SSL/TLS library side by side comparison

Posted on Wednesday, October 12th, 2011 in code by DP

Brian stumbled on this side by side comparison of SSL/TLS libraries and gave his review of it:

So in summary of what code bases I find usable from a licensing perspective:
TropicSSL and axTLS are clear winners in terms of the license
CyaSSL and PolarSSL are GPL V2 + FLOSS which is less desirable

Next I looked at the code bases.

CyaSSL looks the most complex, and that is borne out in terms of the code size (27kLOC). Meanwhile PolarSSL/TropicSSL and axTLS come in at less than half of that with 12-14kLOC.

In terms of file/module organization TropicSSL/XySSL/PolarSSL looks a bit better than axTLS at least at first glance.

I conclude that if I want to have the most robust SSL/TLS I should look to port CyaSSL. If I want the freest SSL I should adopt axTLS or TropicSSL/XySSL. axTLS is still maintained by the original author while XySSL is not.

Via the forum.

This entry was posted on Wednesday, October 12th, 2011 at 12:00 pm and is filed under code.

9 Responses to “SSL/TLS library side by side comparison”

  1. Roberto Lombi says:

    SChannel, I guess S is for “secure”… or maybe for “strict”.

  2. Don says:

    Isn’t the title wrong – it should be SSL/TLS (Transport Layer Security) – or am I missing something?

  3. Tiersten says:

    I was confused for a minute until I read the linked forum post where Brian states that this is from the point of view of embedded systems. OpenSSL is taken out of consideration despite being BSD licensed because it only supports the big platforms like Windows, Linux etc…

  4. Drone says:

    This is missing a column: BEAST vulnerability!

  5. Hi!

    Nice article. Here are some comments:

    1. Thanks go out to Nikos Mavrogiannopoulos and Simon of GNU TLS fame for putting together the original unbiased comparison of TLS implementations. Chris Conlon of wolfSSL extended their work and put up the original comparison on Wikipedia. It is gratifying to us that people find it useful.

    2. In regard to CyaSSL and code size:
    a. It is correct that it is the most robust of the bunch, and hence the largest code base.
    b. CyaSSL and probably the others all have numerous build options to make them small. Those build options are not spelled out in the comparison.
    c. Conclusion: If you take a deeper look at any of the above, they can all look a lot more simple if you assess the build options. CyaSSL, for example, can get pretty tiny if you exclude all of our optional ciphers and the older versions of TLS.

