cURL - SSL libraries compared

Compare SSL libraries

This comparison only involves SSL/TLS libraries that libcurl can be built to use.

Cell values in the table are yes, no, ? (unknown) and N/A; the CRL row uses manual or automatic. Bracketed numbers refer to the footnotes below the table.

Feature                                    | OpenSSL [6]          | GnuTLS                    | NSS                 | CyaSSL          | QSOSSL           | PolarSSL        | axTLS           | Secure Channel ("WinSSL")    | Secure Transport ("DarwinSSL")
-------------------------------------------+----------------------+---------------------------+---------------------+-----------------+------------------+-----------------+-----------------+------------------------------+-------------------------------
Native name check                          | no                   | yes                       | yes                 | yes             | yes              | yes             | yes             | yes                          | yes
CRL                                        | manual               | manual                    | automatic           | automatic       | no               | manual          | no              | automatic                    | automatic
SSLv2                                      | yes                  | no                        | yes                 | no              | no               | yes             | no              | yes                          | yes
SSLv3                                      | yes                  | yes                       | yes                 | yes             | yes              | yes             | no              | yes                          | yes
TLSv1.0                                    | yes                  | yes                       | yes                 | yes             | yes              | yes             | yes             | yes                          | yes
TLSv1.1                                    | yes [1]              | yes                       | yes                 | yes             | yes [5]          | yes             | yes             | yes                          | yes [2]
TLSv1.2                                    | yes [1]              | yes                       | yes                 | yes             | yes [5]          | yes             | no              | yes [4]                      | yes [2]
TLS SRP                                    | yes [1]              | yes                       | no                  | no              | no               | no              | no              | no                           | no
TLS ECC                                    | yes                  | yes                       | yes                 | yes             | ?                | yes             | no              | yes [3]                      | yes [2]
ALPN                                       | yes                  | yes                       | yes                 | no              | no               | yes             | no              | yes [7]                      | no
NPN                                        | yes                  | no                        | yes                 | no              | no               | no              | no              | yes [7]                      | no
Small                                      | no                   | no                        | no                  | yes             | N/A              | yes             | yes             | N/A                          | N/A
Platforms                                  | POSIX, Windows, VMS  | POSIX, Windows            | POSIX, Windows      | POSIX, Windows  | IBM i            | POSIX, Windows  | POSIX, Windows  | Windows (CE and NT)          | Darwin (inc. iOS and Mac OS X)
Uses Certificate/Key Files                 | yes                  | yes                       | yes                 | yes             | ?                | yes             | yes             | no                           | no
Uses Certificate/Key Database              | no                   | yes                       | yes                 | no              | ?                | no              | no              | yes                          | yes
Crypto module/token support                | PKCS#11 [8]          | PKCS#11                   | PKCS#11             | no              | ?                | no              | no              | Microsoft CryptoAPI          | Keychain
Select Certificates/Keys with PKCS#11 URI  | yes [8]              | yes                       | no                  | N/A             | ?                | N/A             | N/A             | N/A                          | N/A
Integrates with system token database      | yes [8]              | yes                       | no                  | no              | ?                | no              | no              | yes                          | yes
FIPS-140                                   | yes                  | yes                       | yes                 | no              | no               | no              | no              | yes                          | yes
OpenSSL-like API                           | N/A                  | limited                   | separate            | yes             | limited          | no              | limited         | no                           | digests only
Vendor                                     | OpenSSL Project      | Free Software Foundation  | Mozilla Foundation  | wolfSSL         | IBM Corporation  | Offspark B.V.   | Cameron Rich    | Microsoft Corporation        | Apple Inc.
License                                    | 4-clause BSD         | LGPL                      | MPL/LGPL/GPL        | GPLv2 / prop    | ?                | GPLv2 / prop    | BSD             | Proprietary                  | APSL 2.0
First release                              | 1998                 | 2004?                     | ?                   | 2006            | ?                | 2006            | 2006            | 2000                         | 2003?
Version                                    | 1.0.1i               | 3.3.15                    | 3.16.4              | 3.1.0           | 7.1 TR6          | 1.3.8           | 1.4.9           | 6.3.9600                     | 55471.14
Famous Application                         | Apache HTTPD         | GNOME                     | Mozilla Firefox     | MySQL           | IBM HTTPD        | Hiawatha HTTPD  | ?               | Microsoft Internet Explorer  | Apple Safari

[1] = Requires OpenSSL 1.0.1c or later
[2] = Requires iOS 5.0 or later, or OS X 10.8.0 or later
[3] = Requires Windows Vista or later
[4] = Requires Windows 7 or later
[5] = Requires IBM i 7.1 TR6 or later
[6] = The same feature set is also provided by LibreSSL and probably by BoringSSL. The latter doesn't build with curl unmodified as of September 2014.
[7] = support for ALPN and NPN was added in Windows 8.1 / Server 2012 R2.
[8] = Via external engine_pkcs11

Glossary of Terms

Native name check: If yes, the engine automatically checks the host name in the server's certificate against the host name used to connect to the server, unless CURLOPT_VERIFYHOST was explicitly disabled. If no, libcurl performs this check instead.

CRL: CRL means "Certificate Revocation List"; a CRL is used to check whether any certificate in the server's chain has been revoked for some reason. If automatic, the engine downloads a CRL itself and uses it to evaluate the trust of the server's certificate chain during the TLS handshake. If manual, the engine does not fetch a CRL on its own, but you can supply one that was downloaded separately with the CURLOPT_CRL option. If no, the CURLOPT_CRL option is ignored.

SSLv2: This was the first public release of the SSL protocol. It is deprecated and really should no longer be used, because it has a number of serious security problems. Even if your engine supports it, libcurl will never default to allowing SSLv2 when performing a TLS handshake. Support for SSLv2 is only provided here if you need to connect to a very old (circa 1995) SSL server that does not support a newer version of the protocol.

SSLv3: This version of SSL fixed all of the major weaknesses in SSLv2. It is still widely supported on the public Internet, mainly because Microsoft Internet Explorer 6 does not support TLS by default, although TLS is the preferred protocol.

TLSv1.0: TLS is a slight variation on SSLv3 and was the first version of the protocol to be approved by the Internet Engineering Task Force (IETF). This version of TLS has been available since 1999 and is by far the most widely supported version on the public Internet. A few minor security vulnerabilities have been found in TLSv1.0 and fixed in later versions, but all of them (so far) have been easy to work around, which has contributed to the longevity of this version of TLS.

TLSv1.1: TLSv1.1 is similar to v1.0, except that it has a better fix for the CBC (Cipher Block Chaining) cipher-suite attack that led to the BEAST (Browser Exploit Against SSL/TLS) vulnerability in TLSv1.0. Unfortunately it was released seven years after v1.0 and took even longer to appear in TLS engines, so it is not yet widely supported by servers.

TLSv1.2: TLSv1.2 provides even better security than TLSv1.1 and earlier, with support for many all-new cipher suites that are even more difficult to crack. Unfortunately TLSv1.2 is not widely used on the public Internet yet for the same reasons that v1.1 support is scarce.

TLS SRP: SRP means "Secure Remote Password" and it is a method of performing client-side authentication with a TLS server by using a user name and password, sometimes coupled with a certificate. It is not yet widely supported, but for the engines that do support it, you can provide the credentials to curl by using the CURLOPT_TLSAUTH_USERNAME and CURLOPT_TLSAUTH_PASSWORD options.

TLS ECC: ECC means "Elliptic Curve Cryptography" and it is an advanced set of cipher-suites that are used in TLS connections (typically with TLSv1.2). Not all engines support ECC.

Uses Certificate/Key Files: Some engines, such as OpenSSL, read certificates and keys from files rather than a central database. These engines require you to use a certificate bundle in order to verify a server's certificate chain; this is usually set at build time but can also be set by using the CURLOPT_CAINFO option.

Uses Certificate/Key Database: Some engines, such as Apple's Security framework, use a central database instead of separate files to store certificates and keys. Apple's Security framework database, for instance, is called the Keychain. For engines that use a database and don't also support files, the CURLOPT_CAINFO option is ignored.

Crypto module/token support: Support for cryptographic hardware tokens and software databases is typically provided via PKCS#11 on POSIX platforms, and via platform-specific APIs on Windows and Darwin. Examples of PKCS#11 software tokens include the GNOME keyring and the NSS "soft token" database.

Integrates with system token database: Platforms often have a system-wide configuration that specifies which crypto modules/tokens should be visible to which applications. Many Linux distributions have chosen to use p11-kit to provide this configuration, and some now consider it a bug for applications not to automatically use the tokens configured there.

Select Certificates/Keys with PKCS#11 URI: RFC 7512 defines a standard URI format for specifying objects within PKCS#11 tokens/databases.

FIPS-140: FIPS-140 is a security standard used by the United States and Canada for transferring information that is sensitive but not classified. If yes, and you are using curl or a libcurl-based application in the US or Canadian government, or in a government contractor, then it's okay for you to use the engine when building curl/libcurl.
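As an added example (not code from the curl project or from this page), the shell functions below map the TLS backend that the curl command line reports to the CRL, certificate-file, TLS-SRP and TLSv1.2 rows of the table above, and build the command-line flags that correspond to the libcurl options in this glossary (--cacert for CURLOPT_CAINFO, --crlfile for the CRL option, --tlsuser for CURLOPT_TLSAUTH_USERNAME). The backend names matched in the version line are assumed, and QSOSSL is left out.

```shell
#!/bin/sh
# Added example (not curl project code): map the TLS backend named in the
# first line of `curl --version` to the CRL / CA-file / SRP / TLSv1.2 rows of
# the table above and build the matching curl flags.

# Backend token printed right after "libcurl/x.y.z" in the version line
# (assumed token names: OpenSSL, GnuTLS, NSS, CyaSSL, PolarSSL, axTLS,
# WinSSL, SecureTransport; QSOSSL omitted).
tls_backend() {
    printf '%s\n' "$1" |
        sed -n 's|^curl [^ ]* ([^)]*) libcurl/[^ ]* \([^ /]*\).*|\1|p'
}

# Capability row copied from the table: "<crl> <cafile> <srp> <tls12>".
# crl: manual = honours a CRL file you supply, automatic = fetches CRLs
# itself, no = CRL files are ignored.
backend_caps() {
    case "$1" in
        OpenSSL)         echo "manual yes yes yes" ;;
        GnuTLS)          echo "manual yes yes yes" ;;
        NSS)             echo "automatic yes no yes" ;;
        CyaSSL)          echo "automatic yes no yes" ;;
        PolarSSL)        echo "manual yes no yes" ;;
        axTLS)           echo "no yes no no" ;;
        WinSSL)          echo "automatic no no yes" ;;
        SecureTransport) echo "automatic no no yes" ;;
        *)               echo "unknown unknown unknown unknown" ;;
    esac
}

# Usage: tls_flags "<curl --version first line>" CA_BUNDLE CRL_FILE [SRP_USER]
# Prints only the flags this backend honours; dropped ones are explained on stderr.
tls_flags() {
    backend=$(tls_backend "$1"); cabundle=$2; crlfile=$3; srpuser=$4
    set -- $(backend_caps "$backend")
    crl=$1; cafile=$2; srp=$3; tls12=$4
    # Require TLS 1.2 where the backend has it, otherwise at least TLS 1.x.
    if [ "$tls12" = yes ]; then flags="--tlsv1.2"; else flags="--tlsv1"; fi
    if [ -n "$cabundle" ] && [ "$cafile" = yes ]; then flags="$flags --cacert $cabundle"
    elif [ -n "$cabundle" ]; then echo "note: $backend ignores --cacert (uses system database)" >&2; fi
    if [ -n "$crlfile" ] && [ "$crl" = manual ]; then flags="$flags --crlfile $crlfile"
    elif [ -n "$crlfile" ]; then echo "note: $backend CRL handling is '$crl', --crlfile not used" >&2; fi
    if [ -n "$srpuser" ] && [ "$srp" = yes ]; then flags="$flags --tlsauthtype SRP --tlsuser $srpuser"
    elif [ -n "$srpuser" ]; then echo "note: $backend has no TLS-SRP support" >&2; fi
    printf '%s\n' "$flags"
}
```

The SRP password (--tlspassword, CURLOPT_TLSAUTH_PASSWORD) is deliberately left to the caller so it never lands in a shell history or process listing.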

License: If you are deploying an application that uses libcurl, then the license used by the engine may affect whether or not you are able to distribute your application legally. OpenSSL's 4-clause BSD license, for instance, is not compatible with the GNU GPL.

More reading

The mentioned libraries: OpenSSL, GnuTLS, NSS, CyaSSL, PolarSSL, axTLS, Secure Channel, Secure Transport.

More comparisons in the extensive feature-by-feature comparison on Wikipedia.

Please mail us corrections if this table is incorrect, or tell us about other features we should compare!