
SSL/TLS library side by side comparison

Posted on Wednesday, October 12th, 2011 in code by DP

Brian stumbled on this side by side comparison of SSL/TLS libraries and gave his review of it:

So in summary of what code bases I find usable from a licensing perspective:
TropicSSL and axTLS are clear winners in terms of the license
CyaSSL and PolarSSL are GPL V2 + FLOSS which is less desirable

Next I looked at the code bases.

CyaSSL looks the most complex, and that is borne out in terms of the code size (27kLOC). Meanwhile PolarSSL/TropicSSL and axTLS come in at less than half of that with 12-14kLOC.

In terms of file/module organization TropicSSL/XySSL/PolarSSL looks a bit better than axTLS at least at first glance.

I conclude that if I want to have the most robust SSL/TLS I should look to port CyaSSL. If I want the freest SSL I should adopt axTLS or TropicSSL/XySSL. axTLS is still maintained by the original author while XySSL is not.

Via the forum.


9 Responses to “SSL/TLS library side by side comparison”

  1. Roberto Lombi says:

    SChannel, I guess S is for “secure”… or maybe for “strict”.

  2. Don says:

    Isn’t the title wrong – it should be SSL/TLS (Transport Layer Security) – or am I missing something?

  3. Tiersten says:

    I was confused for a minute until I read the linked forum post where Brian states that this is from the point of view of embedded systems. OpenSSL is taken out of consideration despite being BSD licensed because it only supports the big platforms like Windows, Linux etc…

  4. Drone says:

    This is missing a column: BEAST vulnerability!

  5. Hi!

    Nice article. Here are some comments:

    1. Thanks go out to Nikos Mavrogiannopoulos and Simon of GNU TLS fame for putting together the original unbiased comparison of TLS implementations. Chris Conlon of wolfSSL extended their work and put the original comparison up on Wikipedia. It is gratifying to us that people find it useful.

    2. In regard to CyaSSL and code size:
    a. It is correct that it is the most robust of the bunch, and hence the largest code base.
    b. CyaSSL and probably the others all have numerous build options to make them small. Those build options are not spelled out in the comparison.
    c. Conclusion: If you take a deeper look at any of the above, they can all look a lot more simple if you assess the build options. CyaSSL, for example, can get pretty tiny if you exclude all of our optional ciphers and the older versions of TLS.

    LS
