libcurl, seven SSL libraries and one 

SSH libraryFebruary 5th 2011

Daniel Stenberg

Email: daniel@haxx.seTwitter: @bagderWeb: daniel.haxx.seBlog: daniel.haxx.se/blog

● Free Software● Network hacker● Embedded developer● Consultant

Agenda

● libcurl● SSL/TLS libraries● Why so many?● Differences● How?● SSH libraries● Why so few?

Questions?

● questions?● remarks?● interrupt!

general libcurl

● cURL since 1998● libcurl since 2000● today: DICT, FILE, FTP, FTPS, GOPHER, HTTP, 

HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP

● almost 40 bindings● widely used● MIT licensed

libcurl and SSL

● HTTPS support added 1998 (later ftp­ssl, smtps, imaps, pop3s)

● SSLeay …turned into OpenSSL● GnuTLS added in 2005● YaSSL “support” 2006● NSS 2007● qssl 2007● PolarSSL 2010● axTLS 2010

Why so many?

● Software wants to use SSL● Different set of requirements and 

demands● Licensing● What users/devs implement 

support for!

Let's compare

● 7 libraries● what makes people select or 

reject each one?● Caveats: I'm focused on client­

side, I'm but a user of them

OpenSSL

Established and proven

Many features

License

Documentation

Quirky API

leaves CN and SAN verification to apps

Big

Pro Con

GnuTLS

License

Documentation

Many features (TLS1.2, SRP, etc)

Easy API

License

Less used

Big

Pro Con

NSS

FIPS­140 licensed

Many features

DB vs file approach

too Firefox­focused

Documentation

Big

Pro Con

qSSL

Runs on OS/400  Runs only on OS/400

Pro Con

yaSSL

License

Has an OpenSSL API

Size?

Not fully emulating OpenSSL

Documentation

Less support and community

Pro Con

PolarSSL

License

Size?

Documentation

Not widely tested

Less support and community

Pro Con

axTLS

Very small

License

TLS only

Not widely tested

Less support and community

Pro Con

Or by feature

● GPL● SRP● TLS 1.2● SSLv2● FIPS­140● Embedded focus● Runs on Windows

How support them?

● started out as #ifdef maze● turned into an internal API each 

lib needs to provide

an internal APIcurlssl_init()curlssl_cleanup()curlssl_connect()curlssl_connect_nonblocking()curlssl_session_free()curlssl_close_all()curlssl_close()curlssl_shutdown()curlssl_set_engine()curlssl_set_engine_default()curlssl_engines_list()curlssl_version(x,y)curlssl_data_pending(x,y)

curlsslcurlssl_init()curlssl_cleanup()curlssl_connect()curlssl_connect_nonblocking()curlssl_session_free()curlssl_close_all()curlssl_close()curlssl_shutdown()curlssl_set_engine()curlssl_set_engine_default()curlssl_engines_list()curlssl_version(x,y)curlssl_data_pending(x,y)

sets the recv() and send() functions after successful handshake

Maintain functionality

● hard● test cases● volunteer­based, non­stop 

distributed testing

SSH libraries

● only 2 (libssh and libssh2)● SSH is a much less popular 

commodity protocol

picked libssh2

● hand over socket to library● non­blocking operations● license

Summary

● Lots of SSL libs● Very few SSH libs● Support them all is lots of work

SSL comparison online

A start:

http://curl.haxx.se/docs/ssl-compared.html