Advertisement
Check these out next
libcurl, seven SSL libraries and one SSH library
Feb. 5, 2011•0 likes•3,795 views
4 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
libcurl, seven SSL libraries and one SSH library. From my 30 minute talk at Fosdem 2011
Daniel StenbergFollow
Segfault manufacturer at wolfSSLAdvertisement
Advertisement
Advertisement
Recommended
about Debian "squeeze" @201002 OSC TokyospringHideki Yamane
Does Cowgirl Dream of Red Swirl?Hideki Yamane
ITB2016 - ForgeBox 2 Package ManagementOrtus Solutions, Corp
find & improve some bottleneck in Debian project (DebConf14 LT)Hideki Yamane
Rsyslog version naming (v8.6.0+)Rainer Gerhards
LXC, Docker, and the future of software delivery | LinuxCon 2013dotCloud
libcurl, seven SSL libraries and one SSH library
- libcurl, seven SSL libraries and one SSH library February 5th 2011
- Daniel Stenberg ● Free Software ● Network hacker ● Embedded developer ● Consultant Email: daniel@haxx.se Twitter: @bagder Web: daniel.haxx.se Blog: daniel.haxx.se/blog
- Agenda ● libcurl ● SSL/TLS libraries ● Why so many? ● Differences ● How? ● SSH libraries ● Why so few?
- Questions? ● questions? ● remarks? ● interrupt!
- general libcurl ● cURL since 1998 ● libcurl since 2000 ● today: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP ● almost 40 bindings ● widely used ● MIT licensed
- libcurl and SSL ● HTTPS support added 1998 (later ftpssl, smtps, imaps, pop3s) ● SSLeay …turned into OpenSSL ● GnuTLS added in 2005 ● YaSSL “support” 2006 ● NSS 2007 ● qssl 2007 ● PolarSSL 2010 ● axTLS 2010
- Why so many? ● Software wants to use SSL ● Different set of requirements and demands ● Licensing ● What users/devs implement support for!
- Let's compare ● 7 libraries ● what makes people select or reject each one? ● Caveats: I'm focused on client side, I'm but a user of them
- OpenSSL Pro Con Established and License proven Documentation Many features Quirky API leaves CN and SAN verification to apps Big
- GnuTLS Pro Con License License Documentation Less used Many features Big (TLS1.2, SRP, etc) Easy API
- NSS Pro Con FIPS140 licensed DB vs file approach Many features too Firefoxfocused Documentation Big
- qSSL Pro Con Runs on OS/400 Runs only on OS/400
- yaSSL Pro Con License Not fully emulating OpenSSL Has an OpenSSL API Documentation Size? Less support and community
- PolarSSL Pro Con License Documentation Size? Not widely tested Less support and community
- axTLS Pro Con Very small TLS only License Not widely tested Less support and community
- Or by feature ● GPL ● SRP ● TLS 1.2 ● SSLv2 ● FIPS140 ● Embedded focus ● Runs on Windows
- How support them? ● started out as #ifdef maze ● turned into an internal API each lib needs to provide
- an internal API curlssl_init() curlssl_cleanup() curlssl_connect() curlssl_connect_nonblocking() curlssl_session_free() curlssl_close_all() curlssl_close() curlssl_shutdown() curlssl_set_engine() curlssl_set_engine_default() curlssl_engines_list() curlssl_version(x,y) curlssl_data_pending(x,y)
- curlssl curlssl_init() curlssl_cleanup() curlssl_connect() curlssl_connect_nonblocking() sets the recv() and send() curlssl_session_free() functions after successful curlssl_close_all() handshake curlssl_close() curlssl_shutdown() curlssl_set_engine() curlssl_set_engine_default() curlssl_engines_list() curlssl_version(x,y) curlssl_data_pending(x,y)
- Maintain functionality ● hard ● test cases ● volunteerbased, nonstop distributed testing
- SSH libraries ● only 2 (libssh and libssh2) ● SSH is a much less popular commodity protocol
- picked libssh2 ● hand over socket to library ● nonblocking operations ● license
- Summary ● Lots of SSL libs ● Very few SSH libs ● Support them all is lots of work
- SSL comparison online A start: http://curl.haxx.se/docs/ssl-compared.html
Advertisement