do |ssl_socket|

  puts "Client said: #{}"

puts "Server has stopped."

Client side

An SSL client is created with a TCPSocket and a SSL::Context. Unlike a SSL server, a client does not require a certificate or private key.

NOTE By default, closing an SSL::Socket does not close the underlying socket. You need to set SSL::Socket#sync_close= to true if you want this behaviour.

require "openssl"
require "socket"

PORT = ENV["PORT"] ||= "5555"

# Bind TCPSocket to PORT and open a connection"", PORT) do |socket|
  context =, context) do |ssl_socket|
    ssl_socket << "Hello from client!"

Defined in: