libcurl, seven SSL libraries and one SSH library
DESCRIPTION
libcurl, seven SSL libraries and one SSH library. From my 30-minute talk at FOSDEM 2011.
TRANSCRIPT
libcurl, seven SSL libraries and one SSH library
February 5th 2011

Daniel Stenberg
Email: [email protected]
Twitter: @bagder
Web: daniel.haxx.se
Blog: daniel.haxx.se/blog
● Free Software
● Network hacker
● Embedded developer
● Consultant

Agenda
● libcurl
● SSL/TLS libraries
● Why so many?
● Differences
● How?
● SSH libraries
● Why so few?

Questions?
● questions?
● remarks?
● interrupt!

General libcurl
● cURL since 1998
● libcurl since 2000
● today: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP
● almost 40 bindings
● widely used
● MIT licensed

libcurl and SSL
● HTTPS support added 1998 (later FTPS, SMTPS, IMAPS, POP3S)
● SSLeay … turned into OpenSSL
● GnuTLS added in 2005
● yaSSL “support” 2006
● NSS 2007
● qssl 2007
● PolarSSL 2010
● axTLS 2010

Why so many?
● Software wants to use SSL
● Different sets of requirements and demands
● Licensing
● What users/devs implement support for!

Let's compare
● 7 libraries
● what makes people select or reject each one?
● Caveats: I'm focused on the client side, I'm but a user of them

OpenSSL
Pro:
● Established and proven
● Many features
Con:
● License
● Documentation
● Quirky API
● Leaves CN and SAN verification to apps
● Big
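The "leaves CN and SAN verification to apps" point deserves a concrete illustration: a library that only validates the certificate chain leaves the application free to accept a perfectly valid certificate issued for a different host. The following is an added example, not curl's code or OpenSSL's; it shows the hostname check an application must perform itself, written against a constructed `struct cert_names` (an assumed stand-in for the CN and dNSName SAN entries a real program would extract through its TLS library's X.509 API). It applies the RFC 6125 rules in simplified form: dNSName SANs take precedence and the CN is only consulted when no dNSName SAN exists, comparison is case-insensitive, and a wildcard must be the entire leftmost label, match exactly one label, keep at least two labels after it, and never match an address literal. The sample certificates and hostnames are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the identities parsed out of a server
 * certificate: the subject CN and the subjectAltName dNSName entries.
 * A real application would fill this from its TLS library's X.509 API. */
struct cert_names {
    const char *cn;        /* subject CN, or NULL */
    const char *sans[8];   /* dNSName SAN entries, NULL-terminated */
};

/* Case-insensitive equality of two NUL-terminated strings. */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True for an IPv6 literal or a dotted-quad IPv4 address; wildcard
 * patterns must never match address literals. */
static bool looks_like_ip(const char *host)
{
    int dots = 0;
    if (strchr(host, ':'))
        return true;
    for (const char *p = host; *p; p++) {
        if (*p == '.')
            dots++;
        else if (!isdigit((unsigned char)*p))
            return false;
    }
    return dots == 3;
}

/* Match one presented identifier from the certificate against the
 * reference hostname the client connected to (simplified RFC 6125):
 * exact case-insensitive match, or a wildcard that is the whole leftmost
 * label, matches exactly one label, and has at least two labels after it. */
static bool name_matches(const char *pattern, const char *host)
{
    const char *tail, *hdot;

    if (!pattern || !host || !*pattern || !*host)
        return false;
    if (pattern[0] != '*')
        return ieq(pattern, host);

    tail = pattern + 1;                            /* ".example.com" */
    if (tail[0] != '.' || strchr(tail, '*') || looks_like_ip(host))
        return false;                              /* "*foo.x", "*.*.x", IP literal */
    if (!strchr(tail + 1, '.'))
        return false;                              /* refuse "*.com" */
    hdot = strchr(host, '.');
    if (!hdot || hdot == host)
        return false;                              /* host needs a leftmost label */
    return ieq(tail, hdot);                        /* remaining labels match exactly */
}

/* Verify HOST against the certificate's names. SAN dNSName entries take
 * precedence; the CN is consulted only when the certificate carries no
 * dNSName SAN at all, so a SAN-bearing cert cannot be matched via its CN. */
bool verify_hostname(const struct cert_names *cert, const char *host)
{
    size_t i;
    if (cert->sans[0]) {
        for (i = 0; cert->sans[i]; i++)
            if (name_matches(cert->sans[i], host))
                return true;
        return false;
    }
    return name_matches(cert->cn, host);
}

/* Constructed sample certificates for the demonstration (not real ones). */
const struct cert_names SAN_CERT = {
    .cn = "cn-only.example.org",
    .sans = { "www.example.com", "*.example.net", NULL }
};
const struct cert_names LEGACY_CN_CERT = {
    .cn = "legacy.example.com",
    .sans = { NULL }
};
const struct cert_names BROAD_WILDCARD_CERT = {
    .cn = NULL,
    .sans = { "*.com", NULL }
};

int main(void)
{
    printf("www.example.com      -> %d\n", verify_hostname(&SAN_CERT, "www.example.com"));
    printf("api.example.net      -> %d\n", verify_hostname(&SAN_CERT, "api.example.net"));
    printf("a.b.example.net      -> %d\n", verify_hostname(&SAN_CERT, "a.b.example.net"));
    printf("cn-only.example.org  -> %d\n", verify_hostname(&SAN_CERT, "cn-only.example.org"));
    printf("legacy.example.com   -> %d\n", verify_hostname(&LEGACY_CN_CERT, "legacy.example.com"));
    printf("example.com vs *.com -> %d\n", verify_hostname(&BROAD_WILDCARD_CERT, "example.com"));
    return 0;
}
```

The design choice worth noting is that a certificate carrying any dNSName SAN is never matched on its CN: otherwise a CN that happens to equal the target host would override the issuer's explicit list of names. The check runs after the chain has been validated by the library, not instead of it.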

GnuTLS
Pro:
● License
● Documentation
● Many features (TLS 1.2, SRP, etc)
● Easy API
Con:
● License
● Less used
● Big

NSS
Pro:
● FIPS140 licensed
● Many features
Con:
● DB vs file approach
● Too Firefox-focused
● Documentation
● Big

qSSL
Pro:
● Runs on OS/400
Con:
● Runs only on OS/400

yaSSL
Pro:
● License
● Has an OpenSSL API
● Size?
Con:
● Not fully emulating OpenSSL
● Documentation
● Less support and community

PolarSSL
Pro:
● License
● Size?
● Documentation
Con:
● Not widely tested
● Less support and community

axTLS
Pro:
● Very small
● License
Con:
● TLS only
● Not widely tested
● Less support and community

Or by feature
● GPL
● SRP
● TLS 1.2
● SSLv2
● FIPS140
● Embedded focus
● Runs on Windows

How to support them?
● started out as an #ifdef maze
● turned into an internal API each lib needs to provide

An internal API
● curlssl_init()
● curlssl_cleanup()
● curlssl_connect()
● curlssl_connect_nonblocking()
● curlssl_session_free()
● curlssl_close_all()
● curlssl_close()
● curlssl_shutdown()
● curlssl_set_engine()
● curlssl_set_engine_default()
● curlssl_engines_list()
● curlssl_version(x,y)
● curlssl_data_pending(x,y)

curlssl_connect(): sets the recv() and send() functions after a successful handshake

Maintain functionality
● hard
● test cases
● volunteer-based, non-stop distributed testing

SSH libraries
● only 2 (libssh and libssh2)
● SSH is a much less popular commodity protocol

Picked libssh2
● hand over socket to library
● non-blocking operations
● license

Summary
● Lots of SSL libs
● Very few SSH libs
● Supporting them all is lots of work

SSL comparison online
A start:
http://curl.haxx.se/docs/ssl-compared.html