curl-library

Proposed changes to SSL comparison documentation

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Sat, 4 May 2013 13:03:14 -0600

The documentation at <http://curl.haxx.se/docs/ssl-compared.html> is missing sections for Windows- and Darwin-native SSL, and also doesn't mention a few key differences between engines, like whether they're database-driven or file-driven or both, or their support for CRL (none, manual, or automatic). I've made some proposed revisions; can the rest of you take a look and tell me what you think?

Nick Zitzmann
<http://www.chronosnet.com/>

cURL - SSL libraries compared

Compare SSL libraries

This comparison only involves SSL/TLS libraries that libcurl can be built to use.

| Feature | OpenSSL | GnuTLS | NSS | CyaSSL | QSOSSL | PolarSSL | axTLS | Secure Channel | Secure Transport |
|---|---|---|---|---|---|---|---|---|---|
| TLS SRP | yes* | yes | no | no | no | no | no | no | no |
| TLS ECC | yes | no | yes | no | ? | ? | no | yes*** | yes** |
| Native CN check | no | yes | yes | yes | yes | yes | yes | yes | yes |
| CRL | manual | manual | automatic | ? | no | manual | no | automatic | automatic |
| SSLv2 | yes | no | yes | no | no | no | no | yes | yes |
| SSLv3 | yes | yes | yes | yes | yes | yes | no | yes | yes |
| TLSv1.0 | yes | yes | yes | yes | yes | yes | yes | yes | yes |
| TLSv1.1 | yes* | yes | yes | yes | ? | yes | yes | yes | yes* |
| TLSv1.2 | yes* | yes | no | yes | ? | ? | no | yes**** | yes** |
| Small | no | no | no | yes | N/A | yes | yes | N/A | N/A |
| Platforms | Unix, Windows | Unix, Windows | Unix, Windows | Unix, Windows | IBM i | Unix, Windows | Unix, Windows | Windows (CE and NT) | Darwin (inc. iOS and Mac OS X) |
| Uses Certificate/Key Files | yes | yes | yes | yes | ? | yes | yes | no | no |
| Uses Certificate/Key Database | no | no | yes | no | ? | no | no | yes | yes |
| FIPS-140 | yes | no | yes | no | no | no | no | yes | yes |
| License | 4-clause BSD | LGPL | MPL/LGPL/GPL | GPLv2 / prop | ? | GPLv2 / prop | BSD | Proprietary | APSL 2.0 |
| First release | 1998 | 2004? | ? | 2006 | ? | 2006 | 2006 | 2000 | 2003? |
| Version | 1.0.1c | 2.10.4 | 3.12.4 | 1.9.0 | ? | 0.14.0 | 1.4.5 | Windows 7 | 55179 |

* Not present in older versions of OpenSSL
** Requires iOS 5.0 or later, or OS X 10.8.0 or later
*** Requires Windows Vista or later
**** Requires Windows 7 or later

Docs situation?

File / run-time size requirements?

API situation? (OpenSSL look-alike or not etc)

Details

OpenSSL - lack of good docs and an API that isn't very consistent. The license is often mentioned as a problem since it isn't GPL compatible.

GnuTLS - good docs, consistent API, wide support for TLS standards. Not as widely used as OpenSSL.

NSS - lack of good docs. API is focused around having data in databases instead of individual files like the other libs do. Suffers a bit from being seen as only used by Mozilla's browser and mail client by project members.

CyaSSL - Little used by curl users. Dual GPL/commercial license.

QSOSSL - made for a single OS so it is of no use or interest for people who don't use OS/400.

PolarSSL - (formerly known as XySSL) targeted at embedded use. Small footprint. Dual GPL/commercial license.

axTLS - targeted at small footprint. BSD licensed. Lack of good docs. Written by a single person.

Secure Channel - Microsoft's TLS/SSL engine. Only available for Microsoft operating systems.

Secure Transport - Apple's TLS/SSL engine. Only available for Apple operating systems.

More reading

The mentioned libraries: OpenSSL, GnuTLS, NSS, CyaSSL, QSOSSL, PolarSSL, axTLS, Secure Channel, Secure Transport.

More comparisons in the extensive feature-by-feature comparison on Wikipedia.

Please mail us corrections if this table is incorrect, or tell us other features we should compare!

Page updated August 22, 2012.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-05-04