libcurl, seven SSL libraries and one SSH library. From my 30 minute talk at Fosdem 2011

1. libcurl, seven SSL
libraries and one
SSH library
February 5th 2011

2. Daniel Stenberg
●
Free Software
●
Network hacker
●
Embedded developer
●
Consultant
Email: daniel@haxx.se
Twitter: @bagder
Web: daniel.haxx.se
Blog: daniel.haxx.se/blog

3. Agenda
● libcurl
● SSL/TLS libraries
● Why so many?
● Differences
● How?
● SSH libraries
● Why so few?

4. Questions?
●
questions?
●
remarks?
●
interrupt!

5. general libcurl
● cURL since 1998
● libcurl since 2000
● today: DICT, FILE, FTP, FTPS, GOPHER, HTTP,
HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3,
POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS,
TELNET and TFTP
● almost 40 bindings
● widely used
● MIT licensed

6. libcurl and SSL
● HTTPS support added 1998 (later ftp­ssl, smtps,
imaps, pop3s)
● SSLeay …turned into OpenSSL
● GnuTLS added in 2005
● YaSSL “support” 2006
● NSS 2007
● qssl 2007
● PolarSSL 2010
● axTLS 2010

7. Why so many?
●
Software wants to use SSL
●
Different set of requirements and
demands
●
Licensing
●
What users/devs implement
support for!

8. Let's compare
●
7 libraries
●
what makes people select or
reject each one?
●
Caveats: I'm focused on client­
side, I'm but a user of them

9. OpenSSL
Pro Con
Established and License
proven
Documentation
Many features
Quirky API
leaves CN and
SAN verification to
apps
Big

10. GnuTLS
Pro Con
License License
Documentation Less used
Many features Big
(TLS1.2, SRP, etc)
Easy API

11. NSS
Pro Con
FIPS­140 licensed DB vs file approach
Many features too Firefox­focused
Documentation
Big

12. qSSL
Pro Con
Runs on OS/400 Runs only on
OS/400

13. yaSSL
Pro Con
License Not fully emulating
OpenSSL
Has an OpenSSL
API Documentation
Size? Less support and
community

14. PolarSSL
Pro Con
License Documentation
Size? Not widely tested
Less support and
community

15. axTLS
Pro Con
Very small TLS only
License Not widely tested
Less support and
community

16. Or by feature
● GPL
● SRP
● TLS 1.2
● SSLv2
● FIPS­140
●
Embedded focus
● Runs on Windows

17. How support them?
●
started out as #ifdef maze
●
turned into an internal API each
lib needs to provide

18. an internal API
curlssl_init()
curlssl_cleanup()
curlssl_connect()
curlssl_connect_nonblocking()
curlssl_session_free()
curlssl_close_all()
curlssl_close()
curlssl_shutdown()
curlssl_set_engine()
curlssl_set_engine_default()
curlssl_engines_list()
curlssl_version(x,y)
curlssl_data_pending(x,y)

19. curlssl
curlssl_init()
curlssl_cleanup()
curlssl_connect()
curlssl_connect_nonblocking() sets the recv() and send()
curlssl_session_free() functions after successful
curlssl_close_all() handshake
curlssl_close()
curlssl_shutdown()
curlssl_set_engine()
curlssl_set_engine_default()
curlssl_engines_list()
curlssl_version(x,y)
curlssl_data_pending(x,y)

20. Maintain functionality
●
hard
●
test cases
●
volunteer­based, non­stop
distributed testing

21. SSH libraries
●
only 2 (libssh and libssh2)
●
SSH is a much less popular
commodity protocol

22. picked libssh2
●
hand over socket to library
●
non­blocking operations
●
license

23. Summary
●
Lots of SSL libs
●
Very few SSH libs
●
Support them all is lots of work

24. SSL comparison online
A start:
http://curl.haxx.se/docs/ssl-compared.html