libcurl, seven SSL libraries and one SSH library

libcurl, seven SSL libraries and one SSH library. From my 30 minute talk at Fosdem 2011

  1. libcurl, seven SSL libraries and one SSH library. February 5th 2011
  2. Daniel Stenberg
     ● Free Software
     ● Network hacker
     ● Embedded developer
     ● Consultant
     Email: daniel@haxx.se
     Twitter: @bagder
     Web: daniel.haxx.se
     Blog: daniel.haxx.se/blog
  3. Agenda
     ● libcurl
     ● SSL/TLS libraries
     ● Why so many?
     ● Differences
     ● How?
     ● SSH libraries
     ● Why so few?
  4. Questions?
     ● questions?
     ● remarks?
     ● interrupt!
  5. general libcurl
     ● cURL since 1998
     ● libcurl since 2000
     ● today: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP
     ● almost 40 bindings
     ● widely used
     ● MIT licensed
  6. libcurl and SSL
     ● HTTPS support added 1998 (later ftp-ssl, smtps, imaps, pop3s)
     ● SSLeay …turned into OpenSSL
     ● GnuTLS added in 2005
     ● YaSSL “support” 2006
     ● NSS 2007
     ● qssl 2007
     ● PolarSSL 2010
     ● axTLS 2010
  7. Why so many?
     ● Software wants to use SSL
     ● Different set of requirements and demands
     ● Licensing
     ● What users/devs implement support for!
  8. Let's compare
     ● 7 libraries
     ● what makes people select or reject each one?
     ● Caveats: I'm focused on client-side, I'm but a user of them
  9. OpenSSL
     Pro: Established and proven; Many features
     Con: License; Documentation; Quirky API; leaves CN and SAN verification to apps; Big
  10. GnuTLS
     Pro: License; Documentation; Many features (TLS1.2, SRP, etc); Easy API
     Con: License; Less used; Big
  11. NSS
     Pro: FIPS-140 licensed; Many features
     Con: DB vs file approach; too Firefox-focused; Documentation; Big
  12. qSSL
     Pro: Runs on OS/400
     Con: Runs only on OS/400
  13. yaSSL
     Pro: License; Has an OpenSSL API; Size?
     Con: Not fully emulating OpenSSL; Documentation; Less support and community
  14. PolarSSL
     Pro: License; Size?
     Con: Documentation; Not widely tested; Less support and community
  15. axTLS
     Pro: Very small; License
     Con: TLS only; Not widely tested; Less support and community
  16. Or by feature
     ● GPL
     ● SRP
     ● TLS 1.2
     ● SSLv2
     ● FIPS-140
     ● Embedded focus
     ● Runs on Windows
  17. How to support them?
     ● started out as an #ifdef maze
     ● turned into an internal API each lib needs to provide
  18. an internal API
     curlssl_init()
     curlssl_cleanup()
     curlssl_connect()
     curlssl_connect_nonblocking()
     curlssl_session_free()
     curlssl_close_all()
     curlssl_close()
     curlssl_shutdown()
     curlssl_set_engine()
     curlssl_set_engine_default()
     curlssl_engines_list()
     curlssl_version(x,y)
     curlssl_data_pending(x,y)
  19. curlssl
     curlssl_init(), curlssl_cleanup(), curlssl_connect(), curlssl_connect_nonblocking(), curlssl_session_free(), curlssl_close_all(), curlssl_close(), curlssl_shutdown(), curlssl_set_engine(), curlssl_set_engine_default(), curlssl_engines_list(), curlssl_version(x,y), curlssl_data_pending(x,y)
     Annotation on the slide: sets the recv() and send() functions after successful handshake
  20. Maintain functionality
     ● hard
     ● test cases
     ● volunteer-based, non-stop distributed testing
  21. SSH libraries
     ● only 2 (libssh and libssh2)
     ● SSH is a much less popular commodity protocol
  22. picked libssh2
     ● hand over socket to library
     ● non-blocking operations
     ● license
  23. Summary
     ● Lots of SSL libs
     ● Very few SSH libs
     ● Supporting them all is lots of work
  24. SSL comparison online
     A start: http://curl.haxx.se/docs/ssl-compared.html
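
The design on slides 17 to 19, one interface that each TLS library has to provide, with the send and recv functions installed only after a successful handshake, sketched here as an added example that is not libcurl's code. It assumes the slide 19 annotation refers to the connect step; every name is hypothetical, and the XOR "record layer" and the in-memory `wire` buffer are constructed stand-ins for a real TLS library and a socket.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; not libcurl source. */
struct conn;
typedef long (*send_fn)(struct conn *, const void *, size_t);
typedef long (*recv_fn)(struct conn *, void *, size_t);
struct conn {
  send_fn send;            /* generic code only ever calls these two */
  recv_fn recv;
  unsigned char wire[32];  /* constructed stand-in for the socket */
  size_t wire_len;
};
struct ssl_backend {       /* what each TLS library has to provide */
  int (*connect)(struct conn *, int handshake_ok);
  void (*close)(struct conn *);
};
/* Default I/O: refuse, so nothing is sent in clear before a handshake. */
static long deny_send(struct conn *c, const void *b, size_t n) {
  (void)c; (void)b; (void)n; return -1;
}
static long deny_recv(struct conn *c, void *b, size_t n) {
  (void)c; (void)b; (void)n; return -1;
}
void conn_init(struct conn *c) {
  memset(c, 0, sizeof(*c)); c->send = deny_send; c->recv = deny_recv;
}
/* Toy backend: XOR stands in for the record layer. It is NOT encryption. */
static long toy_send(struct conn *c, const void *b, size_t n) {
  const unsigned char *p = b;
  if(n > sizeof(c->wire)) n = sizeof(c->wire);
  for(size_t i = 0; i < n; i++) c->wire[i] = p[i] ^ 0x5a;
  c->wire_len = n;
  return (long)n;
}
static long toy_recv(struct conn *c, void *b, size_t n) {
  unsigned char *p = b;
  if(n > c->wire_len) n = c->wire_len;
  for(size_t i = 0; i < n; i++) p[i] = c->wire[i] ^ 0x5a;
  return (long)n;
}
static int toy_connect(struct conn *c, int handshake_ok) {
  if(!handshake_ok) return -1;  /* failed handshake: pointers untouched */
  c->send = toy_send;           /* installed only after success */
  c->recv = toy_recv;
  return 0;
}
static void toy_close(struct conn *c) { conn_init(c); }
const struct ssl_backend toy_backend = { toy_connect, toy_close };
```

Because the protocol code only ever goes through `c->send` and `c->recv`, a failed or skipped handshake leaves the refusing defaults in place rather than a plaintext path.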
