libcurl, seven SSL libraries and one SSH library

  1. libcurl, seven SSL libraries and one SSH library, February 5th 2011
  2. Daniel Stenberg ● Free Software ● Network hacker ● Embedded developer ● Consultant ● Email: ● Twitter: @bagder ● Web: ● Blog:
  3. Agenda ● libcurl ● SSL/TLS libraries ● Why so many? ● Differences ● How? ● SSH libraries ● Why so few?
  4. Questions? ● questions? ● remarks? ● interrupt!
  5. general libcurl ● cURL since 1998 ● libcurl since 2000 ● today: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP ● almost 40 bindings ● widely used ● MIT licensed
  6. libcurl and SSL ● HTTPS support added 1998 (later ftp-ssl, smtps, imaps, pop3s) ● SSLeay ... turned into OpenSSL ● GnuTLS added in 2005 ● YaSSL "support" 2006 ● NSS 2007 ● qssl 2007 ● PolarSSL 2010 ● axTLS 2010
  7. Why so many? ● Software wants to use SSL ● Different set of requirements and demands ● Licensing ● What users/devs implement support for!
  8. Let's compare ● 7 libraries ● what makes people select or reject each one? ● Caveats: I'm focused on client-side, I'm but a user of them
  9. OpenSSL ● Pro: established and proven; documentation; many features ● Con: license; quirky API; leaves CN and SAN verification to apps; big
  10. GnuTLS ● Pro: license; documentation; many features (TLS 1.2, SRP, etc); easy API ● Con: license; less used; big
  11. NSS ● Pro: FIPS-140 licensed; many features too ● Con: DB vs file approach; Firefox-focused; documentation; big
  12. qSSL ● Pro: runs on OS/400 ● Con: runs only on OS/400
  13. yaSSL ● Pro: license; has an OpenSSL API; size? ● Con: not fully emulating OpenSSL; documentation; less support and community
  14. PolarSSL ● Pro: license; documentation; size? ● Con: not widely tested; less support and community
  15. axTLS ● Pro: very small; license ● Con: TLS only; not widely tested; less support and community
  16. Or by feature ● GPL ● SRP ● TLS 1.2 ● SSLv2 ● FIPS-140 ● Embedded focus ● Runs on Windows
  17. How support them? ● started out as #ifdef maze ● turned into an internal API each lib needs to provide
  18. an internal API ● curlssl_init() ● curlssl_cleanup() ● curlssl_connect() ● curlssl_connect_nonblocking() ● curlssl_session_free() ● curlssl_close_all() ● curlssl_close() ● curlssl_shutdown() ● curlssl_set_engine() ● curlssl_set_engine_default() ● curlssl_engines_list() ● curlssl_version(x,y) ● curlssl_data_pending(x,y)
  19. curlssl ● curlssl_init() ● curlssl_cleanup() ● curlssl_connect() and curlssl_connect_nonblocking(): set the recv() and send() functions after a successful handshake ● curlssl_session_free() ● curlssl_close_all() ● curlssl_close() ● curlssl_shutdown() ● curlssl_set_engine() ● curlssl_set_engine_default() ● curlssl_engines_list() ● curlssl_version(x,y) ● curlssl_data_pending(x,y)
  20. Maintain functionality ● hard ● test cases ● volunteer-based, non-stop distributed testing
  21. SSH libraries ● only 2 (libssh and libssh2) ● SSH is a much less popular  commodity protocol
  22. picked libssh2 ● hand over socket to library ● non­blocking operations ● license
  23. Summary ● Lots of SSL libs ● Very few SSH libs ● Supporting them all is lots of work
  24. SSL comparison online ● A start:
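Slide 9 lists "leaves CN and SAN verification to apps" as an OpenSSL con: the library checks the chain but, at the time, not that the certificate's names match the host the application connected to, so every client had to write that matching itself. The following is an added example, not code from the talk or from libcurl, of what such a check has to get right (case-insensitivity, wildcard rules from RFC 6125, dNSName SAN entries before the legacy CN); the function names and the sample names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison; DNS names are case-insensitive. */
static bool name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Does one dNSName/CN pattern from the certificate match the host the
 * application connected to? Rules follow RFC 6125 / RFC 2818:
 *  - comparison is case-insensitive
 *  - '*' is honoured only as the entire leftmost label ("*.example.com"),
 *    never inside a label and never as "*.com" or a bare "*"
 *  - the wildcard matches exactly one label, so "*.example.com" matches
 *    "www.example.com" but not "a.b.example.com" or "example.com"
 * The caller must first check that the name's DER length equals strlen(),
 * since an embedded NUL would silently truncate the pattern here. */
bool cert_name_matches(const char *pattern, const char *host) {
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 2;               /* "example.com" */
        const char *hdot = strchr(host, '.');
        if (strchr(suffix, '.') == NULL) return false;  /* reject "*.com" */
        if (hdot == NULL || hdot == host) return false; /* "" or ".x" host */
        return strchr(suffix, '*') == NULL && name_eq(suffix, hdot + 1);
    }
    if (strchr(pattern, '*') != NULL) return false;     /* partial wildcard */
    return name_eq(pattern, host);
}

/* Verify the host against the certificate's names. dNSName SAN entries
 * take precedence; the CN is consulted only when no dNSName is present,
 * because CN is a legacy fallback that clients should otherwise ignore. */
bool verify_peer_host(const char *const *sans, size_t nsans,
                      const char *cn, const char *host) {
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (cert_name_matches(sans[i], host)) return true;
        return false;
    }
    return cn != NULL && cert_name_matches(cn, host);
}
```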