libcurl, seven SSL libraries and one SSH library
DESCRIPTION
libcurl, seven SSL libraries and one SSH library. From my 30 minute talk at FOSDEM 2011.
TRANSCRIPT
libcurl, seven SSL libraries and one SSH library
February 5th 2011
Daniel Stenberg
Email: [email protected]
Twitter: @bagder
Web: daniel.haxx.se
Blog: daniel.haxx.se/blog
● Free Software
● Network hacker
● Embedded developer
● Consultant
Agenda
● libcurl
● SSL/TLS libraries
● Why so many?
● Differences
● How?
● SSH libraries
● Why so few?
Questions?
● questions?
● remarks?
● interrupt!
general libcurl
● cURL since 1998
● libcurl since 2000
● today: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP
● almost 40 bindings
● widely used
● MIT licensed
libcurl and SSL
● HTTPS support added 1998 (later FTP-SSL, SMTPS, IMAPS, POP3S)
● SSLeay … turned into OpenSSL
● GnuTLS added in 2005
● yaSSL “support” 2006
● NSS 2007
● qssl 2007
● PolarSSL 2010
● axTLS 2010
Why so many?
● Software wants to use SSL
● Different sets of requirements and demands
● Licensing
● What users/devs implement support for!
Let's compare
● 7 libraries
● what makes people select or reject each one?
● Caveats: I'm focused on the client side, and I'm but a user of them
OpenSSL
Pro:
● Established and proven
● Many features
● License
Con:
● Documentation
● Quirky API
● Leaves CN and SAN verification to apps
● Big
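The "leaves CN and SAN verification to apps" point is the security-relevant one: a backend that only validates the certificate chain still accepts a perfectly valid certificate issued for some other host, so the application has to match the name itself, and that is exactly what libcurl does on top of such a backend. The following is an added example, not code from curl or from the talk, and it shows the matching rules an application needs: prefer the DNS entries in subjectAltName, fall back to the subject commonName only when the certificate carries no DNS SAN at all, match an IP literal only against an iPAddress SAN, allow a wildcard only as the whole left-most label, and never let a wildcard span a dot. It assumes the certificate comes in the dict shape that Python's ssl.getpeercert() returns; the two sample certificates are constructed here for the demonstration.

```python
"""Application-side hostname verification for a TLS peer certificate.

Added example (not libcurl code). Input is the dict shape returned by
Python's ssl.getpeercert(); the sample certificates below are constructed.
"""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern against a hostname, RFC 6125 style."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, no other label may
    # contain one, and at least two literal labels must follow so that
    # "*.com" cannot match every .com host.
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False
    # Same number of labels: "*.cdn.example.com" must not match
    # "a.b.cdn.example.com", i.e. the wildcard never crosses a dot.
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def _same_ip(san_value: str, ip: ipaddress._BaseAddress) -> bool:
    try:
        return ipaddress.ip_address(san_value) == ip
    except ValueError:
        return False


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Return True only if the certificate is valid for this hostname."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an iPAddress SAN; DNS names and CN
        # are never consulted for it.
        return any(kind == "IP Address" and _same_ip(value, ip)
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # When DNS SANs are present the CN is ignored entirely.
        return any(_dns_match(name, hostname) for name in dns_names)
    # Legacy fallback: no DNS SAN at all, so use the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


# Constructed sample certificates (assumption: getpeercert() dict shape).
CERT_SAN = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.cdn.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "SE"),),
                (("commonName", "legacy.example.org"),)),
}
CERT_BAD_WILDCARD = {"subjectAltName": (("DNS", "*.com"),)}


if __name__ == "__main__":
    for cert, name in ((CERT_SAN, "www.example.com"),
                       (CERT_SAN, "ignored.example"),
                       (CERT_SAN, "a.cdn.example.com"),
                       (CERT_SAN, "a.b.cdn.example.com"),
                       (CERT_SAN, "192.0.2.10"),
                       (CERT_CN_ONLY, "legacy.example.org"),
                       (CERT_BAD_WILDCARD, "example.com")):
        print(f"{name:24} {verify_hostname(cert, name)}")
```

A chain check that passes for CERT_SAN says nothing about whether the peer is www.example.com; without this step an attacker holding any CA-issued certificate can impersonate any host, which is why libcurl carries this logic itself for backends that do not.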
GnuTLS
Pro:
● License
● Documentation
● Many features (TLS 1.2, SRP, etc)
● Easy API
Con:
● License
● Less used
● Big
NSS
Pro:
● FIPS140 licensed
● Many features
Con:
● DB vs file approach
● Too Firefox-focused
● Documentation
● Big
qSSL
Pro:
● Runs on OS/400
Con:
● Runs only on OS/400
yaSSL
Pro:
● License
● Has an OpenSSL API
● Size?
Con:
● Not fully emulating OpenSSL
● Documentation
● Less support and community
PolarSSL
Pro:
● License
● Size?
Con:
● Documentation
● Not widely tested
● Less support and community
axTLS
Pro:
● Very small
● License
Con:
● TLS only
● Not widely tested
● Less support and community
Or by feature
● GPL
● SRP
● TLS 1.2
● SSLv2
● FIPS140
● Embedded focus
● Runs on Windows
How support them?
● started out as an #ifdef maze
● turned into an internal API each lib needs to provide
an internal API
curlssl_init()
curlssl_cleanup()
curlssl_connect()
curlssl_connect_nonblocking()
curlssl_session_free()
curlssl_close_all()
curlssl_close()
curlssl_shutdown()
curlssl_set_engine()
curlssl_set_engine_default()
curlssl_engines_list()
curlssl_version(x,y)
curlssl_data_pending(x,y)
curlssl_connect() sets the recv() and send() functions after a successful handshake
Maintain functionality
● hard
● test cases
● volunteer-based, non-stop distributed testing
SSH libraries
● only 2 (libssh and libssh2)
● SSH is a much less popular commodity protocol
picked libssh2
● hand over the socket to the library
● non-blocking operations
● license
Summary
● Lots of SSL libs
● Very few SSH libs
● Supporting them all is lots of work
SSL comparison online
A start:
http://curl.haxx.se/docs/ssl-compared.html